Submit #209767: JNDI injection tool JNDIExploit has an arbitrary file reading vulnerability

Title: JNDI injection tool JNDIExploit has an arbitrary file reading vulnerability
Description: JNDIExploit is a widely used vulnerability exploitation tool, and many other tools also use or are based on JNDIExploit. The HTTP server will be started by default. The corresponding code for the tool's HTTP server is located in the project at "src/main/java/com/feihong/ldap/HTTPServer.java". When the suffix name does not belong to any of the if else branches, it will enter handleFileRequest.

Vulnerability code:

    private static void handleFileRequest(HttpExchange exchange) throws Exception {
        String path = exchange.getRequestURI().getPath();
        // Only the text after the last "/" is kept and appended to <cwd>/data/
        String filename = cwd + File.separator + "data" + File.separator + path.substring(path.lastIndexOf("/") + 1);
        File file = new File(filename);
        if (file.exists()) {
            byte[] bytes = new byte[(int) file.length()];
            FileInputStream fileInputStream = new FileInputStream(file);
            fileInputStream.read(bytes);
            exchange.sendResponseHeaders(200, file.length() + 1);
            exchange.getResponseBody().write(bytes);
        } else {
            System.out.println("[!] Response Code: " + 404);
            exchange.sendResponseHeaders(404, 0);
        }
        exchange.close();
    }

It will get the last / and splice it with the current pwd, but in the Windows system, the path is represented by \, so running the tool on Windows will cause the corresponding arbitrary file to be read.

Here I use Python to attack. You can see that the file contents are returned. And I do have this file in my D drive.
Source: https://github.com/WhiteHSBG/JNDIExploit/issues/10
User: kaikaix (UID 30740)
Submission: 09/17/2023 07:29 (3 years ago)
Moderation: 09/29/2023 07:05 (12 days later)
Status: Accepted
VulDB entry: 240866 [WhiteHSBG JNDIExploit 1.4 on Windows HTTPServer.java handleFileRequest path traversal]
Points: 20
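
One way to harden the file lookup described in the submission, as an added example that is not JNDIExploit's code or a fix from the project. The class `SafeFileResolver` and method `resolve` are hypothetical names, and the sample requests in `main` are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

public class SafeFileResolver {
    // Returns the file to serve, or empty when the request must get a 404.
    static Optional<Path> resolve(Path dataDir, String requestPath) {
        // Treat '\' as a separator too, whatever the host OS is, then keep the last segment.
        String name = requestPath.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Reject empty and dot names, and ':' (drive letters, NTFS alternate streams).
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf(':') >= 0) {
            return Optional.empty();
        }
        try {
            Path base = dataDir.toAbsolutePath().normalize();
            Path candidate = base.resolve(name).normalize();
            // Containment check: the resolved file must sit directly inside data/.
            if (!base.equals(candidate.getParent()) || !Files.isRegularFile(candidate)) {
                return Optional.empty();
            }
            return Optional.of(candidate);
        } catch (InvalidPathException e) {
            return Optional.empty(); // characters the file system does not accept
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary "data" directory holding one file.
        Path data = Files.createTempDirectory("data");
        Files.write(data.resolve("a.txt"), "ok".getBytes());
        String[] requests = { "/a.txt", "/x/a.txt", "/..\\a.txt", "/..", "/a.txt:s", "/missing" };
        for (String r : requests) {
            System.out.println(r + " -> " + resolve(data, r).map(p -> "serve " + p.getFileName()).orElse("404"));
        }
    }
}
```

Requests that carry backslashes are reduced to their final segment before the lookup, so the handler can only ever open a regular file located directly in the data directory.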
