漏洞描述
探测存在fastjsonFastjson是阿里巴巴公司开源的一款json解析器,其性能优越,被广泛应用于各大厂商的Java项目中。fastjson于1.2.24版本后增加了反序列化白名单,而在1.2.48以前的版本中,攻击者可以利用特殊构造的json字符串绕过白名单检测,成功执行任意命令。
fastjson v1.2.47 反序列化漏洞
PoC代码
暂无相关漏洞推荐
- POC CVE-2025-1302: JSONPath Plus < 10.3.0 - Remote Code Execution
- fastjson-rce-all: Fastjson Deserialization RCE
- hikvision-center-fastjson-rce: 海康威视综合安防-运行管理中心-Fastjson-远程命令执行漏洞
- POC CVE-2017-18349: Fastjson Insecure Deserialization - Remote Code Execution
- POC CVE-2020-28429: geojson2kml - Command Injection
- POC landray-oa-datajson-rce: Landray OA Datajson RCE
- POC yunanbao-authservice-fastjson-rce: 云匣子 FastJson反序列化RCE漏洞
- POC config-json-exposure-fuzz: Exposed JSON Configuration Files
- POC config-json: Configuration File - Detect
- POC auth-json: Auth.json File - Disclosure
- POC azuredeploy-json: Azure Resource Manager Template - File Exposure
- POC composer-auth-json: Composer-auth Json File Disclosure
- POC credentials-json: Credentials File Disclosure