Shulou(Shulou.com)05/31 Report--

This article is about how to achieve Fastjson remote code execution vulnerability analysis, the editor thinks it is very practical, so share it with you to learn, I hope you can get something after reading this article, say no more, follow the editor to have a look.

I. Preface

Fastjson is Alibaba's open source JSON parsing library, which can parse strings in JSON format, support serialization of JavaBean into JSON strings, and deserialize from JSON strings to JavaBean.

Second, brief introduction of loopholes

There is a deserialization vulnerability patch bypass below Fastjson version 1.2.48.

Third, loophole harm

According to the analysis of multiple patch flaws in Fastjson by the Douxiang Security Emergency response team, Fastjson is below version 1.2.48 and does not need to be opened by Autotype. An attacker can remotely execute code on a server using Fastjson through a well-constructed request packet.

IV. Scope of influence products

Fastjson

Version

Version 1.2.48 below

module

Fastjson

V. recurrence of loopholes

Use POC to reproduce vulnerabilities.

VI. Restoration plan

1. Upgrade Fastjosn to version 1.2.58 and close Autotype

2.WAF intercepts multiple encoded forms of'@ type','\ u0040type'in Json requests

3. It is recommended to use Jackson or Gson whenever possible

4. Upgrade the JDK version to 8u121pr 7u13pr 6u141 or above.

The above is how to achieve the analysis of Fastjson remote code execution vulnerabilities. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.