rogue-jndi

Adding JNDI gadgets based on JDBC connection pooling classes.

Open benny-sec opened this issue 1 year ago • 1 comments

These gadgets trigger an RCE by abusing the JDBC connection string to a vulnerable DB.

benny-sec, Jul 16 '23 08:07

Hi

Since the forceString in the org.apache.naming.factory.BeanFactory is replaced with a String setter lookup from Tomcat 9.0.63 / 8.5.79 onwards, adding in a JDBC route as mentioned in the research of 浅蓝’s blog post seems to be helpful with the newer Tomcat versions. Please note, my proficiency with Java is quite limited and hence these additions may not have an optimal implementation / clean code; kindly let me know your input and I'll rework it as needed. Thank you

Kind Regards, SnowyOwl
