JNDI-Exploit-Kit
JNDI-Exploitation-Kit(A modified version of the great JNDI-Injection-Exploit created by @welk1n. This tool can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection) (by pimps)
JNDI-Injection-Exploit-Plus
80+ Gadgets(30 More than ysoserial). JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server. (by cckuailong)
| JNDI-Exploit-Kit | JNDI-Injection-Exploit-Plus | |
|---|---|---|
| 2 | 3 | |
| 872 | 595 | |
| - | - | |
| 0.0 | 4.7 | |
| over 2 years ago | 2 months ago | |
| Java | Java | |
| MIT License | MIT License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
JNDI-Exploit-Kit
Posts with mentions or reviews of JNDI-Exploit-Kit.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-12-23.
-
Java deserialization payloads in log4j (Unified starting point)
So I've finished the unified box in stage 2 of the starting point and have tons of questions about the box. In the box they use veracode-research/rogue-jndi to exploit the log4j vulnerability. But when I test it with deserialize payload generated by frohoff/ysoserial it's not running. I've try to look at the java log in the challenge container but can't find anything that java complain or error out. Is it because the ysoserial payload too complex that it running but fail at some point and don't throw error or maybe the author just hard code so that only the payload from rogue-jndi work? can it's because of the java version/framework/library/weirdness? Do I need to test both kind of payload if I want to exploit log4j in the future or just stick with pimps/JNDI-Expoit-Kit or cckuailong/JNDI-Injection_Exploit-Plus (my senior recommendation when exploiting log4j).
- pimps/JNDI-Exploit-Kit: added support to LDAP Serialized Payloads and attack path works in *ANY* java version
JNDI-Injection-Exploit-Plus
Posts with mentions or reviews of JNDI-Injection-Exploit-Plus.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-12-23.
- JNDI-Injection-Exploit-Plus tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server.
- GitHub - cckuailong/JNDI-Injection-Exploit-Plus: 80+ Gadgets(30 More than ysoserial). JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server.
-
Java deserialization payloads in log4j (Unified starting point)
So I've finished the unified box in stage 2 of the starting point and have tons of questions about the box. In the box they use veracode-research/rogue-jndi to exploit the log4j vulnerability. But when I test it with deserialize payload generated by frohoff/ysoserial it's not running. I've try to look at the java log in the challenge container but can't find anything that java complain or error out. Is it because the ysoserial payload too complex that it running but fail at some point and don't throw error or maybe the author just hard code so that only the payload from rogue-jndi work? can it's because of the java version/framework/library/weirdness? Do I need to test both kind of payload if I want to exploit log4j in the future or just stick with pimps/JNDI-Expoit-Kit or cckuailong/JNDI-Injection_Exploit-Plus (my senior recommendation when exploiting log4j).
What are some alternatives?
When comparing JNDI-Exploit-Kit and JNDI-Injection-Exploit-Plus you can also consider the following projects:
ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
AndroRAT - A Simple android remote administration tool using sockets. It uses java on the client side and python on the server side
JNDIExploit - 一款用于JNDI注入利用的工具,大量参考/引用了Rogue JNDI项目的代码,支持直接植入内存shell,并集成了常见的bypass 高版本JDK的方式,适用于与自动化工具配合使用。
DroidFrida - Portable frida injector for rooted android devices.
RmiTaste - RmiTaste allows security professionals to detect, enumerate, interact and exploit RMI services by calling remote methods with gadgets from ysoserial.