So the attacking server sends back a serialized object during the jndi request and then deserialized method is called on that object?
How does the downloaded java class get executed though? I get that you can get the logger to download from a server but what needs to be on the server? e.g. how does it trigger the malicious java class? Does it need to…
So the attacking server sends back a serialized object during the jndi request and then deserialized method is called on that object?
How does the downloaded java class get executed though? I get that you can get the logger to download from a server but what needs to be on the server? e.g. how does it trigger the malicious java class? Does it need to…