摘要
通过对Java反序列化漏洞形成原因及利用原理的研究,结合RMI编程技术,自主设计漏洞扫面及漏洞利用算法,并实现了针对WebLogic中间件的漏洞利用工具,包含自动扫描探测漏洞以及系统命令执行、文件上传等功能。通过实际测试,该工具能准确地发现存在的漏洞主机并有效地利用漏洞执行相关操作,在一定程度上可帮助运维人员及时修补安全隐患,提高业务系统防护水平。
Based on the causes and the exploitation principles of the de-serialized vulnerabilities of Java,in combination with the RMI programming technique,this paper introduces a self-designed algorithm for the scanning and exploiting of vulnerabilities,which can help create a tool of the exploitation of vulnerabilities for the Web Logic middleware with such functions as automatically scanning and detecting vulnerabilities,implementing system commands and uploading files. Practical tests have shown that the tool can accurately discover hosts with vulnerabilities and carry out relevant operations by exploiting them,which can help operation and maintenance staff members patch potential safety hazards and improve their professional skills in the system protection.
出处
《重庆电力高等专科学校学报》
2017年第3期49-53,共5页
Journal of Chongqing Electric Power College
关键词
反序列化
RMI
漏洞扫描
漏洞利用
WEBLOGIC
deserialization
RMI
vulnerability scanning
exploitation of vulnerabilities
Web Logic
