Giter Site home page Giter Site logo

a1phaboy / fastjsonscan Goto Github PK

View Code? Open in Web Editor NEW
920.0 15.0 93.0 4.51 MB

Fastjson扫描器,可识别版本、依赖库、autoType状态等。A tool to distinguish fastjson ,version and dependency

License: MIT License

Go 100.00%
deserialization-vulnerability fastjson fastjson-rce scanner-web

fastjsonscan's Introduction

FastjsonScan

FastjsonScan

A tool to fast detect fastjson‘s deserialize vuln

0x00 FastjsonScan now is public 🎉🎉🎉

WHAT?

FastjsonExpFramework一共分为探测、利用、混淆、bypass JDK等多个模块,而FastjsonScan 是其中一部分,通过报错、请求、依赖库等探测实现多方面定位fastjson版本

WHY?

现有的fastjson扫描器无法满足迭代速度如此快的fastjson版本,大部分扫描器早已无人维护,已不适配高版本。我将持续优化此系列项目。

HOW?

目前fastjsonScan支持
☑️支持批量接口探测
☑️1.2.83及以下的区间探测(主要分为48,68,80三大安全版本)
☑️支持报错回显探测
☑️DNS出网检测
☑️支持AutoType状态检测
☑️依赖库检测
☑️延迟检测

TODO

适配内网环境下的探测
适配webpack做自动化扫描
完善DNS回显探测依赖库的探测
完善在61版本以上并且不出网的检测方式
完善其他不同json解析库的探测 完善相关依赖库检测

如果在使用过程中有任何问题欢迎提出issues👏

Demo

img.pngimg_1.png

Usage

FastjsonScan [-u] url [-f] urls.txt [-o] result.txt
-u 目标url,注意需要加上http/https
-f 目标url文件,可以扫描多条url
-o 结果保存文件,默认在当前文件夹下的results.txt文件

0x01 Dev Notes

2022-09-05 0.5

Framework分离出scan模块

2022-09-05 0.4 beta

☑️重构版本探测模块,将判断fastjson,jackson,org.json,gson分离出来做识别模块

TODO:
利用dnslog探测依赖库
利用模块编写

2022-09-04 0.35 beta

☑️修复了48版本的探测payload,该payload在进行80版本的payload探测之后,会触发tojavaobject从而将java.net.InetAddress类加入白名单,当进行第二次版本探测时会产生误报
☑️版本检测会优先判断AutoType是否开启,如果开启只能模糊区分48以下及以上

2022-09-03 0.34 beta

☑️重构了版本探测模块,由之前精确探测分成了3块(48,68,80)
☑️重写了判断版本的逻辑
☑️补充了80版本与83版本的探测

TODO:
目标依赖库环境的探测
AutoType的状态对版本探测有影响,需要做处理

2022-09-02 0.33 beta

☑️修改了含有jackson字段的报错检测逻辑
☑️DNS检测新增10秒的等待时间,防止网络原因导致误报

2022-09-01 0.32 beta

☑️添加多条gadget,部分gadget复现不成功,根据目标的环境添加
☑️修改了延迟探测的bug
☑️添加了URLReader的探测链

2022-08-07 0.31 beta

☑️增加了几条gadgets

2022-08-06 0.3 beta

☑️完成了AutoType探测模块

2022-08-05 0.2 beta

☑️完成了探测模块的主要部分:包括报错探测,DNS探测和延迟探测

0x02参考

https://github.com/safe6Sec/Fastjson
https://github.com/hosch3n/FastjsonVulns
https://github.com/iSafeBlue/fastjson-autotype-bypass-demo

0x03鸣谢

非常感谢 blue 浅蓝师傅在kcon上的精彩分享
非常感谢 hosch3n 李师傅的答疑解惑

fastjsonscan's People

Contributors

a1phaboy avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

do0x-ccc phuong39 ruanzy506 ddostest123 kenuoseclab mxm-tools 0x24bin asura88 gysf666 functfan qianniaoge savior-only klinklinklin bingpo laowang1026 startagain2016 auxiliarya areyougetshell tea0o mk4t1xp linhai2015 yu2lulu yezi-m4c1 nanaao testitok changheluor007 zzhsec crazymarky muyugit yyming-sudo liutufang rabbitsafe sry309 forxiu ofalwl myl3883 sn-yang mu-l xiaowei6688 unchihuoguo hacker-top-community super-rain senu11 darkkid0 cnmars minecraftst3v3 be-gay-security-team z-bool mygit2014 jchenluo sms2056 d4rkduck harry1080 xiju2003 cnwpdb gg-big-org 30579096 faint-memory wuxiaodai github8669 northshad0w 5l1v3r1 adurak2 honeypothoneypot jxpsx v1rtu0l sec-fork istoliving michaelcandoo go-bi h1ck0r beike2020 atlassion afwu mwb0350 yeyeye888 helloworld-888 mssky9527 greatspider135 f19t iq-scm freetest sunpeak leasonj jiyb tree911 yx2124538 zunyuange yeshuibo w4n95 bge-faith sobinge 999999999a

fastjsonscan's Issues

dns平台网络不可达

与dns平台网络不可达,请检查网络
与dns平台网络不可达,请检查网络
客户端与dnslog平台网络不可达

dnslog问题

[http://xxx] :[*] 目标可出网
[http://xxx] :[+] 正在进行 AutoType状态 探测
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x40 pc=0x112f64e]

goroutine 5068 [running]:
FastjsonScan/Detect.ErrDetectDependency({0xc0001d7660, 0x1e}, 0xc05672f260)
/Users/a1phaboy/项目研发/FastjsonScan/Detect/detect.go:249 +0x2ce
FastjsonScan/Detect.DetectDependency({0xc0001d7660, 0x1e})
/Users/a1phaboy/项目研发/FastjsonScan/Detect/detect.go:125 +0x153
FastjsonScan/Detect.DetectVersion({0xc0001d7660, 0x1e})
/Users/a1phaboy/项目研发/FastjsonScan/Detect/detect.go:59 +0x3c6
FastjsonScan/console.Start.func1(0x1282, {0xc0001d7660?, 0x0?}, 0x0?)
/Users/a1phaboy/项目研发/FastjsonScan/console/console.go:45 +0x5c
created by FastjsonScan/console.Start
/Users/a1phaboy/项目研发/FastjsonScan/console/console.go:44 +0x2b7

部分代码判断逻辑问题

dnslog.go 58行

if string(body) == "[]"{
		return ""

从历史更改记录上看,之前这里直接返回[],后来改为返回"",但是其他位置判断逻辑未修改导致部分判断逻辑存在问题,例如detect.go 155行

	if  record == "[]" || record == Utils.NETWORK_NOT_ACCESS{
		fmt.Println("["+url+"] :"+"[-] 目标没有开启 AutoType")
		autoTypeStatus = false
	}else{
		fmt.Println("["+url+"] :"+"[*] 目标开启了 AutoType ")
		autoTypeStatus = true
	}

后续是否支持自定义DNS平台

1、为方便内网扫描;
2、常见dnslog平台地址基本都已被安全设备封堵;
是否考虑可以自定义dnslog平台?谢谢

macos m1

师傅,可以提供编译好的 macos arm 架构的可执行文件吗,或者在 readme 中写一下编译方法

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.