Found that with the latest version 1.2.67, dnslog can still be used to determine whether the backend uses fastjson #3077
Comments
And there is no need to enable autotype |
nice work, thx! |
Let me post another malformed one
|
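@retanoj awesome, I happened to be discussing this payload with some other researchers this afternoon too |
Learned something new |
The URLDNS gadget triggered via HashMap from ysoserial long ago also works, although it is a bit malformed too
But none of these are much use, all they can do is send a DNS request |
Learned from this |
I don't know why you need to make it that malformed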
|
Looks like the latest bypass will be out soon too :) |
@threedr3am
Even shorter
And again
|
amazing :-) |
So impressive |
Can any sensitive information be obtained? |
https://github.com/alibaba/fastjson/releases/tag/1.2.68 |
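@retanoj, the malformed payloads above can only detect that fastjson is present, right? Are there any ideas for actual exploitation? |
The java.net.Inet4Address payload can only send DNS, there is no way to exploit it, right? |
Although java.net.InetAddress has been blocked, the following two payloads can still be used to detect whether the backend is fastjson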