CVE-2017-18349 PoC — Pippo FastjsonEngine Fastjson 输入验证漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-18349.yaml

Associated Vulnerability

Title:Pippo FastjsonEngine Fastjson 输入验证漏洞 (CVE-2017-18349)
Description:Pippo是一款基于Java的Web框架。FastjsonEngine是其中的一个JSON处理引擎。Fastjson是其中的一个基于Java的JSON解析器/生成器。 Pippo 1.11.0版本中的FastjsonEngine所使用的Fastjson 1.2.25之前版本的parseObject存在安全漏洞。远程攻击者可通过发送特制的JSON请求利用该漏洞执行任意代码。

Description

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

File Snapshot


 id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!