JNDI-LDAP

2020-03-27

upload successful

https://blog.sari3l.com/posts/469de5e6/15523811246162.jpg

DirectoryManager.getObjectInstance

JNDI-LDAP

除了RMI服务之外，JNDI也可以与LDAP目录服务进行交互，Java对象在LDAP目录中也有多种存储形式：

Java序列化
JNDI Reference
Marshalled对象
Remote Location (已弃用)

upload successful

com.sun.jndi.ldap.LdapCtx#c_lookup

protected Object c_lookup(Name var1, Continuation var2) throws NamingException {
    var2.setError(this, var1);
    Object var3 = null;

    Object var4;
    try {
        SearchControls var22 = new SearchControls();
        var22.setSearchScope(0);
        var22.setReturningAttributes((String[])null);
        var22.setReturningObjFlag(true);
        LdapResult var23 = this.doSearchOnce(var1, "(objectClass=*)", var22, true);
        this.respCtls = var23.resControls;
        if (var23.status != 0) {
            this.processReturnCode(var23, var1);
        }

        if (var23.entries != null && var23.entries.size() == 1) {
            LdapEntry var25 = (LdapEntry)var23.entries.elementAt(0);
            var4 = var25.attributes;
            Vector var8 = var25.respCtls;
            if (var8 != null) {
                appendVector(this.respCtls, var8);
            }
        } else {
            var4 = new BasicAttributes(true);
        }
        
		// 有javaClassName，触发点1
        if (((Attributes)var4).get(Obj.JAVA_ATTRIBUTES[2]) != null) {
            var3 = Obj.decodeObject((Attributes)var4);
        }

        if (var3 == null) {
            var3 = new LdapCtx(this, this.fullyQualifiedName(var1));
        }
    } catch (LdapReferralException var20) {
        LdapReferralException var5 = var20;
        if (this.handleReferrals == 2) {
            throw var2.fillInException(var20);
        }

        while(true) {
            LdapReferralContext var6 = (LdapReferralContext)var5.getReferralContext(this.envprops, this.bindCtls);

            try {
                Object var7 = var6.lookup(var1);
                return var7;
            } catch (LdapReferralException var18) {
                var5 = var18;
            } finally {
                var6.close();
            }
        }
    } catch (NamingException var21) {
        throw var2.fillInException(var21);
    }

    try {
    	// 触发点2
        return DirectoryManager.getObjectInstance(var3, var1, this, this.envprops, (Attributes)var4);
    } catch (NamingException var16) {
        throw var2.fillInException(var16);
    } catch (Exception var17) {
        NamingException var24 = new NamingException("problem generating object using object factory");
        var24.setRootCause(var17);
        throw var2.fillInException(var24);
    }
}

com.sun.jndi.ldap.Obj#decodeObject

upload successful

static Object decodeObject(Attributes var0) throws NamingException {
        String[] var2 = getCodebases(var0.get(JAVA_ATTRIBUTES[4]));

        try {
            Attribute var1;
            if ((var1 = var0.get(JAVA_ATTRIBUTES[1])) != null) {
                ClassLoader var3 = helper.getURLClassLoader(var2);
                return deserializeObject((byte[])((byte[])var1.get()), var3);
            } else if ((var1 = var0.get(JAVA_ATTRIBUTES[7])) != null) {
                return decodeRmiObject((String)var0.get(JAVA_ATTRIBUTES[2]).get(), (String)var1.get(), var2);
            } else {
                var1 = var0.get(JAVA_ATTRIBUTES[0]);
                return var1 == null || !var1.contains(JAVA_OBJECT_CLASSES[2]) && !var1.contains(JAVA_OBJECT_CLASSES_LOWER[2]) ? null : decodeReference(var0, var2);
            }
        } catch (IOException var5) {
            NamingException var4 = new NamingException();
            var4.setRootCause(var5);
            throw var4;
        }
    }

Reference 调用链

getObjectInstance:20, Exploit
getObjectInstance:194, DirectoryManager (javax.naming.spi)
c_lookup:1085, LdapCtx (com.sun.jndi.ldap)
p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx)
lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx)
lookup:166, PartialCompositeContext (com.sun.jndi.toolkit.ctx)
lookup:417, InitialContext (javax.naming)
t2:69, VulnClient (com.m0d9.sec.jndi.ldap)

javaSerializedData 调用链

java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
com.sun.jndi.ldap.Obj.deserializeObject(Obj.java:531)
com.sun.jndi.ldap.Obj.decodeObject(Obj.java:239)
com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1051)
com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:542)
com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:177)
com.sun.jndi.toolkit.ctx.PartialCompositeContext.lookup(PartialCompositeContext.java:166)
javax.naming.InitialContext.lookup(InitialContext.java:417)
com.m0d9.sec.jndi.ldap.VulnClient.t2(VulnClient.java:69)

