| Title | JNDI injection tool JNDIExploit has an arbitrary file reading vulnerability |
|---|
| Description | JNDIExploit is a widely used vulnerability exploitation tool, and many other tools also use or are based on JNDIExploit.
The HTTP server is started by default. The corresponding code for the tool's HTTP server is located in the project at "src/main/java/com/feihong/ldap/HTTPServer.java".
When the suffix does not match any of the if/else branches, the request enters handleFileRequest.
Vulnerable code:
```java
private static void handleFileRequest(HttpExchange exchange) throws Exception {
    String path = exchange.getRequestURI().getPath();
    String filename = cwd + File.separator + "data" + File.separator + path.substring(path.lastIndexOf("/") + 1);
    File file = new File(filename);
    if (file.exists()) {
        byte[] bytes = new byte[(int) file.length()];
        FileInputStream fileInputStream = new FileInputStream(file);
        fileInputStream.read(bytes);
        exchange.sendResponseHeaders(200, file.length() + 1);
        exchange.getResponseBody().write(bytes);
    } else {
        System.out.println("[!] Response Code: " + 404);
        exchange.sendResponseHeaders(404, 0);
    }
    exchange.close();
}
```
It takes everything after the last / and splices it onto the current working directory, but on Windows the path separator is \, so running the tool on Windows allows the corresponding arbitrary file to be read.
Here I use Python to attack.
You can see that the file contents are returned, and I do have this file on my D drive. |
|---|
| Source | ⚠️ https://github.com/WhiteHSBG/JNDIExploit/issues/10 |
|---|
| User | kaikaix (UID 30740) |
|---|
| Submission | 17.09.2023 07:29 (3 years ago) |
|---|
| Moderation | 29.09.2023 07:05 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 240866 [WhiteHSBG JNDIExploit 1.4 on Windows HTTPServer.java handleFileRequest Directory Traversal] |
|---|
| Points | 20 |
|---|
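
The submission above traces the bug to handleFileRequest keeping only the text after the last `/`, which leaves Windows backslashes in the file name. The following is an added example, not code from JNDIExploit or from the submitter, showing one way to harden that lookup; the class `SafeDataFile`, the method `resolve` and the temporary sample files are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: hypothetical hardened lookup, not code from JNDIExploit.
public class SafeDataFile {

    // Returns the real path of a regular file directly inside dataDir,
    // or null if the request must be answered with 404.
    static Path resolve(Path dataDir, String requestPath) throws IOException {
        String name = requestPath.substring(requestPath.lastIndexOf('/') + 1);
        // Accept plain file names only. '\\' and ':' matter on Windows,
        // where they act as path separator and drive/stream marker.
        if (name.isEmpty() || name.equals(".") || name.equals("..")) return null;
        for (char c : name.toCharArray()) {
            if (c == '/' || c == '\\' || c == ':' || c < 0x20) return null;
        }
        try {
            Path base = dataDir.toRealPath();
            Path candidate = base.resolve(name).normalize();
            // Containment check on the normalized path, then again on the
            // real path so a symlink inside data/ cannot point outside it.
            if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) return null;
            Path real = candidate.toRealPath();
            return real.startsWith(base) ? real : null;
        } catch (InvalidPathException e) {
            return null; // characters the platform file system refuses
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/data/sample.txt and <tmp>/outside.txt
        Path root = Files.createTempDirectory("jndi-demo");
        Path data = Files.createDirectory(root.resolve("data"));
        Files.write(data.resolve("sample.txt"), "ok".getBytes());
        Files.write(root.resolve("outside.txt"), "secret".getBytes());

        // Constructed request paths, including one with a backslash.
        String[] requests = { "/sample.txt", "/a/b/sample.txt", "/..\\outside.txt", "/missing.txt", "/" };
        for (String r : requests) {
            Path p = resolve(data, r);
            System.out.println(r + " -> " + (p == null ? "404" : "serve " + p.getFileName()));
        }
    }
}
```

The separator check makes the result independent of the host platform, and the second containment check on the real path covers links placed inside the data directory.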