welk1n / JNDI-Injection-Exploit

JNDI injection testing tool (a tool which generates JNDI links and can start several servers to exploit JNDI injection vulnerabilities, like Jackson, Fastjson, etc.)
MIT License
2.59k stars 725 forks

Is LDAP vector possible when trusturlcodebase is set to False #3

Closed l33tgrl closed 4 years ago

l33tgrl commented 4 years ago

Hi @welk1n,

I can see that you have a malicious RMI server option when trustURLcodebase is set to false and the Java version is 1.8.191+.

I was wondering if we can do the same thing via an LDAP server as well.

Thanks

welk1n commented 4 years ago

FYI: https://mp.weixin.qq.com/s/0LePKo8k7HDIjk9ci8dQtA (some code on this page can be useful).