From e35eceee3f6146956fbeace556432d7ca9b09f86 Mon Sep 17 00:00:00 2001 From: exp1orer <43846937@qq.com> Date: Sun, 26 Dec 2021 19:45:58 +0800 Subject: [PATCH 1/4] Update README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 166e148..f699336 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ > 本工具用于解决 Fastjson、log4j2、原生JNDI注入等场景中针对高版本JDK无法加载远程恶意类,通过LDAP服务器返回原生Java反序列化数据,受害者(客户端)在具备反序列化Gadget依赖的情况下可达到命令执行、代码执行、回显命令执行、无文件落地内存马注册等。 > -> Solve the high version of JDK Bypass, like FastJson, Jackson, Log4j2, native JNDI injection vulnerabilities, and detect locally available deserialization gadgets to achieve command execution, echo command execution, and memory shell injection +> Solve the high version of JDK Bypass, like FastJson, Jackson, Log4j2, native JNDI injection vulnerabilities, and detect locally available deserialization gadgets to achieve command execution, echo command execution, and memory shell injection. ## Usage @@ -123,4 +123,6 @@ java -jar JNDI-Inject-Exploit-0.1-all.jar ip="192.168.0.104" url="http://192.168 [wyzxxz/shiro_rce_tool: shiro 反序列 命令执行辅助检测工具](https://github.com/wyzxxz/shiro_rce_tool) -[feihong-cs/Java-Rce-Echo: Java RCE 回显测试代码](https://github.com/feihong-cs/Java-Rce-Echo) \ No newline at end of file +[feihong-cs/Java-Rce-Echo: Java RCE 回显测试代码](https://github.com/feihong-cs/Java-Rce-Echo) + +[j1anFen/shiro_attack: shiro反序列化漏洞综合利用,包含(回显执行命令/注入内存马)](https://github.com/j1anFen/shiro_attack) From b2a566785b3b6866e581e1757b22ed251347cb74 Mon Sep 17 00:00:00 2001 From: exp1orer <43846937@qq.com> Date: Mon, 27 Dec 2021 16:30:52 +0800 Subject: [PATCH 2/4] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index f699336..355d35f 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,9 @@ # JNDI-Inject-Exploit +## 免责声明 + +本工具仅面向**合法授权的企业安全测试**,如您需测试本工具的可用性请自行搭建靶机环境,在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。**请勿对非授权目标进行扫描,如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,作者将不承担任何法律及连带责任。** + ## Introduce > 本工具用于解决 Fastjson、log4j2、原生JNDI注入等场景中针对高版本JDK无法加载远程恶意类,通过LDAP服务器返回原生Java反序列化数据,受害者(客户端)在具备反序列化Gadget依赖的情况下可达到命令执行、代码执行、回显命令执行、无文件落地内存马注册等。 From f0be5500c90e266b264fb663d4fb3fc8c2c8de91 Mon Sep 17 00:00:00 2001 From: exp1orer <43846937@qq.com> Date: Mon, 27 Dec 2021 17:39:41 +0800 Subject: [PATCH 3/4] Create LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..7f0b540 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2021 exp1orer + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 0938cd11df397ac532793b9c7e9f09a4e031f9ea Mon Sep 17 00:00:00 2001 
From: exp1orer <43846937@qq.com> Date: Tue, 28 Dec 2021 11:22:52 +0800 Subject: [PATCH 4/4] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 355d35f..33894d4 100644 --- a/README.md +++ b/README.md @@ -130,3 +130,8 @@ java -jar JNDI-Inject-Exploit-0.1-all.jar ip="192.168.0.104" url="http://192.168 [feihong-cs/Java-Rce-Echo: Java RCE 回显测试代码](https://github.com/feihong-cs/Java-Rce-Echo) [j1anFen/shiro_attack: shiro反序列化漏洞综合利用,包含(回显执行命令/注入内存马)](https://github.com/j1anFen/shiro_attack) + + +## Stargazers over time + +[![Stargazers over time](https://starchart.cc/exp1orer/JNDI-Inject-Exploit.svg)](https://starchart.cc/exp1orer/JNDI-Inject-Exploit)
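Review bot: In PATCH 1/4, README.md hunk `@@ -4,7 +4,7 @@`, the English blockquote line only gains a trailing period and still does not match the Chinese paragraph above it. The Chinese text says the LDAP server returns native Java serialized data and that the client must already have the deserialization gadget dependencies; the English line leaves out both points and lists Jackson, which the Chinese text does not mention. Since this line is being edited anyway, rewrite it as a faithful translation so that both language versions describe the same mechanism and the same precondition.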
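Review bot: In PATCH 2/4, README.md hunk `@@ -1,5 +1,9 @@`, the new `## 免责声明` section is added in Chinese only, while the `## Introduce` section directly below it carries an English line as well. Add an English rendering of the disclaimer next to the Chinese text so the authorization requirement is readable by the same audience as the introduction. The subject `Update README.md` is also shared by three of the four commits in this series; a subject that names the change (for example, adding the disclaimer) would make the history searchable.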
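Review bot: In PATCH 3/4, the new LICENSE file grants use "without restriction", while the disclaimer added to README.md in PATCH 2/4 limits the tool to authorized testing, and nothing in either file says how the two relate. State in the README that the project is MIT-licensed and that the disclaimer is a usage notice rather than an additional license term, or choose license text that carries the restriction if that is the intent. A link from the README to `LICENSE` is also missing from this series.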
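Review bot: In PATCH 4/4, README.md hunk `@@ -130,3 +130,8 @@`, the `## Stargazers over time` heading is preceded by two empty added lines where the rest of the file separates blocks with one; drop one of them. The badge `https://starchart.cc/exp1orer/JNDI-Inject-Exploit.svg` is also loaded from a third-party host each time the README is rendered, so the page depends on that service staying available and trustworthy; consider whether the chart is worth that external dependency or whether a plain link is enough.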