admin/GobyVuls
1
0
Fork 0
mirror of https://github.com/gobysec/GobyVuls.git synced 2025-06-20 09:50:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

add CNVD-2017-02833

Browse Source
This commit is contained in:
tardc 2020-11-06 22:51:39 +08:00
parent 5118de008f
commit b146db1e67
2 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Fastjson/CNVD-2017-02833/README.md Normal file
View File

@ -0,0 +1,9 @@
# CNVD-2017-02833 Fastjson 1.2.24 RCE
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
**Affected version**: Fastjson < 1.2.25
# Demo
![](fastjson1.2.24.gif)

BIN
Fastjson/CNVD-2017-02833/fastjson1.2.24.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 683 KiB