CVE-2022-1471 PoC — SnakeYAML code issue vulnerability

Source
Associated Vulnerability
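Title: SnakeYAML code issue vulnerability (CVE-2022-1471)
Description: SnakeYAML is a Java-based YAML parser. SnakeYAML has a code issue vulnerability that stems from not restricting the types that can be instantiated during deserialization. An attacker can exploit this vulnerability to execute code remotely.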
Description
SnakeYAML-CVE-2022-1471-POC
Readme
# snakeyaml_cve_poc
SnakeYAML-CVE-2022-1471-POC


## build

Either build the jar on your host with `mvn clean compile assembly:single`

Or use `docker` to build an image with `docker build -t snakeyaml .`

## run

Run the container with `docker run --rm -p8080:8080 snakeyaml` 

or the jar if you built on your host with `java -jar target/snakeyaml-1.0-SNAPSHOT-jar-with-dependencies.jar`

## use

Send a GET request to serialize an object of the Student class and return the YAML as the response
![](images/image1.png)

Send a POST request with YAML to read the YAML object as a custom Java object (deserialization)
![](images/image2.png)

## exploit

Execute `python3 -m http.server 8000` to run the HTTP server

Send a POST request with YAML containing the exploit
![](images/image3.png)

You should observe an HTTP GET request on the listener
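
A defensive counterpart to the deserialization endpoint above, as an added example that is not code from this repository: two loaders that do not let the document choose which class gets instantiated, checked against a constructed document carrying a global tag. It assumes the SnakeYAML 2.x API, where `SafeConstructor` and `Constructor` take a `LoaderOptions`; `Pupil` and `Probe` are hypothetical classes made up for the illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlDemo {
    // Hypothetical bean standing in for the application's own model class.
    public static class Pupil {
        public String name;
        public int age;
    }

    // Constructed stand-in for "any class on the classpath": it only records construction.
    public static class Probe {
        static boolean built = false;
        public Probe() { built = true; }
    }

    // Generic data only: SafeConstructor builds maps, lists and scalars, never named classes.
    static Map<String, Object> loadGeneric(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    // Typed load: the root type is fixed in code, and the default LoaderOptions of the
    // assumed 2.x API refuse global tags, so the document cannot name a class itself.
    static Pupil loadPupil(String yaml) {
        return new Yaml(new Constructor(Pupil.class, new LoaderOptions())).load(yaml);
    }

    // True when the loader refused the document with a SnakeYAML parsing error.
    static boolean rejected(Runnable load) {
        try { load.run(); return false; } catch (YAMLException e) { return true; }
    }

    public static void main(String[] args) {
        String plain = "name: Ada\nage: 20\n";                   // constructed sample
        String tagged = "!!" + Probe.class.getName() + " {}";     // constructed sample
        System.out.println("generic load: " + loadGeneric(plain));
        System.out.println("typed load:   " + loadPupil(plain).name);
        System.out.println("tag rejected (generic): " + rejected(() -> loadGeneric(tagged)));
        System.out.println("tag rejected (typed):   " + rejected(() -> loadPupil(tagged)));
        System.out.println("Probe constructed: " + Probe.built);
    }
}
```

If a service must accept tagged documents, the same `LoaderOptions` object is where an allowlist of permitted classes belongs, rather than falling back to an unrestricted loader.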
File Snapshot

[4.0K] /data/pocs/83cd2e0a103d56755bb4d74211f50882542011e4
├── [ 311] Dockerfile
├── [4.0K] images
│   ├── [ 50K] image1.png
│   ├── [ 51K] image2.png
│   └── [ 42K] image3.png
├── [3.4K] pom.xml
├── [ 818] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] example
                    └── [4.0K] snakeyaml
                        ├── [1.9K] App.java
                        ├── [ 425] Course.java
                        ├── [ 596] Person.java
                        └── [ 664] Student.java

7 directories, 10 files