welk1n / jndi-injection-exploit Goto Github PK

Target environment jdk6
jdk向下兼容的原因，可以利用低版本jdk去在高版本的jvm执行，实战中遇到好多jdk6 的环境，作者工具新的很棒，帮助改进一点。
效果如下：

更改代码为下，使用jdk6 编译src/test/java/ExecTemplateJDK6.java 即可

hi guys i dont find the way to run this server like in the command you provide?
thank you

I have tweaked the code to use the new Groovy payload given by orange last month.
However in my usecase , i dont have a direct initialContext.lookup available. What i have is the path below-
However right now its failing at line 104 in http://cr.openjdk.java.net/~mduigou/7072353/3/webrev/src/share/classes/com/sun/jndi/rmi/registry/RegistryContextFactory.java.html#104

As the object sent back from the EVIL RMI server is not an instance of Context?
ANy suggestions if this can still be exploited?

javax.naming.NotContextException: rmi://54.x.x.x:1099/ngiawf
	at com.sun.jndi.rmi.registry.RegistryContextFactory.URLToContext(RegistryContextFactory.java:107) ~[?:1.8.0_222]
	at com.sun.jndi.rmi.registry.RegistryContextFactory.getInitialContext(RegistryContextFactory.java:69) ~[?:1.8.0_222]
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_222]
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_222]
	at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_222]
	at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_222]
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_222]

I have tried to combine the execbyGroovy code from JNDI-Injection-Bypass to JNDI-Injection-Exploit.

Im getting the following error when launching the exploit:-
java.lang.IllegalArgumentException: Can not set javax.naming.Reference field com.sun.jndi.rmi.registry.ReferenceWrapper.wrappee to com.sun.jndi.rmi.registry.ReferenceWrapper

2020-04-28 12:18:17 [RMISERVER]  >> Sending local classloading reference.
java.lang.IllegalArgumentException: Can not set javax.naming.Reference field com.sun.jndi.rmi.registry.ReferenceWrapper.wrappee to com.sun.jndi.rmi.registry.ReferenceWrapper
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at sun.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.lang.reflect.Field.set(Field.java:764)
	at util.Reflections.setFieldValue(Reflections.java:34)
	at jndi.RMIRefServer.handleRMI(RMIRefServer.java:353)
	at jndi.RMIRefServer.doCall(RMIRefServer.java:304)
	at jndi.RMIRefServer.doMessage(RMIRefServer.java:250)
	at jndi.RMIRefServer.run(RMIRefServer.java:195)
	at java.lang.Thread.run(Thread.java:748)

  Im using Reflections.setFieldValue(rw, "wrappee", execByGroovy());
using the same one as for execByEL, is this right?

@welk1n any suggestions?

下载完源码按照方法二编译后尝试了本地演示的命令报错如下：
Exception in thread "main" java.net.BindException: Address already in use (Bind failed)
at java.net.PlainSocketImpl.socketBind(Native Method)
at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:513)
at java.net.ServerSocket.bind(ServerSocket.java:375)
at java.net.ServerSocket.(ServerSocket.java:237)
at java.net.ServerSocket.(ServerSocket.java:128)
at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:218)
at jndi.RMIRefServer.(RMIRefServer.java:81)
at run.ServerStart.(ServerStart.java:142)
at run.ServerStart.main(ServerStart.java:83)

Hi @welk1n ,

I can see that you have a malicious RMI server option when trustURLcodebase is set to false and java version is 1.8.191+

I was wondering if we can do the same thing via an LDAP Server as well.

Thanks

Hello,
Nothing seems to execute while referencing the above printout msg from your logj4 exploit. Any reason why open http://google.com is not working?