add Feign case :)

Author: Whoopsunix

README.md

@@ -1,7 +1,9 @@
 # fastjson 全版本漏洞复现
+
 By. Whoopsunix
 
 # Why fastjson？
+
 fastjson复现简单、调用链多，很多时候反而更像是在看其他组件的序列化链，很适合拿来做java研究
 
 所以起了个项目记录自己复现过的POC，顺便记录pom依赖，毕竟找环境还是挺麻烦的
@@ -10,23 +12,38 @@ fastjson复现简单、调用链多，很多时候反而更像是在看其他组
 https://github.com/Whoopsunix/fastjson_study
 
 # 环境
-[环境](https://github.com/Whoopsunix/PPPVULNS/tree/master/fastjsonDemo)
 
-# json框架区分、dnslog、版本探测、利用链探测
+[环境](https://github.com/Whoopsunix/PPPVULNS/tree/master/components/fastjsonDemo)
+
+# json检测
+
+通过实战案例记录不断更新，如何区分不同的框架、dnslog探测、版本探测、利用链探测
+
 [fastjson check](fastjsonCheck/fastjsonCheck.md)
 
 # 全版本poc合集
+
 [1.2.24-1.2.80 poc](recurring.md)
 
 # bypass
+
+绕过手段
+
 [bypass](bypass/bypass.md)
 
+# 其他利用
+
+二次反序列化、原生反序列化相关在其他项目中
+
 # 感谢以下师傅的研究
-+  https://github.com/LeadroyaL/fastjson-blacklist fastjson黑白名单
-+  https://github.com/safe6Sec/Fastjson  目前最全的poc合集
-+  https://github.com/su18/hack-fastjson-1.2.80 1.2.80 POC
-+  https://github.com/safe6Sec/ShiroAndFastJson 1.2.80 poc含环境
-+  https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA  版本区分
-+  https://b1ue.cn/archives/506.html 浅蓝博客
-+  https://github.com/knownsec/KCon/tree/master/2022 浅蓝kcon分享
-+  https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/ 雨了个雨 低版本 bcel
+
++
++ https://github.com/LeadroyaL/fastjson-blacklist fastjson黑白名单
++ https://github.com/safe6Sec/Fastjson  目前最全的poc合集
++ https://github.com/su18/hack-fastjson-1.2.80 1.2.80 POC
++ https://github.com/safe6Sec/ShiroAndFastJson 1.2.80 poc含环境
++ https://mp.weixin.qq.com/s/5mO1L5o8j_m6RYM6nO-pAA  版本区分
++ https://b1ue.cn/archives/506.html 浅蓝博客
++ https://github.com/knownsec/KCon/tree/master/2022 浅蓝kcon分享
++ https://www.yulegeyu.com/2022/11/12/Java%E5%AE%89%E5%85%A8%E6%94%BB%E9%98%B2%E4%B9%8B%E8%80%81%E7%89%88%E6%9C%ACFastjson-%E7%9A%84%E4%B8%80%E4%BA%9B%E4%B8%8D%E5%87%BA%E7%BD%91%E5%88%A9%E7%94%A8/
+  雨了个雨 低版本 bcel

bypass/bypass.md

@@ -7,58 +7,75 @@ JSON.parse("{\"@type\":\"org.example.User\",\"username\":\"1\"}")
 ```
 
 # WAF bypass
+
 demo
+
 ```json
 {
-	"@type":"org.example.User",
-	"username":"1"
+  "@type": "org.example.User",
+  "username": "1"
 }
 ```
 
 # 编码绕过
+
 fastjson 对 key,value 值会自动进行 hex 解码和 unicode解码
+
 hex
+
 ```json
 {
-	"\x40\x74\x79\x70\x65":"\x6f\x72\x67\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x55\x73\x65\x72",
-	"username":"1"
+  "\x40\x74\x79\x70\x65": "\x6f\x72\x67\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x55\x73\x65\x72",
+  "username": "1"
 }
 ```
 
 unicode
+
 ```json
 {
-	"@type":"\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072",
-	"username":"1"
+  "@type": "\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072",
+  "username": "1"
+}
+
+{
+  "\u0040\u0074\u0079\u0070\u0065": "\u006f\u0072\u0067\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0055\u0073\u0065\u0072",
+  "username": "1"
 }
 ```
 
 # 字符填充
+
 ```json
 {
-	"@type":"org.example.User",
-	"username":"1",
-	"f":"a*20000"
+  "@type": "org.example.User",
+  "username": "1",
+  "f": "a*20000"
 }
 ```
 
 二次反序列化
 
 $ref
+
 http://www.bmth666.cn/bmth_blog/2022/04/11/Fastjson%E6%BC%8F%E6%B4%9E%E5%AD%A6%E4%B9%A0/#%E9%A2%98%E7%9B%AE%E5%A4%8D%E7%8E%B0
 
 编码
+
 https://blog.csdn.net/fmyyy1/article/details/121674546
 
-绕过 WAF ，在部分中间件中，multipart 支持指定 Content-Transformer-Encoding 可以使用 Base64 或 quoted-printable （QP 编码） 来绕过 WAF
+绕过 WAF ，在部分中间件中，multipart 支持指定 Content-Transformer-Encoding 可以使用 Base64 或 quoted-printable （QP 编码）
+来绕过 WAF
 
 大量字符绕过 WAF
+
 ```
 [11111111111111111111111111111111111,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,[11111111111111111111111111111111111... ,...,{'\x40\u0074\x79\u0070\x65':xjava.lang.AutoCloseable"... ]]]]]
 
 ```
 
 各种特性
+
 ```
 ,new:[NaN,x'00',{,/*}*/'\x40\u0074\x79\u0070\x65':xjava.lang.AutoClosea ble"
 ```