《JNDI-深入理解万恶之源》

本项目是用来记录自己在研究 JNDI 安全过程中收集到的优秀内容，包括优秀的工具代码技巧或详细深入分析的漏洞文章等资源。JNDI实乃万恶之源！JNDI - The Root of all Evil。作者：0e0w

本项目创建于2021年12月11日，最近的一次更新时间为2023年8月16日。

• 01-JNDI基础知识
• 02-JNDI利用工具
• 03-JNDI上层建筑
• 04-JNDI漏洞分析
• 05-JNDI参考资源

01-JNDI基础知识

• https://mbechler.github.io/2018/11/01/Java-CVE-2018-3149/
• https://mbechler.github.io/2018/01/20/Java-CVE-2018-2633/
• https://xz.aliyun.com/t/7079
• https://kingx.me/Exploit-Java-Deserialization-with-RMI.html
• https://y4er.com/post/use-local-factory-bypass-jdk-to-jndi/
• https://rickgray.me/2016/08/19/jndi-injection-from-theory-to-apply-blackhat-review/
• https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf
• http://blog.topsec.com.cn/java-jndi%E6%B3%A8%E5%85%A5%E7%9F%A5%E8%AF%86%E8%AF%A6%E8%A7%A3/
• https://github.com/longofo/rmi-jndi-ldap-jrmp-jmx-jms
• https://www.cnblogs.com/jony-it/p/10585150.html
• https://xz.aliyun.com/t/12778

02-JNDI利用工具

• https://github.com/bradfitz/jndi
• https://github.com/EmYiQing/LDAPKit
• https://github.com/su18/JNDI
• https://github.com/welk1n/JNDI-Injection-Exploit
• https://github.com/feihong-cs/JNDIExploit
• https://github.com/0x727/JNDIExploit
• https://github.com/veracode-research/rogue-jndi
• https://github.com/quentinhardy/jndiat
• https://github.com/p1n93r/AttackJNDI
• https://github.com/kxcode/JNDI-Exploit-Bypass-Demo
• https://github.com/bradfitz/jndi
• https://github.com/zu1k/ldap-log
• https://github.com/mbechler/marshalsec
• https://github.com/LeakIX/l9fuzz
• https://github.com/zyn3rgy/LdapRelayScan
• https://github.com/wyzxxz/jndi_tool
• https://github.com/ffadd/JNDIKit
• https://github.com/exp1orer/JNDI-Inject-Exploit
• https://github.com/WhiteHSBG/JNDIExploit
• https://github.com/welk1n/JNDI-Injection-Bypass
• https://github.com/achuna33/MYJNDIExploit
• https://github.com/Bl0omZ/JNDIEXP
• https://github.com/su18/ysoserial
• https://github.com/cckuailong/JNDI-Injection-Exploit-Plus
• https://github.com/projectdiscovery/interactsh
• https://github.com/nitnelave/lldap
• https://github.com/novysodope/RMI_Inj_MemShell
• https://github.com/rebeyond/JNDInjector
• https://github.com/r00tSe7en/JNDIMonitor
• https://github.com/l3yx/JNDI-Injection-LDAP-Deserialization
• https://github.com/Hypdncy/JNDIBypassExploit
• https://github.com/qi4L/JYso

03-JNDI上层建筑

04-JNDI漏洞分析

• Weblogic
• Jackson
• Log4j
• Spring
• Fastjson

05-JNDI参考资源

• https://evilpan.com/2021/12/13/jndi-injection/