2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to test Fastjson deserialization through an XML interface. The content is concise and easy to follow, and the detailed walkthrough should give you something useful.
Introduction
In real business development, an application often has to parse request data in XML or JSON form. For example, WeChat scan-to-pay exchanges data with the payment platform in XML format, as required by the WeChat developer documentation. For data carried in XML, the first thing that comes to mind is an XXE attack. Through XXE, the following can be achieved:
Sensitive information disclosure (reading sensitive files and listing directories through the file protocol)
Denial of service caused by recursive entity expansion
SSRF
Remote code execution, if PHP has the expect extension enabled
……
XXE can achieve RCE under certain conditions, but it is nowhere near as direct as vulnerabilities such as arbitrary file upload or deserialization. What follows is a record of an internal security test.
Testing Fastjson deserialization in XML
The target mainly interacts by sending requests with Content-Type: application/xml;charset=UTF-8, carrying its data as XML. The first idea is to detect XXE by introducing an external entity, but unfortunately that is blocked.
Looking for another way in, I checked whether there were any function points resembling file upload. Fortunately, an arbitrary file download flaw was found in the file operation function, so I tried to download the relevant code for audit to see whether there were other ways to break in. The process of retrieving the source code is described at https://sec-in.com/article/537.
The system is deployed and started as a jar and is built on Spring Boot. After getting the code, I habitually looked at the imported components and found that the fastjson version introduced is 1.2.24, the same familiar recipe:
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.24</version>
    </dependency>
@RequestBody in Spring is mainly used to receive JSON string data passed from the front end to the back end. Since the fastjson dependency is used, it is likely that some interfaces interact in JSON. Searching for @RequestBody directly, it turned out that @RequestBody also annotates the file download interface:
    @RequestMapping("/fileOper/download")
    @ResponseBody
    public String getOrderDetails(@RequestBody FileOper fileOper) {
        // ...
    }
The guess here was that the system might convert between XML and JSON data. Since fastjson is used, take a look at how it is integrated. Spring Boot uses Jackson by default as its data conversion tool and handles JSON by default. The relevant configuration file is WebMvcConfig, where fastjson is integrated by manipulating the HttpMessageConverter list:
    @Configuration
    public class WebMvcConfig extends WebMvcConfigurationSupport {
        @Override
        public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
            // ...
        }
    }
The overridden extendMessageConverters method adds FastJsonHttpMessageConverter to the original list of message converters:
    FastJsonHttpMessageConverter fjc = new FastJsonHttpMessageConverter();
    FastJsonConfig fj = new FastJsonConfig();
    fj.setSerializerFeatures(SerializerFeature.DisableCircularReferenceDetect);
    fjc.setFastJsonConfig(fj);
    converters.add(fjc);
FastJsonHttpMessageConverter therefore ends up at the end of the list. According to the rules for message converters, Spring selects the first converter in list order that meets the requirements, so by default MappingJackson2HttpMessageConverter, which sits ahead of the newly added converter, would still be used for JSON. It is removed here to ensure that fastjson is used for parsing:
    for (int i = converters.size() - 1; i >= 0; i--) {
        if (converters.get(i) instanceof MappingJackson2HttpMessageConverter) {
            converters.remove(i);
        }
    }
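As an added example (not code from the article or from the audited system), the same WebMvcConfig can be written so that fastjson is only reached for bodies explicitly declared as application/json and can never honour an @type key. The class name and package are mine, and the safeMode switch assumes a fastjson release of 1.2.68 or later:

```java
package com.example.config; // hypothetical package, not the audited system's

import java.util.Collections;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;
import com.alibaba.fastjson.support.config.FastJsonConfig;
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;

@Configuration
public class HardenedWebMvcConfig extends WebMvcConfigurationSupport {

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        // Assumption: fastjson 1.2.68 or later. safeMode disables autoType entirely, so a
        // body containing "@type" is rejected instead of instantiating the named class.
        // The global instance is used so the setting applies no matter which ParserConfig
        // the converter passes to JSON.parseObject. 1.2.24, the version found in the audit,
        // has no such switch; the only fix there is to upgrade the dependency.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Same serializer setting as the audited config.
        FastJsonConfig fj = new FastJsonConfig();
        fj.setSerializerFeatures(SerializerFeature.DisableCircularReferenceDetect);

        FastJsonHttpMessageConverter fjc = new FastJsonHttpMessageConverter();
        fjc.setFastJsonConfig(fj);
        // Declare exactly which media type this converter handles. Spring picks the first
        // converter in the list that claims the request's Content-Type, so a converter that
        // advertises a wildcard silently takes over every body the earlier converters decline.
        fjc.setSupportedMediaTypes(Collections.singletonList(MediaType.APPLICATION_JSON));

        // Same replacement the audited config performs, written with removeIf.
        converters.removeIf(c -> c instanceof MappingJackson2HttpMessageConverter);
        converters.add(fjc);

        // Print the final order together with each converter's media types, so an audit can
        // confirm which converter will answer application/xml and which application/json.
        for (HttpMessageConverter<?> c : converters) {
            System.out.println(c.getClass().getName() + " -> " + c.getSupportedMediaTypes());
        }
    }
}
```

The printed media-type list is the quick check for the issue in this article: if any converter other than the XML one reports a wildcard or an XML type, an XML endpoint's body can still be routed to it by changing Content-Type.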
This confirms that fastjson is indeed introduced and used, or at least that @ResponseBody output goes through fastjson's message converter (the system's responses are returned in JSON). Following the same idea: what actually parses the XML request data, and why does @RequestBody also parse XML? Continuing through the code, the jackson-dataformat-xml component appears in the dependency imports:
    <dependency>
        <groupId>com.fasterxml.jackson.dataformat</groupId>
        <artifactId>jackson-dataformat-xml</artifactId>
        <version>2.9.8</version>
    </dependency>
According to the relevant documentation, Jackson converts XML through the jackson-dataformat-xml component. In essence, the corresponding message converter org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter is registered so that the corresponding requests can be parsed. Depending on the actual need, a parameter such as produces = "application/json;charset=UTF-8" is added to the @RequestMapping annotation of the corresponding method, which controls whether the returned data is JSON or another type. An environment was set up here for verification:
To sum up, the target system should now have two message converters registered:
org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter
FastJsonHttpMessageConverter
According to Spring's rules for message converters, the first converter that meets the requirements is selected in list order. The assumption is that the system's requests can accept both XML and JSON (the request body can be parsed whether it is XML or JSON). To check this, fastjson was integrated into the environment built above as described, and the loaded message converters were printed. The relevant code:
    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        for (HttpMessageConverter<?> messageConverter : converters) {
            System.out.println(messageConverter);
        }
    }
The list of message converters loaded:
    org.springframework.http.converter.ByteArrayHttpMessageConverter@c074c0c
    org.springframework.http.converter.StringHttpMessageConverter@58a55449
    org.springframework.http.converter.ResourceHttpMessageConverter@5949eba8
    org.springframework.http.converter.ResourceRegionHttpMessageConverter@6e0ff644
    org.springframework.http.converter.xml.SourceHttpMessageConverter@58dea0a5
    org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter@2a2bb0eb
    org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter@3c291aad
    com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter@2d0566ba
Both converters are present, which means the XML request data can be converted into JSON for deserialization testing. The actual results from the test environment are attached here:
A normal XML request:
The same request converted to JSON format is also parsed:
Next, the request is converted to JSON format and a deserialization test is performed with dnslog:
dnslog successfully received the record:
The result was passed on to colleagues; what remained was to solve the problem of finding a gadget on the target system, or of the target having no outbound network access.
Conclusion
To sum up, when testing requests transmitted as XML, try a format conversion; if the JSON format can also be parsed, you can attempt to exploit fastjson deserialization, and the same applies to Jackson (since the default JSON converter in Spring Boot 2 is MappingJackson2HttpMessageConverter).
For Spring MVC applications, custom message converters can be added, or the default ones overridden, by configuring the corresponding child elements in the XML configuration, which is also worth following up during an audit:
    ......
    text/html;charset=UTF-8
    application/json;charset=UTF-8
Similarly, in black-box testing, request bodies transmitted as JSON can be converted into XML for XXE-related testing, since the relevant versions of the jackson-dataformat-xml component are also subject to XXE risk:
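The XML side of the same defence, as an added example rather than code from the article: the Jackson XML converter is given a StAX factory that neither processes DTDs nor resolves external entities, and an endpoint designed for XML says so with consumes, so a body re-sent as application/json is refused with 415 Unsupported Media Type before any JSON converter sees it. The class names, the /pay/notify path and the PaymentNotify fields are constructed for this example:

```java
package com.example.config; // hypothetical package, not the audited system's

import java.util.List;

import javax.xml.stream.XMLInputFactory;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

@Configuration
public class XmlHardenedWebMvcConfig extends WebMvcConfigurationSupport {

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        // A StAX factory that skips DTDs and never resolves external entities. This is the
        // parser-level control that removes the XXE cases listed in the introduction, and
        // setting it explicitly keeps the guarantee independent of how the framework
        // happens to build its default XmlMapper.
        XMLInputFactory xmlIn = XMLInputFactory.newFactory();
        xmlIn.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xmlIn.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XmlMapper xmlMapper = new XmlMapper(new XmlFactory(xmlIn));

        // Swap the default XML converter for one backed by the hardened mapper.
        converters.removeIf(c -> c instanceof MappingJackson2XmlHttpMessageConverter);
        converters.add(new MappingJackson2XmlHttpMessageConverter(xmlMapper));
    }
}

// Hypothetical controller. consumes pins the endpoint to XML: a request whose Content-Type
// is switched to application/json no longer reaches whichever JSON converter is in the
// list, which is exactly the format-conversion step this article relies on.
@RestController
class PaymentNotifyController {

    @PostMapping(path = "/pay/notify",
                 consumes = MediaType.APPLICATION_XML_VALUE,
                 produces = MediaType.APPLICATION_JSON_VALUE)
    public String notify(@RequestBody PaymentNotify body) {
        // Business handling omitted; the response format is fixed by produces.
        return "{\"return_code\":\"SUCCESS\"}";
    }
}

// Constructed DTO for the example; field names are not the audited system's.
class PaymentNotify {
    public String outTradeNo;
    public String resultCode;
}
```

The two controls are independent: the parser settings close XXE on the XML path, and consumes closes the content-type switch that turns an XML endpoint into a JSON deserialization sink. An audit of a Spring application should check both, since either one alone leaves the other path open.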
The above is how to test Fastjson deserialization through an XML interface.