feat:公开若干个新的jackson、fastjson SSRF gadget（水）

“threedr3am” · “threedr3am” · commit 23ab9ee90b1c · 2020-03-03T23:14:09.000+08:00
diff --git a/README.md b/README.md
@@ -3,10 +3,10 @@
 ---
 
 ### fastjson
-1. com.threedr3am.bug.fastjson.FastjsonSerialize(TemplatesImpl) 利用条件：fastjson <= 1.2.24 + Feature.SupportNonPublicField
-2. com.threedr3am.bug.fastjson.NoNeedAutoTypePoc 利用条件：fastjson < 1.2.48 不需要任何配置，默认配置通杀RCE
-3. com.threedr3am.bug.fastjson.HikariConfigPoc(HikariConfig) 利用条件：fastjson <= 1.2.59 RCE，需要开启AutoType
-4. com.threedr3am.bug.fastjson.CommonsProxyPoc(SessionBeanProvider) 利用条件：fastjson <= 1.2.61 RCE，需要开启AutoType
+1. com.threedr3am.bug.fastjson.rce.FastjsonSerialize(TemplatesImpl) 利用条件：fastjson <= 1.2.24 + Feature.SupportNonPublicField
+2. com.threedr3am.bug.fastjson.rce.NoNeedAutoTypePoc 利用条件：fastjson < 1.2.48 不需要任何配置，默认配置通杀RCE
+3. com.threedr3am.bug.fastjson.rce.HikariConfigPoc(HikariConfig) 利用条件：fastjson <= 1.2.59 RCE，需要开启AutoType
+4. com.threedr3am.bug.fastjson.rce.CommonsProxyPoc(SessionBeanProvider) 利用条件：fastjson <= 1.2.61 RCE，需要开启AutoType
 
 ---
 
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AnterosPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/AnterosPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/Cmd.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/Cmd.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.sun.org.apache.xalan.internal.xsltc.DOM;
 import com.sun.org.apache.xalan.internal.xsltc.TransletException;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CocoonSlidePoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CocoonSlidePoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CommonsProxyPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/CommonsProxyPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/FastjsonSerialize.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/FastjsonSerialize.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.Feature;
@@ -19,7 +19,7 @@ private static void testSimpleExp() {
         try {
             StringBuilder stringBuilder = new StringBuilder();
             stringBuilder.append("{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",");
-            String base64Class = new BASE64Encoder().encode(FileToByteArrayUtil.readCallbackRuntimeClassBytes("com/threedr3am/bug/fastjson/Cmd.class"));
+            String base64Class = new BASE64Encoder().encode(FileToByteArrayUtil.readCallbackRuntimeClassBytes("com/threedr3am/bug/fastjson/rce/Cmd.class"));
             base64Class = base64Class.replaceAll("\\r\\n","");
             stringBuilder.append("\"_bytecodes\":[\""+base64Class+"\"],");
             stringBuilder.append("\"_name\":\"a.b\",");
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HikariConfigPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HikariConfigPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/IbatisSqlmapPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/IbatisSqlmapPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/JndiConverterPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/JndiConverterPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/NoNeedAutoTypePoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/NoNeedAutoTypePoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.rce;
 
 import com.alibaba.fastjson.JSON;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc.java
@@ -1,11 +1,11 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.ssrf;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.common.server.HTTPServer;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType
+ * fastjson <= 1.2.66 RCE，需要开启AutoType (Discovered by threedr3am) 水
  *
  *
  * <dependency>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc2.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/ApacheCxfSSRFPoc2.java
@@ -1,11 +1,11 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.ssrf;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.common.server.HTTPServer;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType
+ * fastjson <= 1.2.66 RCE，需要开启AutoType (Discovered by threedr3am) 水
  *
  *
  * <dependency>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/CommonsJellySSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/CommonsJellySSRFPoc.java
@@ -1,11 +1,11 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.ssrf;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.common.server.HTTPServer;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType
+ * fastjson <= 1.2.66 RCE，需要开启AutoType (Discovered by threedr3am) 水
  *
  *
  * <dependency>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/JREJeditorPaneSSRFPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/ssrf/JREJeditorPaneSSRFPoc.java
@@ -1,11 +1,11 @@
-package com.threedr3am.bug.fastjson;
+package com.threedr3am.bug.fastjson.ssrf;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.ParserConfig;
 import com.threedr3am.bug.common.server.HTTPServer;
 
 /**
- * fastjson <= 1.2.66 RCE，需要开启AutoType（JRE自带依赖）
+ * fastjson <= 1.2.66 RCE，需要开启AutoType（todo JRE自带依赖） (Discovered by threedr3am) 这个还是蛮好的gadget
  *
  * @author threedr3am
  */
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/package-info.java b/jackson/src/main/java/com/threedr3am/bug/jackson/package-info.java
@@ -1,10 +1,10 @@
 /**
  * @author threedr3am
  *
- * CVE-2020-8840    com.threedr3am.bug.jackson.JndiConverterPoc
+ * CVE-2020-8840    com.threedr3am.bug.jackson.rce.JndiConverterPoc
  * CVE-2019-20330   com.threedr3am.bug.jackson.EhcacheJndi2
- * CVE-2019-14379   com.threedr3am.bug.jackson.EhcacheJndi
- * CVE-2019-12384   com.threedr3am.bug.jackson.H2Rce
+ * CVE-2019-14379   com.threedr3am.bug.jackson.rce.EhcacheJndi
+ * CVE-2019-12384   com.threedr3am.bug.jackson.rce.H2Rce
  * CVE-2019-12086   com.threedr3am.bug.jackson.MysqlFileRead
  *
  *
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/AnterosPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/AnterosPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/EhcacheJndi.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/EhcacheJndi.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/H2Rce.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/H2Rce.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/HadoopHikariConfigPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/HadoopHikariConfigPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/HikariConfigPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/HikariConfigPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/IbatisSqlmapPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/IbatisSqlmapPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/JndiConverterPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/JndiConverterPoc.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/LogbackJndi.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/LogbackJndi.java
@@ -1,4 +1,4 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.rce;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/ssrf/JREJeditorPaneSSRFPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/ssrf/JREJeditorPaneSSRFPoc.java
@@ -1,11 +1,13 @@
-package com.threedr3am.bug.jackson;
+package com.threedr3am.bug.jackson.ssrf;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.HTTPServer;
 import java.io.IOException;
 
 /**
- * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType（JRE内置依赖）
+ * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType
+ *
+ * （todo JRE自带依赖） (Discovered by threedr3am) 这个还是蛮好的gadget
  *
  * @author threedr3am
  */

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package com.threedr3am.bug.fastjson;`
	`1`	`+package com.threedr3am.bug.fastjson.rce;`
`2`	`2`
`3`	`3`	`import com.alibaba.fastjson.JSON;`
`4`	`4`	`import com.alibaba.fastjson.parser.ParserConfig;`