Preface
When gathering information about a target site, the more you can learn about it the better, since that greatly improves the efficiency of the engagement. Today we take a brief look at how to tell the Fastjson and Jackson components apart.
The ideal case
In the ideal case, if the target site has not disabled error display, you only need to look for the library name in the error message:
Jackson:
![Image 1 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd091838.png)
Fastjson:
![Image 2 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd211315.png)
Such error messages are rarely exposed, however, so we need a few tricks to make the determination.
Black-box differentiation tricks
1. Jackson's JsonParser.Feature (replaced by JsonReadFeature from 2.10 onwards)
The JsonReadFeature configuration mirrors it one-to-one:
```java
public enum JsonReadFeature implements FormatFeature {
    ALLOW_JAVA_COMMENTS(false, JsonParser.Feature.ALLOW_COMMENTS),
    ALLOW_YAML_COMMENTS(false, JsonParser.Feature.ALLOW_YAML_COMMENTS),
    ALLOW_SINGLE_QUOTES(false, JsonParser.Feature.ALLOW_SINGLE_QUOTES),
    ALLOW_UNQUOTED_FIELD_NAMES(false, JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES),
    ALLOW_UNESCAPED_CONTROL_CHARS(false, JsonParser.Feature.ALLOW_UNQUOTED_CONTROL_CHARS),
    ALLOW_BACKSLASH_ESCAPING_ANY_CHARACTER(false, JsonParser.Feature.ALLOW_BACKSLASH_ESCAPING_ANY_CHARACTER),
    ALLOW_LEADING_ZEROS_FOR_NUMBERS(false, JsonParser.Feature.ALLOW_NUMERIC_LEADING_ZEROS),
    ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS(false, JsonParser.Feature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS),
    ALLOW_NON_NUMERIC_NUMBERS(false, JsonParser.Feature.ALLOW_NON_NUMERIC_NUMBERS),
    ALLOW_MISSING_VALUES(false, JsonParser.Feature.ALLOW_MISSING_VALUES),
    ALLOW_TRAILING_COMMA(false, JsonParser.Feature.ALLOW_TRAILING_COMMA);
    // ... (remaining members omitted in the excerpt)
}
```
The examples below use JsonParser.Feature:
- Parsing a value that is a number starting with "0"
By default Jackson's ObjectMapper cannot parse numbers with a leading "0", but fastjson can:
```java
/**
 * Feature that determines whether parser will allow JSON integral numbers to start with
 * additional (ignorable) zeroes (like: 000001). If enabled, no exception is thrown, and extra
 * nulls are silently ignored (and not included in textual representation exposed via getText).
 * Since JSON specification does not allow leading zeroes, this is a non-standard feature,
 * and as such disabled by default.
 */
ALLOW_NUMERIC_LEADING_ZEROS(false),
```
![Image 3 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092049.png)
![Image 4 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092112.png)
- Parsing a value of NaN
By default Jackson's ObjectMapper parser does not recognise "Not-a-Number" (NaN) and will not treat it as a floating-point or int value:
```java
/**
 * Feature that allows parser to recognize set of "Not-a-Number" (NaN) tokens as legal
 * floating number values (similar to how many other data formats and programming language
 * source code allows it). Specific subset contains values that XML Schema
 * (see section 3.2.4.1, Lexical Representation) allows (tokens are quoted contents,
 * not including quotes):
 *   "INF" (for positive infinity), as well as alias of "Infinity"
 *   "-INF" (for negative infinity), alias "-Infinity"
 *   "NaN" (for other not-a-numbers, like result of division by zero)
 * Since JSON specification does not allow use of such values, this is a non-standard
 * feature, and as such disabled by default.
 */
ALLOW_NON_NUMERIC_NUMBERS(false),
```
![Image 5 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092322.png)
![Image 6 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092345.png)
![Image 7 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092414.png)
- Comment markers
When the JSON string contains comments, Jackson's ObjectMapper cannot parse it by default (Fastjson's AllowComment is enabled by default, so it does parse comments):
```java
/**
 * Feature that determines whether parser will allow use
 * of Java/C++ style comments (both '/'+'*' and
 * '//' varieties) within parsed content or not.
 *<p>
 * Since JSON specification does not mention comments as legal
 * construct,
 * this is a non-standard feature; however, in the wild
 * this is extensively used. As such, feature is
 * <b>disabled by default</b> for parsers and must be
 * explicitly enabled.
 */
ALLOW_COMMENTS(false),
```
![Image 8 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092757.png)
![Image 9 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092819.png)
- JSON field names wrapped in single quotes
Fastjson's Feature.AllowSingleQuote is enabled by default, so single-quoted field names are accepted; Jackson is governed by JsonParser.Feature.ALLOW_SINGLE_QUOTES and rejects them by default:
```java
/**
 * Feature that determines whether parser will allow use of single quotes (apostrophe,
 * character '\'') for quoting Strings (names and String values). If so, this is in
 * addition to other acceptable markers.
 * Since JSON specification requires use of double quotes for field names, this is a
 * non-standard feature, and as such disabled by default.
 */
ALLOW_SINGLE_QUOTES(false),
```
![Image 10 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092923.png)
![Image 11 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd092943.png)
- JSON property names not wrapped in double quotes
fastjson's AllowUnQuotedFieldNames is enabled by default and accepts unquoted field names; Jackson's ALLOW_UNQUOTED_FIELD_NAMES is disabled by default, so parsing fails:
```java
/**
 * Feature that determines whether parser will allow use
 * of unquoted field names (which is allowed by Javascript,
 * but not by JSON specification).
 *<p>
 * Since JSON specification requires use of double quotes for
 * field names,
 * this is a non-standard feature, and as such disabled by default.
 */
ALLOW_UNQUOTED_FIELD_NAMES(false),
```
- Parsing "missing" values in a JSON array
If a value is missing between two commas in an array, as in [value1, , value3], fastjson parses it, whereas Jackson, governed by ALLOW_MISSING_VALUES, throws an exception:
```java
/**
 * Feature allows the support for "missing" values in a JSON array: missing value meaning
 * sequence of two commas, without value in-between but only optional white space.
 * Enabling this feature will expose "missing" values as JsonToken.VALUE_NULL tokens,
 * which typically become Java nulls in arrays and java.util.Collection in data-binding.
 * For example, enabling this feature will represent a JSON array ["value1",,"value3",]
 * as ["value1", null, "value3", null]
 * Since the JSON specification does not allow missing values this is a non-compliant
 * JSON feature and is disabled by default.
 */
ALLOW_MISSING_VALUES(false),
```
![Image 12 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093032.png)
![Image 13 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093053.png)
2. Jackson's MapperFeature
- Case sensitivity
Suppose the bean is structured as follows:
```java
public class User {
    private int id;
    private String userName;
    private String sex;
    private String[] nickNames;
    // corresponding getters and setters
}
```
In the code the property id is lowercase, and fastjson and Jackson treat it differently when parsing.
![Image 14 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093648.png)
In Jackson, MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES is FALSE by default, so deserialization is case-sensitive; in the example below, Id is never assigned because of the case mismatch:
![Image 15 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093713.png)
3. Fastjson's Feature
- Ignoring multiple consecutive commas in the JSON
Fastjson's Feature.AllowArbitraryCommas is enabled by default, so multiple consecutive commas in a JSON string are accepted.
![Image 16 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093757.png)
![Image 17 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093817.png)
4. Using fastjson's smart matching to tell them apart
Besides the differences in default Features, Fastjson has a smart-matching feature: even when the JavaBean field names and the JSON keys do not match exactly, parsing still succeeds to a certain extent. This behaviour can also be used for a simple distinction.
- Field names containing - and _
This is mainly implemented in the JavaBeanDeserializer.smartMatch method, and the behaviour can be used to distinguish the two libraries to a certain extent.
In version 1.2.36 and later the relevant code is partly as follows; the actual key normalisation happens in TypeUtils.fnv1a_64_lower:
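As an added example (not code from the article), the following Java harness feeds the probe documents from sections 1 and 3 to a default Jackson ObjectMapper, to a JsonMapper that has explicitly enabled two JsonReadFeatures, and to fastjson's JSON.parseObject, and reports which non-standard constructs each one accepts. It assumes jackson-databind 2.10 or later and fastjson 1.2.x on the classpath; the probe strings are constructed here.

```java
import com.alibaba.fastjson.JSON;
import com.fasterxml.jackson.core.json.JsonReadFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added harness (not from the article): one probe document per default-feature difference. */
public class JsonLeniencyProbe {
    // Constructed probe documents, keyed by the feature they exercise.
    static final Map<String, String> PROBES = new LinkedHashMap<>();
    static {
        PROBES.put("leading zero",        "{\"id\": 007}");
        PROBES.put("NaN literal",         "{\"id\": NaN}");
        PROBES.put("comment",             "{\"id\": 1 /* note */}");
        PROBES.put("single quotes",       "{'id': 1}");
        PROBES.put("unquoted field name", "{id: 1}");
        PROBES.put("missing array value", "{\"nickNames\": [\"a\", , \"c\"]}");
        PROBES.put("consecutive commas",  "{\"id\": 1,,, \"sex\": \"m\"}");
    }

    /** true when the given Jackson mapper accepts the document without throwing. */
    static boolean acceptedByJackson(ObjectMapper mapper, String json) {
        try { mapper.readTree(json); return true; } catch (Exception e) { return false; }
    }

    /** true when fastjson with its default parser features accepts the document without throwing. */
    static boolean acceptedByFastjson(String json) {
        try { JSON.parseObject(json); return true; } catch (Exception e) { return false; }
    }

    public static void main(String[] args) {
        ObjectMapper strict = new ObjectMapper();    // library defaults: every non-standard feature off
        ObjectMapper lenient = JsonMapper.builder()  // an application that opted in to two of them
                .enable(JsonReadFeature.ALLOW_JAVA_COMMENTS, JsonReadFeature.ALLOW_SINGLE_QUOTES)
                .build();
        System.out.printf("%-20s %-16s %-16s %-8s%n", "probe", "jackson-default", "jackson-lenient", "fastjson");
        for (Map.Entry<String, String> p : PROBES.entrySet()) {
            System.out.printf("%-20s %-16b %-16b %-8b%n", p.getKey(),
                    acceptedByJackson(strict, p.getValue()),
                    acceptedByJackson(lenient, p.getValue()),
                    acceptedByFastjson(p.getValue()));
        }
    }
}
```

Because an application can switch these features on, the table describes the parser configuration actually deployed rather than the library name alone. Reviewing which JsonReadFeatures your own mapper enables is therefore also the cheapest way to shrink this fingerprinting surface.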
```java
public FieldDeserializer smartMatch(String key, int[] setFlags) {
    if (key == null) {
        return null;
    }
    FieldDeserializer fieldDeserializer = getFieldDeserializer(key, setFlags);
    if (fieldDeserializer == null) {
        long smartKeyHash = TypeUtils.fnv1a_64_lower(key);
        if (this.smartMatchHashArray == null) {
            long[] hashArray = new long[this.sortedFieldDeserializers.length];
            for (int i = 0; i < this.sortedFieldDeserializers.length; i++) {
                hashArray[i] = TypeUtils.fnv1a_64_lower(this.sortedFieldDeserializers[i].fieldInfo.name);
            }
            Arrays.sort(hashArray);
            this.smartMatchHashArray = hashArray;
        }
        // ... (remainder of the method omitted in the excerpt)
```
Looking at the implementation of TypeUtils.fnv1a_64_lower, it ignores letter case as well as the characters - and _:
```java
public static long fnv1a_64_lower(String key) {
    long hashCode = -3750763034362895579L;
    for (int i = 0; i < key.length(); i++) {
        char ch = key.charAt(i);
        if ((ch != '_') && (ch != '-')) {
            if ((ch >= 'A') && (ch <= 'Z')) {
                ch = (char) (ch + ' ');
            }
            hashCode ^= ch;
            hashCode *= 1099511628211L;
        }
    }
    return hashCode;
}
```
![Image 18 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093917.png)
userName after - and _ are processed:
![Image 19 - How to distinguish Fastjson/Jackson in a penetration test - 渗透云记](https://b.encenc.com/wp-content/uploads/2023/04/d2b5ca33bd093935.png)
- Keys beginning with is
When smart matching, if the key starts with is, Fastjson drops that prefix and retries; the relevant code is:
```java
int pos = Arrays.binarySearch(this.smartMatchHashArray, smartKeyHash);
if ((pos < 0) && (key.startsWith("is"))) {
    smartKeyHash = TypeUtils.fnv1a_64_lower(key.substring(2));
    pos = Arrays.binarySearch(this.smartMatchHashArray, smartKeyHash);
}
```
Jackson has no equivalent behaviour.
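To make the two excerpts above concrete, here is an added stand-alone Java reconstruction (not fastjson's own code) of the smart-match lookup: it builds the sorted hash array over the User bean's field names, applies the is-prefix fallback, and reports which bean field a given JSON key would bind to. The field list and probe keys are constructed for this example.

```java
import java.util.Arrays;

/** Added reconstruction of fastjson's smart key matching for the User bean above (not fastjson code). */
public class SmartMatchDemo {
    // Bean field names from the User example.
    static final String[] FIELDS = {"id", "userName", "sex", "nickNames"};
    static final long[] HASHES;
    static {
        HASHES = new long[FIELDS.length];
        for (int i = 0; i < FIELDS.length; i++) HASHES[i] = fnv1a64Lower(FIELDS[i]);
        Arrays.sort(HASHES); // smartMatch binary-searches a sorted hash array
    }

    /** Same transformation as TypeUtils.fnv1a_64_lower: drop '_' and '-', lower-case A-Z, FNV-1a 64-bit. */
    static long fnv1a64Lower(String key) {
        long h = -3750763034362895579L;        // FNV-1a 64-bit offset basis
        for (int i = 0; i < key.length(); i++) {
            char ch = key.charAt(i);
            if (ch == '_' || ch == '-') continue;
            if (ch >= 'A' && ch <= 'Z') ch = (char) (ch + ' ');
            h ^= ch;
            h *= 1099511628211L;               // FNV-1a 64-bit prime
        }
        return h;
    }

    /** Returns the bean field a JSON key binds to, or null when neither exact nor smart match exists. */
    static String resolve(String key) {
        for (String f : FIELDS) if (f.equals(key)) return f;   // exact match first
        long hash = fnv1a64Lower(key);
        int pos = Arrays.binarySearch(HASHES, hash);
        if (pos < 0 && key.startsWith("is")) {                 // "isXxx" falls back to "xxx"
            hash = fnv1a64Lower(key.substring(2));
            pos = Arrays.binarySearch(HASHES, hash);
        }
        if (pos < 0) return null;
        for (String f : FIELDS) if (fnv1a64Lower(f) == hash) return f;
        return null;
    }

    public static void main(String[] args) {
        String[] probes = {"userName", "user_name", "USER-NAME", "isUserName", "is_user_name", "ID", "username2"};
        for (String p : probes) System.out.printf("%-14s -> %s%n", p, resolve(p));
    }
}
```

Keys such as user_name, USER-NAME and isUserName all resolve to userName, so an allow-list or filter that compares JSON keys literally before fastjson binds them is checking a different name than the one the deserializer ends up using; Jackson, being case-sensitive by default (section 2), would leave all of them unbound.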