Fastjson-Gadgets-Automatic-Scanner

Introduction

In computer science, an Abstract Syntax Tree (AST), or simply a syntax tree, is an abstract representation of the grammatical structure of source code. It represents the syntax of the programming language as a tree, where each node stands for a construct in the source code.

This project uses Abstract Syntax Tree (AST) analysis to automatically scan a jar package for classes that could serve as fastjson gadgets.

Fastjson Vulnerability

Fastjson is a Java library that converts Java objects into their JSON representation and parses a JSON string back into an equivalent Java object. It works with arbitrary Java objects, including pre-existing objects for which you do not have the source code.

When fastjson deserializes a JSON string, it invokes the constructor of the target class and the target class's methods whose names start with "set" or "get". Because deserialization lets the caller choose the input, the "set" methods of the target class can be used to freely set the attribute values of the class, which can easily lead to Remote Code Execution (RCE).

Lower versions have two types of defense:

Combining the two defensive methods, in theory, when the autoType setting is turned on, classes in a jar package that are not on the fastjson blacklist can be found and used to construct available gadgets.

Project Logic

From the description above, the logic of the project can be roughly summarised as follows.
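As an added example (not the project's code), the following Python script applies the screening rules described above to a constructed `javap -public` dump of one class: it lists the public non-static "set"/"get" methods that fastjson invokes on deserialization and flags the class for manual review if autoType could instantiate it and its name is not under a deny-list prefix. The class, its members and the deny-list prefixes are placeholders, and the getter return-type check approximates fastjson's rules by declared-type prefix.

```python
import re
# Constructed sample of `javap -public` output for one class; the class and members are invented.
SAMPLE_JAVAP = """\
public class com.example.Example {
  public com.example.Example();
  public void setCommand(java.lang.String);
  public void setFlags(int, int);
  public static void setGlobal(java.lang.String);
  public java.util.Map<java.lang.String, java.lang.Object> getProps();
  public java.lang.String getName();
  public java.util.concurrent.atomic.AtomicBoolean getReady();
  public void set(java.lang.String);
}
"""

CLASS_RE = re.compile(r"^public\s+(?:final\s+)?class\s+(?P<cls>[\w.$]+)")
CTOR_RE = re.compile(r"^\s*public\s+[\w.$]+\(\s*\);")
METHOD_RE = re.compile(r"^\s*public\s+(?P<mods>(?:(?:static|final|synchronized)\s+)*)"
                       r"(?P<ret>\S.*?)\s+(?P<name>\w+)\((?P<params>[^)]*)\);")
# Getter return types fastjson's JavaBeanInfo calls on deserialization (Collection, Map,
# AtomicBoolean/Integer/Long), approximated here by declared-type prefixes.
GETTER_TYPES = ("java.util.Map", "java.util.Collection", "java.util.List", "java.util.concurrent.atomic.Atomic")

def scan_javap(text):
    """Class name, public no-arg ctor, and the public non-static setX/getX methods
    fastjson would invoke (simplified JavaBeanInfo rules) for one javap dump."""
    info = {"class": None, "default_ctor": False, "setters": [], "getters": []}
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            info["class"] = m.group("cls")
        elif CTOR_RE.match(line):
            info["default_ctor"] = True
        elif (m := METHOD_RE.match(line)) and "static" not in m.group("mods"):
            name, ret = m.group("name"), m.group("ret")
            # Strip one level of generics so commas inside <> are not counted as parameters.
            params = [p for p in re.sub(r"<[^>]*>", "", m.group("params")).split(",") if p.strip()]
            if len(name) < 4 or not name[3].isupper():
                continue  # fastjson needs the setX/getX form with an upper-case initial
            if name.startswith("set") and len(params) == 1:
                info["setters"].append(name)
            elif name.startswith("get") and not params and ret.startswith(GETTER_TYPES):
                info["getters"].append(name)
    return info

def is_candidate(info, deny_prefixes):
    """Flag for manual review when autoType could instantiate the class (public no-arg
    ctor, not under a denied package prefix) and it exposes a fastjson-invoked method."""
    if not info["default_ctor"] or (info["class"] or "").startswith(tuple(deny_prefixes)):
        return False
    return bool(info["setters"] or info["getters"])
```

A hit from `is_candidate` is only a lead: whether the flagged setter or getter actually reaches a dangerous sink still has to be checked by hand, as the Finally section notes.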


Usage

usage: python main.py [-h] jar operating_system

positional arguments:
  jar               Enter the jar to be scanned
  operating_system  Enter the operating system Windows or Linux or MacOS

optional arguments:
  -h, --help        show this help message and exit

Finally

Note that this project only mines gadgets that may be exploitable; the scan results still have to be screened by the user, who must exclude the false positives themselves.