├── src └── main │ ├── resources │ ├── application.properties │ └── templates │ │ └── index.html │ └── java │ └── com │ └── github │ └── isafeblue │ └── fastjson │ ├── FastjsonAutotypeBypassDemoApplication.java │ ├── entity │ └── Comment.java │ └── controller │ └── CommentController.java ├── README.md └── pom.xml /src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | server.port=80 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # fastjson-autotype-bypass-demo 2 | fastjson 1.2.68 版本有限制autotype bypass 3 | 4 | # 参考 5 | 6 | 《fastjson 1.2.68 autotype bypass 反序列化漏洞 gadget 的一种挖掘思路》:https://b1ue.cn/archives/382.html 7 | 8 | 《fastjson 1.2.68 最新版本有限制 autotype bypass》:https://b1ue.cn/archives/348.html 9 | -------------------------------------------------------------------------------- /src/main/java/com/github/isafeblue/fastjson/FastjsonAutotypeBypassDemoApplication.java: -------------------------------------------------------------------------------- 1 | package com.github.isafeblue.fastjson; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class FastjsonAutotypeBypassDemoApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(FastjsonAutotypeBypassDemoApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /src/main/java/com/github/isafeblue/fastjson/entity/Comment.java: -------------------------------------------------------------------------------- 1 | package com.github.isafeblue.fastjson.entity; 2 | 3 | /** 4 | * @author 浅蓝 5 | * @email blue@ixsec.org 6 | * @since 2020/5/9 12:58 7 | */ 8 | public class Comment { 9 | 10 | private String 
name; 11 | private String email; 12 | private String content; 13 | 14 | public String getName() { 15 | return name; 16 | } 17 | 18 | public void setName(String name) { 19 | this.name = name; 20 | } 21 | 22 | public String getEmail() { 23 | return email; 24 | } 25 | 26 | public void setEmail(String email) { 27 | this.email = email; 28 | } 29 | 30 | public String getContent() { 31 | return content; 32 | } 33 | 34 | public void setContent(String content) { 35 | this.content = content; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.7.RELEASE 9 | 10 | 11 | com.github.iSafeBlue 12 | fastjson-autotype-bypass-demo 13 | 0.0.1-SNAPSHOT 14 | fastjson-autotype-bypass-demo 15 | fastjson-autotype-bypass-demo 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | 24 | com.alibaba 25 | fastjson 26 | 1.2.68 27 | 28 | 29 | 30 | org.seleniumhq.selenium 31 | selenium-api 32 | 3.141.59 33 | 34 | 35 | 36 | 37 | org.springframework.boot 38 | spring-boot-starter-web 39 | 40 | 41 | org.springframework.boot 42 | spring-boot-starter-thymeleaf 43 | 44 | 45 | 46 | 47 | 48 | 49 | org.springframework.boot 50 | spring-boot-maven-plugin 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /src/main/resources/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Hello World 6 | 7 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 |
序号姓名邮箱留言
45 | 46 | 47 |
48 | 49 | 50 |
51 |
52 |
53 |
54 | 55 |
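// /src/main/java/com/github/isafeblue/fastjson/controller/CommentController.java
package com.github.isafeblue.fastjson.controller;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;
import com.github.isafeblue.fastjson.entity.Comment;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

import java.util.ArrayList;
import java.util.List;

/**
 * Guestbook controller of the fastjson autotype-bypass demo.
 *
 * <p>This class is the deliberately exposed entry point of the demo:
 * {@link #addComment(String)} passes the raw HTTP request body to
 * {@code JSON.parseObject(String)}, and the project's pom.xml pins fastjson 1.2.68,
 * the version whose autotype check the README describes as bypassable under
 * restrictions. {@code ParserConfig} is imported but never used, so nothing in this
 * class turns on fastjson's safe mode.
 *
 * <p>Hardening for anything other than a lab: enable safe mode
 * ({@code ParserConfig.getGlobalInstance().setSafeMode(true)}, available from 1.2.68),
 * move to a maintained fastjson release, and bind the body to the concrete
 * {@link Comment} type instead of a generic {@link JSONObject}.
 *
 * @author 浅蓝
 * @email blue@ixsec.org
 * @since 2020/5/9 12:56
 */
@Controller
public class CommentController {

    /**
     * In-memory comment store shared by every request, seeded with one sample entry.
     *
     * <p>It is a plain {@link ArrayList}: unsynchronized and unbounded, so it is only
     * suitable for a single-user demo. The element type is declared explicitly so the
     * compiler checks what goes into the list.
     */
    public static List<Comment> comments = new ArrayList<Comment>() {
        {
            Comment comment = new Comment();
            comment.setName("Tom");
            comment.setContent("Hello World.");
            comment.setEmail("tom@gmail.com");
            add(comment);
        }
    };

    /**
     * Renders the guestbook page.
     *
     * @return the {@code index.html} view with the current list exposed as {@code comments}
     */
    @RequestMapping("/")
    public ModelAndView index() {
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("index.html");
        modelAndView.addObject("comments", comments);
        return modelAndView;
    }

    /**
     * Parses the request body as JSON and stores a new comment built from its
     * {@code name}, {@code email} and {@code content} fields.
     *
     * @param comment raw request body; fully controlled by the remote client
     * @return the literal string {@code "1"} once the comment has been stored
     */
    @RequestMapping("addComment")
    @ResponseBody
    public String addComment(@RequestBody String comment) {
        // SECURITY (kept on purpose, this is the demo's sink): untyped parseObject on
        // untrusted input lets the document itself name classes through the "@type"
        // key, subject only to fastjson's autotype checks. What a bypass can reach
        // depends on the classes present on the classpath. See the class Javadoc for
        // the mitigations; do not copy this call into production code.
        JSONObject jsonObject = JSON.parseObject(comment);

        Comment temp = new Comment();
        temp.setName(jsonObject.getString("name"));
        temp.setEmail(jsonObject.getString("email"));
        temp.setContent(jsonObject.getString("content"));

        // The three values are stored without validation or length limits and are later
        // handed to the index.html template.
        // NOTE(review): the template markup is not visible here; confirm it escapes output.
        comments.add(temp);
        return "1";
    }

}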
--------------------------------------------------------------------------------