op

“threedr3am” · “threedr3am” · commit 0f9ea5198954 · 2020-03-03T14:14:14.000+08:00
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/AnterosPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/AnterosPoc.java
@@ -5,7 +5,7 @@
 import com.threedr3am.bug.common.server.LdapServer;
 
 /**
- * fastjson <= 1.2.62 RCE，需要开启AutoType
+ * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to 阿里云先知众测 - 内部已知)
  *
  * Anteros-DBCP依赖的gadget
  *
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/IbatisSqlmapPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/IbatisSqlmapPoc.java
@@ -5,7 +5,7 @@
 import com.threedr3am.bug.common.server.LdapServer;
 
 /**
- * fastjson <= 1.2.62 RCE，需要开启AutoType
+ * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to 阿里云先知众测 - 内部已知)
  *
  * <dependency>
  *       <groupId>org.apache.ibatis</groupId>
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/JndiConverterPoc.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/JndiConverterPoc.java
@@ -5,7 +5,7 @@
 import com.threedr3am.bug.common.server.LdapServer;
 
 /**
- * fastjson <= 1.2.62 RCE，需要开启AutoType
+ * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to ASRC)
  *
  * Jackson-databind的CVE-2020-8840 gadget与Fastjson通用
  *
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/AnterosPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/AnterosPoc.java
@@ -6,7 +6,9 @@
 
 /**
  *
- * jackson-databind <= 2.10.2 and <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
+ * jackson-databind <= 2.10.2 and <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am & V1ZkRA)
+ *
+ * CVE-2020-9547, CVE-2020-9548
  *
  *     <dependency>
  *       <groupId>com.codahale.metrics</groupId>
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/HadoopHikariConfigPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/HadoopHikariConfigPoc.java
@@ -6,7 +6,9 @@
 
 /**
  *
- * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
+ * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am & LFY)
+ *
+ * CVE-2020-9546
  *
  * <dependency>
  *       <groupId>org.apache.hadoop</groupId>
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/IbatisSqlmapPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/IbatisSqlmapPoc.java
@@ -6,7 +6,9 @@
 
 /**
  *
- * jackson-databind <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
+ * jackson-databind <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am & V1ZkRA)
+ *
+ * CVE-2020-9547, CVE-2020-9548
  *
  * <dependency>
  *       <groupId>org.apache.ibatis</groupId>
diff --git a/jackson/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java b/jackson/src/main/java/com/threedr3am/bug/jackson/JndiConverterPoc.java
@@ -6,7 +6,7 @@
 
 /**
  *
- * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)
+ * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am)
  *
  * CVE-2020-8840
  *

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`import com.threedr3am.bug.common.server.LdapServer;`
`6`	`6`
`7`	`7`	`/**`
`8`		`- * fastjson <= 1.2.62 RCE，需要开启AutoType`
	`8`	`+ * fastjson <= 1.2.62 RCE，需要开启AutoType (report by threedr3am to 阿里云先知众测 - 内部已知)`
`9`	`9`	`*`
`10`	`10`	`* Anteros-DBCP依赖的gadget`
`11`	`11`	`*`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,9 @@`
`6`	`6`
`7`	`7`	`/**`
`8`	`8`	`*`
`9`		`- * jackson-databind <= 2.10.2 and <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am to the authorities)`
	`9`	`+ * jackson-databind <= 2.10.2 and <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am & V1ZkRA)`
	`10`	`+ *`
	`11`	`+ * CVE-2020-9547, CVE-2020-9548`
`10`	`12`	`*`
`11`	`13`	`* <dependency>`
`12`	`14`	`* <groupId>com.codahale.metrics</groupId>`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,9 @@`
`6`	`6`
`7`	`7`	`/**`
`8`	`8`	`*`
`9`		`- * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)`
	`9`	`+ * jackson-databind <= 2.9.10.3 and <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am & LFY)`
	`10`	`+ *`
	`11`	`+ * CVE-2020-9546`
`10`	`12`	`*`
`11`	`13`	`* <dependency>`
`12`	`14`	`* <groupId>org.apache.hadoop</groupId>`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,9 @@`
`6`	`6`
`7`	`7`	`/**`
`8`	`8`	`*`
`9`		`- * jackson-databind <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am to the authorities)`
	`9`	`+ * jackson-databind <= 2.9.10.3 RCE，需要开启DefaultType (reported by threedr3am & V1ZkRA)`
	`10`	`+ *`
	`11`	`+ * CVE-2020-9547, CVE-2020-9548`
`10`	`12`	`*`
`11`	`13`	`* <dependency>`
`12`	`14`	`* <groupId>org.apache.ibatis</groupId>`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`/**`
`8`	`8`	`*`
`9`		`- * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am to the authorities)`
	`9`	`+ * jackson-databind <= 2.10.2 RCE，需要开启DefaultType (reported by threedr3am)`
`10`	`10`	`*`
`11`	`11`	`* CVE-2020-8840`
`12`	`12`	`*`