漏洞描述
fastjson是阿里巴巴的开源JSON解析库,它可以解析JSON格式的字符串,支持将JavaBean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBean,由于具有执行效率高的特点,应用范围广泛。利用该漏洞在autoType关闭的情况下仍然可以绕过黑白名单防御机制,造成远程命令执行漏洞。
Fastjson 1.2.68 远程代码执行漏洞
PoC代码
暂无相关漏洞推荐
- ERG2 1350W 路由器默认口令漏洞
- AirCam IP 150CAM 摄像头默认口令漏洞
- 畅捷通-TPlus /tplus/ajaxpro/ASP_sm_setupaccount_versionupdate_selectbackupfileonserver_aspx App_Web_selectbackupfileonserver.aspx.1cbd2a00.ashx 目录遍历漏洞
- WordPress Yoco Payments plugin /wp-json/yoco/logs 目录遍历漏洞(CVE-2025-13801)
- POC CVE-2012-10018: WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload
- POC CVE-2024-24882: Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation
- POC CVE-2024-29138: WordPress Restrict User Access <= 2.5 - Cross-Site Scripting
- POC CVE-2025-52691: SmarterMail - Unrestricted File Upload
- POC CVE-2025-60188: Atarim < 4.2.2 - Sensitive Information Exposure
- POC CVE-2006-3392: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
- POC CVE-2011-3600: Apache OFBiz - XML External Entity Injection
- POC CVE-2015-8350: WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
- POC CVE-2016-15043: WP Mobile Detector <= 3.5 - Unrestricted File Upload