Skip to main content

7. How to determine Fastjson vulnerability echo – is DNS used for echo or other protocols? Why? Exploitation without echo.

  1. If the site echoes original errors, one can use an unclosed curly brace to trigger an error that often contains the word “fastjson”.
  2. Append a random key and modify the JSON to: {"name":"S", "age":21,"agsbdkjada__ss_d":123}. Fastjson will not throw an error, whereas Jackson (which strictly aligns keys with JavaBean properties, allowing only fewer keys but not extra) will throw an error, and the server response may contain an exception echo.
  3. BECL attack: compile a PoC using Tomcat’s BasicDataSource chain, convert the PoC’s class bytecode to BCEL, and then send the payload. Command execution / memory shell – SpringEcho, Tomcat echo, abitis echo.