Jndi injection and Spring RCE vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201680067
Type myhack58
Reporter 碳烤鱿鱼丝
Modified 2016-10-11T00:00:00


Foreword

Because I had been traveling and had not done any research for a while, I used the National Day holiday to go back over the 2016 BlackHat talks, where JNDI injection caught my attention. This article is divided into three sections: understanding JNDI, an analysis of the causes of JNDI injection, and the reason the Spring RCE vulnerability takes the form it does. This is a basic-level article; experts, please skip it and don't flame~

Article directory

1. Understanding JNDI
2. Causes of JNDI injection
3. The relationship between Spring RCE and JNDI injection, with a demo
4. The JNDI topic at BlackHat 2016. Original: BlackHat (students whose English is good can go and read the original.)

Understanding JNDI

JNDI stands for Java Naming and Directory Interface. It is the standard Java naming system interface provided by Sun Microsystems. JNDI offers a uniform client API; different access providers implement the JNDI Service Provider Interface (SPI), and the manager maps the JNDI API to a particular naming service and directory system, so that Java applications can interact with those naming and directory services, as shown in the figure:

(figure: JNDI architecture, image not included in the page)

Java Naming: the naming service binds keys to values, so an application can retrieve a value by its key.

Java Directory: the directory service is a natural extension of the naming service. The key difference between the two is that a directory service object can have attributes (for example, a user has an email address), whereas naming service objects do not. A directory service therefore lets you search for objects by attribute.
JNDI lets you access files in the file system, locate objects in a remote RMI registry, access directory services such as LDAP, and locate EJB components on the network. As the hierarchy above shows, in plain terms JNDI is a set of API interfaces. Each object has a unique name bound to it, and the developer retrieves the object by that name; the object itself may be stored in RMI, LDAP, CORBA and so on. JNDI provides bind and lookup methods that tie a name to an object and, on that basis, offer lookup and search capabilities:

1. void bind(String name, Object object) // binds the name to the object
2. Object lookup(String name) // retrieves the object by its name

Below is a JNDI demo to help understanding. First we define a Person class:

```java
package com.jndi.demo;

import java.io.Serializable;
import java.rmi.Remote;

// Remote + Serializable so the object can be bound in an RMI registry and
// transferred by value to whoever looks it up.
public class Person implements Remote, Serializable {
    private static final long serialVersionUID = 1L;
    private String name;
    private String password;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String toString() {
        return "name:" + name + " password:" + password;
    }
}
```

Here the server side uses RMI as the example:

```java
package com.jndi.demo;

import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.spi.NamingManager;

public class Test {
    public static void initPerson() throws Exception {
        // Configure the JNDI factory and the JNDI URL and port. Without this
        // configuration a NoInitialContextException is thrown.
        LocateRegistry.createRegistry(3001);
        System.setProperty(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.rmi.registry.RegistryContextFactory");
        System.setProperty(Context.PROVIDER_URL, "rmi://localhost:3001");
        // Initialization
        InitialContext ctx = new InitialContext();

        // Instantiate the Person object
        Person p = new Person();
        p.setName("hello");
        p.setPassword("jndi");

        // Bind the Person object to the JNDI service under the name "person"
        ctx.bind("person", p);
        ctx.close();
    }

    public static void findPerson() throws Exception {
        // ... (the lookup half of the demo continues on the next page of the article)
    }
}
```
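The bind and lookup sides of the demo above in one runnable file, as an added example that is not the article's own code. It reuses the article's port 3001, factory and "person" name; the class JndiRoundTrip and the helpers requirePlainName and lookupPerson are assumptions for this illustration. Beyond the article's demo, it shows the defensive check a lookup on an untrusted name needs: a name that carries its own URL scheme is refused, because such a name redirects the lookup away from the configured provider.

```java
package com.jndi.demo;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.registry.LocateRegistry;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
public class JndiRoundTrip {
    // Same shape as the article's Person class, reduced to one field.
    public static class Person implements Remote, Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public Person(String name) { this.name = name; }
    }
    // Mirrors how InitialContext detects a URL scheme ("rmi:", "ldap:") in a
    // name: a ':' that comes before any '/'. Such a name is resolved against
    // that URL, not the configured PROVIDER_URL, so untrusted input must not carry one.
    static void requirePlainName(String name) throws NamingException {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash == -1 || colon < slash)) {
            throw new NamingException("JNDI name with URL scheme refused: " + name);
        }
    }
    static Person lookupPerson(Context ctx, String name) throws NamingException {
        requirePlainName(name);
        return (Person) ctx.lookup(name);
    }
    public static void main(String[] args) throws Exception {
        // Same registry, factory and port as the article's Test.initPerson()
        LocateRegistry.createRegistry(3001);
        System.setProperty(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.rmi.registry.RegistryContextFactory");
        System.setProperty(Context.PROVIDER_URL, "rmi://localhost:3001");
        InitialContext ctx = new InitialContext();
        ctx.bind("person", new Person("hello"));              // server side: bind
        System.out.println(lookupPerson(ctx, "person").name);  // client side: lookup, prints hello
        // A name carrying its own scheme is refused before it reaches ctx.lookup()
        try {
            lookupPerson(ctx, "rmi://other-host.example:1099/person");
        } catch (NamingException e) {
            System.out.println("refused: " + e.getMessage());
        }
        ctx.close();
    }
}
```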
