lca

真正的不自由，是在自己的心中设下牢笼。

基于dbcp的fastjson rce回显复现

May 28, 2023#渗透测试163

AI-generated summary

This is a guide on how to compile and set up the environment for a fastjson rce echo project on GitHub. It includes configuring Maven and setting.xml, setting up JDK 1.8, packaging the project into a JAR file, and running it. The project is suitable for fastjson versions 1.2.24 and 1.2.33-1.2.47 with JDK 8u251 and Tomcat-DBCP. The guide also includes instructions for reproducing the project using SpringEcho.java and BCELEncode.java.

先进行环境的编译，项目地址：GitHub - depycode/fastjson-local-echo: 基于 dbcp 的 fastjson rce 回显

idea 编译 & 环境设置#

配置好 maven 和 setting.xml

配置 jdk 为 1.8

package 之后生成 jar 文件

运行 jar 文件，启动环境

java -jar demo-0.0.1-SNAPSHOT.jar

浏览器访问

适用场景#

fastjson <= 1.2.24
1.2.33 <= fastjson <= 1.2.47
jdk <= 8u251
存在 tomcat-dbcp

复现#

文件名	介绍
SpringEcho.java	spring 回显代码
BCELEncode.java	将 class 文件进行 bcel 编码

首先将 SpringEcho.java 编译生成 SpringEcho.class 文件，然后用 BCELEncode 对 class 文件进行 bcel 编码

fastjson <= 1.2.24 poc
- 见 github 项目
1.2.33 <= fastjson <= 1.2.47 poc
- 见 github 项目

上处 driverClassName 中的内容通过 BCELEncode 进行编码

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.

Blockchain ID
#53657-46
Owner
0x0bd0c6639592f2265c3dcd019be4fe39e5b00428
Transaction Hash
Creation 0xa3abb2fe...cab0966c70 Last Update 0xa3abb2fe...cab0966c70
IPFS Address
ipfs://bafkreidaoys44sk3lles2bsgu33w3lu3qyrubhediaarxlcqsvdje3gzlq