JNDIExploit or a ysoserial.

• UpdatedMar 12, 2025
• Java

80+ Gadgets(30 More than ysoserial). JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and provide background services by starting RMI server,LDAP server and HTTP server.

• UpdatedJun 24, 2024
• Java

Antenna是58同城安全团队打造的一款辅助安全从业人员验证网络中多种漏洞是否存在以及可利用性的工具。其基于带外应用安全测试(OAST)通过任务的形式，将不同漏洞场景检测能力通过插件的形式进行集合，通过与目标进行out-bind的数据通信方式进行辅助检测。

• UpdatedJun 6, 2023
• JavaScript

Common Exploitation Techniques for Java RCE Vulnerabilities in Real-World Scenarios | 实战场景较通用的 Java Rce 相关漏洞的利用方式

• UpdatedMar 6, 2025
• Java

JNDI 注入利用工具, 支持 RMI, LDAP 和 LDAPS 协议, 包含多种高版本 JDK 绕过方式 | A JNDI injection exploit tool that supports RMI, LDAP and LDAPS protocols, including a variety of methods to bypass higher-version JDK

• UpdatedOct 18, 2024
• Java

一款用于JNDI注入利用的工具，大量参考/引用了Rogue JNDI项目的代码，支持直接植入内存shell，并集成了常见的bypass 高版本JDK的方式，适用于与自动化工具配合使用。

• UpdatedSep 6, 2022
• Java

一个LDAP请求监听器，摆脱dnslog平台

• UpdatedApr 7, 2023
• Java

Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046

• UpdatedApr 7, 2024
• Go

Log4j jndi injection fuzz tool

• UpdatedDec 24, 2021
• Python

Abuse Log4J CVE-2021-44228 to patch CVE-2021-44228 in vulnerable Minecraft game sessions to prevent exploitation in the session :)

• UpdatedDec 12, 2021
• Java

Check, exploit, generate class, obfuscate, TLS, ACME about log4j2 vulnerability in one Go program.

• UpdatedDec 23, 2021
• Go

pyyso is a Python package that generate java serialized poc. Including CommonsCollections1-7, JDK7u21, JDK8u20, ldap for jndi, shiro-550, CommonsBeanutils1 no cc, JRMPClient, high version JDK Bypass, Fake MySQL for JDBC attack

• UpdatedNov 5, 2022
• Python

《JNDI-深入理解Java万恶之源》

• UpdatedNov 13, 2023

CVE-2021-2109 && Weblogic Server RCE via JNDI

• UpdatedJan 22, 2021
• Java

A repository of Jboss CLI snippets

• UpdatedJun 20, 2019

• UpdatedDec 11, 2021
• Java

A drop in replacement for the standard Tomcat DataSourceFactory that allows the database connection password to be encrypted using a symmetric key for the purposes of security.

• UpdatedNov 10, 2019
• Java

Selection of ways to remove JndiLookup in now obsolete Minecraft versions, or versions that still have log4j < 2.10 and is unable to use `-Dlog4j2.formatMsgNoLookups=true`

• UpdatedDec 15, 2021
• Java

A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228.

• UpdatedDec 13, 2021
• Go

Help fuzz various protocols and waits for ping backs Integrates LDAP server and JNDI payload

• UpdatedDec 27, 2021
• Go