# JNDI

JNDI is a JNDI injection exploitation module. It allows users to select gadget chains through the frontend, while the backend generates a short token based on the current timestamp to identify the selected and generated payload. This approach avoids the need to insert gadget parameters directly into the LDAP URL payload.
The module also offers fault tolerance. If an LDAP request is received without matching any token, it defaults to returning the most recently generated payload, making it suitable for scenarios where LDAP parameters are uncontrollable.
As a first step, start the JNDI service.
If you want to automatically fetch the external IP address, please enable the [Auto Fetch IP] option.
The IP Address here is the callback IP, typically a public IP. Click [Start] to enable LDAP, HTTP, and RMI services.
There are many usage patterns for JNDI injection; see the Payload description field of each payload for details. Here we take the ShowHand chain as an example of batch testing.
Enter the DNSLOG domain name.
After the batch run finishes, some records may appear in the DNSLog. If a DNSLOG record exists, code execution definitely occurred. The absence of a DNSLOG record indicates that the chain may not be exploitable, or that it failed for some other reason.
The dnslog result looks like this:
```
basic.dnslogandhttp.macos.xxx.eyes.sh
deser.jackson.templatesimpl.macos.xxx.eyes.sh
resourceref.tomcatelref.elconvert.macos.xxx.eyes.sh
reference.tomcatdbcp2jdbcattack.pgsql-jdbc-jndi.bean-xml.macos.xxx.eyes.sh
```
The first field means:
- basic: exploitation of JDK < 8u191; corresponds to the JndiBasicPayload menu on the left
- deser: deserialization delivered over LDAP, followed by the deserialization chain, e.g. cb1 uses the CommonsBeanUtils1 chain and jackson uses the jackson chain; corresponds to the JndiDeserializetionPayload menu on the left
- resourceref: uses the BeanFactory under Tomcat; the most common is tomcatelref, which is EL expression execution; corresponds to the JndiResourceRefPayload menu on the left
- reference: uses other ObjectFactory classes to bypass the BeanFactory; corresponds to the JndiReferencePayload menu on the left
Because some gadget names are long, they may not be displayed on some dnslog platforms. Some gadgets therefore have an alias, and the alias is what appears in the dnslog. The corresponding list of gadgets and aliases is as follows:
| Gadget/Payload name | Alias |
|---|---|
| JndiBasicPayload | basic |
| JndiReferencePayload | reference |
| JndiResourceRefPayload | ResourceRef |
| CommonsBeanutils1 | cb1 |
| CommonsBeanutils2 | cb2 |
| CommonsBeanutils3 | cb3 |
| CommonsBeanutils4 | cb4 |
| CommonsCollectionsK1 | K1 |
| CommonsCollectionsK2 | K2 |
| CommonsCollectionsK3 | K3 |
| CommonsCollectionsK4 | K4 |
| PostgreSqlJdbc4Jndi | pgsql or pgsql-jdbc-jndi |
| SnakeyamlJarConvert | sjc or snake_convert |
| SnakeyamlJarSpi4JNDI | sjsj or snake_jar_jndi |
| SpringBeanXmlClassLoader | sbxcl or bean-xml |
`basic.dnslogwithinfo.macos.y6uncf2v.eyes.sh`
The exploitation method corresponding to this DNSLog result is as follows (bytecode list can be selected freely):
You can execute the calc command:
Mac adaptation of the calc command:
```shell
➜ ~ where calc
/usr/local/bin/calc
➜ ~ cat /usr/local/bin/calc
#!/bin/bash
open -a /System/Applications/Calculator.app
```
`deser.cb1.templatesimpl.macos.y6uncf2v.eyes.sh`
The exploitation method corresponding to this DNSLog result is as follows (bytecode list can be selected freely):
`resourceref.snakeyamlref.snake-jar-jndi.snake-convert.macos.y6uncf2v.eyes.sh`
The exploitation method corresponding to this DNSLog result is as follows (bytecode list can be selected freely):
`reference.commondbcp2jdbcattack.pgsql-jdbc-jndi.bean-xml.macos.y6uncf2v.eyes.sh`
The exploitation method corresponding to this DNSLog result is as follows (bytecode list can be selected freely):