HTTP request not sent

[DesiralizationLover]

Hello, I really like your project it is great! but ( :-( ) i ran into a problem wile running your exploit test using Castor serializer. When running the gadget of JNDI I've set it up just as you've shown, using the provided LDAP server with a exploit.class just as you've shown in one of your issue responses. The LDAP server returns the URL address as expected but then, there is no request to the HTTP server. Even when I try your -t flag it says RCE achieved but the HTTP server won't recieve any communication. Sorry for the bad english, Thanks!

[mbechler]

The JNDI/LDAP exploitation vector was disabled in later Java versions, so this may be the issue.

[Jackey0]

I have same issue: when I use JNDI-Injection-Exploit.jar ， first ldap request, then http request

but when use marshalsec , ldap request success, but my http.server no request received. every env is same...

[fuemoshi]

i meet same issue

[mbechler]

I vaguely remember that Java does not like if you do not specify a trailing slash for the codebase url. Could that be causing the issue?

[christophetd]

Same behavior here. I attempted to use a patched version prepending a / to the javaCodeBase URL, but it didn't change the behavior.

[drriguz]

same issue here~~

[drriguz]

so I guess most of the guys cames here for the log4j2 cve?

[drriguz]

Hi, there, I tried JDK 1.8.0_181 and it works! any newer JDK8, 11, 17 versions does not work!

[mbechler]

Yes, as mentioned above and in diffent other places (e.g. https://mbechler.github.io/2018/11/01/Java-CVE-2018-3149/) the original remote-classloading RCE does only work on old (or badly configured) Java runtimes. There are however potentially alternative less direct vectors (compare https://www.veracode.com/blog/research/exploiting-jndi-injections-java)

[mbechler]

Howver, @Jackey0 mentioned that another (from what I found this seems mostly a copy of my code) exploit worked in the same instance, which would be curious.

[mbechler]

I put together a post about the relevant exploitation vectors and affected versions: https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

[thehackingsnake]

Hi, there, I tried JDK 1.8.0_181 and it works! any newer JDK8, 11, 17 versions does not work!

Hey, how did you manage it? I'm testing with the same version but I still have the same problem. I used 1.8.0_181 javac to compile the test exploit and java to run the marshalsec etc command. I get the hit on marshal but it doesn't contact the webserver

[mbechler]

The exploited target needs to use <8u191

[thehackingsnake]

I see, I was testing it on Ghidra 9.1 that seemed vulnerable but it uses Java 11.x

[mbechler]

Yes, there is "vulnerable" to the JNDI injection (easy to show) and "exploitable" for RCE (for which with modern Java you need additional preconditions, and that may be much harder to prove/disprove). Blog post above has some pointers.

[ecki]

I used 1.8.0_181 javac to compile the test exploit

it’s not a question of the compiler, it must be an outdated victim runtime (or use a better payload) or just turn on the codebase loading.

[obada-cyber]

should we use the same version of java as the website? \

[mbechler]

The version you run the exploit on and the target version should be independent, but the target version matters very much as stated above on multiple occasions. On your side, best stick to Java 8 to avoid module visibility issues.