有回显报错检测
增加一个key-value
一、Jackson的基本用法
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/** Minimal round trip: serialize a {@link Person} to JSON and read it back. */
public class Hello {
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();

        Person original = new Person();
        original.age = 1;
        original.name = "Econ";

        // Object -> JSON
        String json = mapper.writeValueAsString(original);
        System.out.println(json); // {"age":1,"name":"Econ"}

        // JSON -> Object (the target type is given explicitly, no type id in the JSON)
        Person restored = mapper.readValue(json, Person.class);
        System.out.println(restored); // Person.age=1, Person.name=Econ
    }
}

/** Plain bean with public fields; Jackson maps them by field name. */
class Person {
    public int age;
    public String name;

    @Override
    public String toString() {
        return String.format("Person.age=%d, Person.name=%s", age, name);
    }
}
二、基于DefaultTyping的序列化与反序列化
属性:
JAVA_LANG_OBJECT
OBJECT_AND_NON_CONCRETE
NON_CONCRETE_AND_ARRAYS
NON_FINAL
序列化:
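import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/**
 * Round trip with default typing enabled: the {@code Object}-typed field is
 * written with a type id ("Dna") so it can be restored polymorphically.
 */
public class Hello {
    public static void main(String[] args) throws IOException {
        Person p = new Person();
        p.age = 1;
        p.name = "Econ";
        p.object = new Dna();

        ObjectMapper mapper = new ObjectMapper();
        // JAVA_LANG_OBJECT: only properties declared as java.lang.Object get a type id.
        // enableDefaultTyping is deprecated since 2.10 in favour of
        // activateDefaultTyping(PolymorphicTypeValidator, DefaultTyping). Either way the
        // class to instantiate is taken from the JSON, so never apply this to untrusted input.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);

        String json = mapper.writeValueAsString(p);
        System.out.println(json); // {"age":1,"name":"Econ","object":["Dna",{"length":1}]}

        Person p2 = mapper.readValue(json, Person.class);
        System.out.println(p2); // Person.age=1, Person.name=Econ, Person.object=Dna.length=1
    }
}

/** Bean with an {@code Object}-typed property that needs a type id to round-trip. */
class Person {
    public int age;
    public String name;
    public Object object;

    @Override
    public String toString() {
        // The original format string had only two placeholders, so the third
        // argument (object) was silently dropped; %s renders null as "null".
        return String.format("Person.age=%d, Person.name=%s, Person.object=%s", age, name, object);
    }
}

/** Payload type carried in {@link Person#object}. */
class Dna {
    public int length = 1;

    @Override
    public String toString() {
        return "Dna.length=" + length;
    }
}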
反序列化:
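import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

/** Deserialization demo. The original JSON literal had unescaped quotes and did not compile. */
public class Hello {
    public static void main(String[] args) throws IOException {
        Jacksonunserialize();
    }

    /**
     * Reads a fixed JSON document into a {@link Person} with default typing enabled.
     *
     * @throws IOException if the JSON cannot be parsed or mapped
     */
    public static void Jacksonunserialize() throws IOException {
        // Double quotes inside a Java string literal must be escaped.
        String json = "{\"age\":1, \"name\":\"econ\"}";
        ObjectMapper mapper = new ObjectMapper();
        // NON_CONCRETE_AND_ARRAYS: type ids are honoured for properties declared as
        // Object, abstract types/interfaces, and arrays of those. Person's fields are
        // concrete, so this input carries no type id; the setting only becomes a risk
        // once the JSON is attacker-controlled (deprecated since 2.10, see
        // activateDefaultTyping with a PolymorphicTypeValidator).
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_CONCRETE_AND_ARRAYS);
        Person person = mapper.readValue(json, Person.class);
        System.out.println(person); // Person.age=1, Person.name=econ
    }
}

/** Plain bean with public fields; Jackson maps them by field name. */
class Person {
    public int age;
    public String name;

    @Override
    public String toString() {
        return String.format("Person.age=%d, Person.name=%s", age, name);
    }
}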
反序列化调用栈分析
1.NativeConstructorAccessorImpl (sun.reflect)
gadget类构造
/**
 * Demonstration gadget: a bean whose setter reaches {@code Runtime.exec}.
 * With default typing enabled and attacker-controlled JSON, the deserializer
 * instantiates the class named by the type id and invokes its setters with
 * JSON-supplied values, so a setter like this turns deserialization into
 * remote code execution. Mitigation is on the consumer side: do not enable
 * default typing for untrusted input, and restrict polymorphic types to an
 * explicit allow-list.
 */
class Dna {
    String cmd;

    // Jackson needs a no-arg constructor to instantiate the type named by the type id.
    Dna() {
        System.out.println("Dna.init()");
    }

    // Invoked by the deserializer for the "cmd" property. Note that the field is
    // overwritten with a literal, but exec() runs the parameter value, i.e. whatever
    // the JSON document supplied.
    public void setCmd(String cmd) throws IOException {
        this.cmd = "calc.exe";
        System.out.println(String.format("Dna.setCmd(%s)", cmd));
        Runtime.getRuntime().exec(cmd);
    }
}
三、基于JsonTypeInfo的序列化与反序列化
四、 绕过历史
CVE-2020-10673
父类ResourceGroupConfig中setLookupName方法进行赋值,调用writeValueAsString方法进行序列化,触发get方法
影响范围:
jackson-databind < 2.9.10.4
JDK < 6u201、7u191、8u182、11.0.1(LDAP)
com.caucho.config.types.ResourceRef ()
调用栈:
1.ObjectMapper.class
2.DeserializationConfig.class
3.ParserMinimalBase.class
4.ReaderBasedJsonParser.class
5.JsonReadContext.class
6.JsonStreamContext.class
7.DefaultDeserializationContext.class
8.DeserializationContext.class
9.DatabindContext.class
10.MapperConfigBase.class
11.JavaType.class
12.DeserializerCache.class
13.SimpleType.class
14.Modifier.class
15.BasicClassIntrospector.class
16.BasicBeanDescription.class
17.BeanDescription.class
18.POJOPropertiesCollector.class
19.MapperConfig.class
20.MapperFeature.class
21.BaseSettings.class
22.JacksonAnnotationIntrospector.class
23.AnnotationIntrospector.class
24.AnnotatedClass.class
25.AnnotationCollector.class
26.LRUMap.class
27.BasicDeserializerFactory.class
28.StdDeserializer.class
29.UntypedObjectDeserializer.class
30.TypeFactory.class
31.ClassUtil.class
32.UntypedObjectDeserializer.class
33.LinkedNode.class
34.ConfigOverrides.class