参考

JNDI-RMI

2020-03-26

反序列利用的时候经常会用到jndi加载远程class，原理是什么？

什么是JNDI

JNDI到底是什么，有什么作用

什么是JNDI Injection

深入理解JNDI注入与Java反序列化漏洞利用

more >>

利用openssl反弹shell

2019-12-03

server

openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

openssl s_server -accept 4444 -key server.pem -cert server.pem

more >>

Fastjson<1.2.60 Dos分析

2019-09-06

fastjson<1.2.60

发现

https://github.com/alibaba/fastjson/commit/995845170527221ca0293cf290e33a7d6cb52bf7

upload successful

more >>

lzma踩坑记

2019-07-24

lzma 是python3.3 之后引入的一个官方压缩库，但是在使用时候发现import error

$ python
Python 3.6.0 (default, Mar 10 2017, 10:08:04)
[GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import lzma
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/mody/.pyenv/versions/3.6.0/lib/python3.6/lzma.py", line 27, in <module>
    from _lzma import *
ModuleNotFoundError: No module named '_lzma'
>>>

日常机器环境oxs+brew+pyenv，一顿找，发现应该是lib的问题，新版lzma 已经合并到xz库里面，安装xz

1	brew install xz

pyenv 安装个新的 3.5.6版本测试

1	pyenv install 3.5.6

报错：install failed, “zlib not available” on macOS Mojave

1	CFLAGS="-I$(xcrun --show-sdk-path)/usr/include" pyenv install 3.5.6

$pyenv local 3.5.6
$python
Python 3.5.6 (default, Jul 24 2019, 09:55:40)
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import lzma
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/mody/.pyenv/versions/3.6.0/lib/python3.6/lzma.py", line 27, in <module>
    from _lzma import *
ModuleNotFoundError: No module named '_lzma'
>>>

仍然报错，思考应该python编译的时候依赖库问题

brew 安装的依赖库都会放在/usr/local/homebrew/Cellar/下面

$ ll /usr/local/homebrew/Cellar/xz/5.2.4/include/
total 24
drwxr-xr-x   4 mody  staff   128 Apr 30  2018 ./
drwxr-xr-x  14 mody  staff   448 Jul 23 14:58 ../
drwxr-xr-x  16 mody  staff   512 Apr 30  2018 lzma/
-rw-r--r--   1 mody  staff  9817 Apr 30  2018 lzma.h

通过brew link xz 软连接到/usr/local/homebrew/include/目录下(默认执行)

1
2
3

$ ll /usr/local/homebrew/include/ |grep lzma
lrwxr-xr-x    1 mody  admin    31 Jul 24 09:47 lzma@ -> ../Cellar/xz/5.2.4/include/lzma
lrwxr-xr-x    1 mody  admin    33 Jul 24 09:47 lzma.h@ -> ../Cellar/xz/5.2.4/include/lzma.h

所以

1	CFLAGS="-I$(xcrun --show-sdk-path)/usr/include -I/usr/local/homebrew/include" pyenv install 3.5.5

$pyenv local 3.5.5
$python
Python 3.5.5 (default, Jul 24 2019, 10:22:29)
[GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import lzma
>>

成功，反思“定位到是python编译的时候依赖库问题”走了弯路，CFLAGS解决zlib时就应该想到

参考

https://github.com/pyenv/pyenv/issues/1219

20201225

pyenv macOS Big Sur 11.1安装问题，解决方法：

CFLAGS="-I$(brew --prefix openssl)/include -I$(brew --prefix bzip2)/include -I$(brew --prefix readline)/include -I$(xcrun --show-sdk-path)/usr/include" LDFLAGS="-L$(brew --prefix openssl)/lib -L$(brew --prefix readline)/lib -L$(brew --prefix zlib)/lib -L$(brew --prefix bzip2)/lib" pyenv install --patch 2.7.15 < <(curl -sSL https://github.com/python/cpython/commit/8ea6353.patch\?full_index\=1)

参考

https://github.com/pyenv/pyenv/issues/1643