Getting the exact fastjson version

reference:

The precondition is that the business code does not handle exceptions properly: either the exception is not caught at all, or it is caught but the exception information is returned to the client as a string.

    {
        "@type": "java.lang.AutoCloseable"

The exception is caught, but the exception information is returned to the client as a string

Corresponding code:

    @RequestMapping(value = "/deserialize", method = { RequestMethod.POST })
    @ResponseBody
    public static String Deserialize(@RequestBody String params) {
        try {
            JSONObject ob = JSON.parseObject(params);
            return ob.toString();
        } catch (Exception e) {
            e.printStackTrace();
            return e.toString();    // the exception information is returned as part of the HTTP response
        }
    }

The exception is not caught, so it is thrown back to the client

Corresponding code:

    @RequestMapping(value = "/deserializeE2", method = { RequestMethod.POST })
    @ResponseBody
    public static String DeserializeE2(@RequestBody String params) {
        // the exception is not caught here
        JSONObject ob = JSON.parseObject(params);
        return ob.toString();
    }

The exception thrown by fastjson is caught, and no exception information is returned

Corresponding code:

    @RequestMapping(value = "/deserializeE1", method = { RequestMethod.POST })
    @ResponseBody
    public static String DeserializeE1(@RequestBody String params) {
        try {
            JSONObject ob = JSON.parseObject(params);
            return ob.toString();
        } catch (Exception e) {
            e.printStackTrace();
            // the exception information is not returned
        }

        return "";
    }
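
The last variant hides the exception text for a single handler only. As an added example (not code from the original post), a Spring `@RestControllerAdvice` applies the same rule to every endpoint, including ones that do not catch the exception themselves. The class name `JsonErrorAdvice`, the response body shape and the `errorId` field are assumptions made for illustration.

```java
import com.alibaba.fastjson.JSONException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

import java.util.UUID;

// Added example (hypothetical class name): applies to all controllers, so a
// handler like DeserializeE2 no longer sends parser details to the client.
@RestControllerAdvice
public class JsonErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(JsonErrorAdvice.class);

    // fastjson parse failures: client error with a fixed, generic body.
    @ExceptionHandler(JSONException.class)
    public ResponseEntity<String> onJsonError(JSONException e) {
        return respond(HttpStatus.BAD_REQUEST, "invalid JSON", e);
    }

    // Everything else: server error, still without any exception text.
    // Note: this also takes over exceptions Spring would otherwise map itself.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> onOtherError(Exception e) {
        return respond(HttpStatus.INTERNAL_SERVER_ERROR, "internal error", e);
    }

    private ResponseEntity<String> respond(HttpStatus status, String publicMsg, Exception e) {
        // The id ties the client-visible response to the full server-side log entry.
        String errorId = UUID.randomUUID().toString();
        // Message and stack trace go to the log only (trailing Throwable is logged by SLF4J).
        log.warn("request failed, errorId={}", errorId, e);
        // publicMsg is a fixed literal and errorId a UUID, so no escaping is needed here.
        String body = "{\"error\":\"" + publicMsg + "\",\"errorId\":\"" + errorId + "\"}";
        return ResponseEntity.status(status)
                .contentType(MediaType.APPLICATION_JSON)
                .body(body);
    }
}
```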

Origin blog.csdn.net/caiqiiqi/article/details/107907489