
What is the Fastjson deserialization vulnerability?

2025-01-16 Update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 05/31 Report

This article introduces how Fastjson deserialization vulnerabilities arise. The content is quite detailed; interested readers can refer to it, and we hope it helps.

Fastjson for Java has had a number of deserialization vulnerabilities and bypasses exposed, and there is also a Fastjson library in the .NET world. Its author officially claims that it is the most efficient JSON read/write component for .NET: with the built-in method JSON.ToJSON you can quickly serialize .NET objects, and it makes it easy to convert any .NET type (objects, basic data types, and so on) to JSON.

Fastjson is an open source .NET JSON library (download address: http://www.codeproject.com/Articles/159450/fastJSON). The detailed performance comparison during deserialization is shown in the following figure.

From the diagram we can see that, compared with the older Json.Net, Stack and others, its speed and performance advantage is obvious. The reason is that the component's author uses reflection to emit a large amount of IL code; IL is managed code that the runtime compiles directly, so performance improves greatly. However, in some scenarios, when developers use the JSON.ToObject method to deserialize untrusted data, this creates a deserialization vulnerability that leads to remote code execution (RCE). In this article the author introduces and reproduces it from the perspective of principle and code audit.

II. Fastjson serialization

Converting .NET objects to JSON data is easily done with JSON.ToJSON. ToJSON first obtains the assembly-qualified name of the object's type and uses it as the key of $types; the object's member property names become keys in the JSON data, and the member property values become the values. The problem is illustrated with an example. First, the TestClass object defines three members and implements a static method ClassMethod that starts a process. Serialization then creates an object instance and assigns values to its members.

To minimize the chance that serialization throws an exception, the author uses the second parameter of the JSON.ToJSON method, an instance of JSONParameters, most of whose fields are Boolean values.

The field relevant to the deserialization vulnerability is UseExtensions: set it to true and the fully qualified class name is emitted. If null values do not need to be serialized, the field SerializeNullValues can be set to false. The author then calls JSON.ToJSON to obtain the serialized JSON data.
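The following is an added example (not the article's own Demo) that shows where the type name ends up in the serialized text when UseExtensions is on, and that it disappears when it is off. The class TestClass with the members Name, Age and Note, the assembly name and the field values are assumptions for illustration; the exact $types string depends on the assembly and fastJSON version.

```csharp
using System;
using fastJSON;

// Assumed sample class: three plain members, one of them left null so the
// effect of SerializeNullValues is visible.
public class TestClass
{
    public string Name { get; set; }
    public int Age { get; set; }
    public string Note { get; set; }
}

class Program
{
    static void Main()
    {
        var obj = new TestClass { Name = "demo", Age = 1 };   // Note stays null

        // Settings the article discusses: emit type information, skip nulls.
        var withTypes = new JSONParameters
        {
            UseExtensions = true,        // writes $types / $type with the assembly-qualified name
            SerializeNullValues = false  // omits the null Note member
        };

        // The first output carries a "$types" entry naming TestClass and its
        // assembly; that string is what a deserializer later trusts.
        Console.WriteLine(JSON.ToJSON(obj, withTypes));

        // With extensions off, only the member names and values are written.
        var plain = new JSONParameters { UseExtensions = false, SerializeNullValues = false };
        Console.WriteLine(JSON.ToJSON(obj, plain));

        // Round trip into a type the application chooses itself.
        TestClass back = JSON.ToObject<TestClass>(JSON.ToJSON(obj, withTypes));
        Console.WriteLine(back.Name + " " + back.Age);
    }
}
```

Comparing the two printed documents makes the security-relevant difference concrete: the $types value is ordinary text inside the JSON, so whoever controls the JSON later controls that type name.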

III. Fastjson deserialization

3.1 Deserialization usage

Deserialization converts JSON data back into objects. Fastjson implements it with the JSON.ToObject method, which has several overloads. When two parameters are passed, the first is the serialized data and the second is a JSONParameters instance whose configuration options specify how the data is handled. The overloads are shown in the following figure.

For the specific code, refer to the following Demo.

3.2 Building the PoC

The trigger point of the vulnerability lies in whether $types in the serialized JSON is attacker-controllable; the official documentation also carries a warning about this.

The author again chooses the ObjectDataProvider class, which makes it convenient to call a method of any referenced class. For more on how this class is used, see ".NET Advanced Code Audit (lesson 1) XmlSerializer deserialization vulnerability". Because the Process.Start method needs the properties of the ProcessStartInfo class configured, such as the file name and the startup arguments, first consider serializing ProcessStartInfo. The following code Demo proceeds step by step: first obtain the Type of the current class via GetType and store it in the Type variable T3; then use Type.GetProperty to look up the public property named FileName and assign it to the PropertyInfo variable propertyName; then use PropertyInfo.SetValue to set that property of the object to "cmd.exe", and set the Arguments property in the same way. The next step is to serialize the Process class and call its StartInfo launcher; the Demo follows.

Then the output needs to be trimmed: remove the irrelevant System.RuntimeType and System.IntPtr data to obtain the final deserialization payload. FastJson defines multiple ToObject overloads; for the deserialization vulnerability it does not matter whether the overload takes one parameter or several, all of them can trigger it. The author successfully pops up the calculator by deserializing with JSON.ToObject(payload) in the following Demo.

IV. Code audit perspective

From the code audit perspective, the vulnerability's taint points are easy to find. From the previous sections, the key condition is that JSON.ToObject deserializes whatever String or Object it is passed. In the following JSONSerializer class, for example, an attacker can trigger the deserialization vulnerability simply by controlling the incoming string parameter json. There is also a large amount of unsafe example code on GitHub, such as the following.

V. Case review

Finally, the following example reviews the whole process, showing the calculator being popped up through the deserialization vulnerability while debugging in VS.

1. Open http://localhost:5651/Default and POST to load the value parameter

2. Deserialize via ToObject and pop up the calculator
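The following added example (not the article's code) serves both the code audit section and the case review above: it shows the JSONSerializer sink pattern in which the JSON text chooses the type, beside a hardened handler that fixes the target type itself. The class names, the UserDto fields, the Default.aspx page and the request field "value" are assumptions for illustration; the example also assumes the fastJSON build in use exposes JSON.Parse, which returns a generic Dictionary/List structure without binding types.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using fastJSON;

// Vulnerable pattern from the audit section: the type to instantiate is
// taken from the JSON itself. Name and shape are assumed.
public class JSONSerializer
{
    public object Deserialize(string json)
    {
        // $types/$type inside json decide which class is created and which
        // setters run, so attacker-controlled json is a code execution sink.
        return JSON.ToObject(json);
    }
}

// Hardened alternative: the application decides the target type and never
// lets the input select one.
public class UserDto
{
    public string Name { get; set; }
    public int Age { get; set; }
}

public static class SafeDeserializer
{
    public static UserDto Deserialize(string json)
    {
        // 1. Parse into a generic structure first; no type binding happens here
        //    (JSON.Parse is assumed to be available in this fastJSON build).
        var parsed = JSON.Parse(json) as Dictionary<string, object>;
        if (parsed == null)
            throw new ArgumentException("expected a JSON object");

        // 2. Defense in depth: refuse any type-selection keys instead of
        //    trusting them. The real protection is step 3, not this check.
        foreach (var key in parsed.Keys)
            if (key.StartsWith("$", StringComparison.Ordinal))
                throw new ArgumentException("type metadata is not accepted: " + key);

        // 3. Map only the fields the application expects into a fixed DTO.
        object name, age;
        var dto = new UserDto();
        if (parsed.TryGetValue("Name", out name)) dto.Name = name as string;
        if (parsed.TryGetValue("Age", out age)) dto.Age = Convert.ToInt32(age);
        return dto;
    }
}

// Usage from a Web Forms page like the case review's Default (assumed).
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;
        string value = Request.Form["value"];

        // Vulnerable line, kept as a comment: whatever $types names is created.
        // object anything = new JSONSerializer().Deserialize(value);

        UserDto user = SafeDeserializer.Deserialize(value);
        Response.Write(HttpUtility.HtmlEncode(user.Name));
    }
}
```

When auditing, the line to search for is any call to JSON.ToObject whose string argument traces back to a request, file or message; a fixed DTO with explicit field mapping, as in SafeDeserializer, removes the attacker's control over the instantiated type regardless of which ToObject overload the original code used.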

Finally, an animated GIF is attached.

That is all on how Fastjson deserialization vulnerabilities work. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so more people can see it.
