🟑time

JSON | JSON DESERIALIZATION | com.fasterxml.jackson | PUBLIC EXPLOIT | SSRF TO RCE |

Recon & Enum

Port scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Directory scan

WEB (80)

There is a JSON beautifier and validator on the website. After testing it, I found the beautifier is of no use to us, so the only thing left is the validator. If we input JSON data it validates it and responds accordingly, but if we input plain (non-JSON) data it gives us an error :-

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

After googling and reading walkthroughs, I found that this is CVE-2019-12384. The error itself shows why it applies: the app deserializes our input into java.lang.Object with Jackson default typing enabled (the As.WRAPPER_ARRAY form it asks for is ["fully.qualified.ClassName", {...}]), so the client gets to pick which class Jackson instantiates, and CVE-2019-12384 is a gadget chain for exactly that setup, using a logback-core class and an H2 JDBC URL. It only works if those libraries are on the target's classpath; on the Jackson side the fix is not to enable default typing on untrusted input (since 2.10, activateDefaultTyping requires a PolymorphicTypeValidator allow-list).

Shell as pericles

There is a public exploit available on GitHub through which we can go from SSRF to RCE: the JSON makes Jackson instantiate a logback connection-source class whose JDBC URL points at an in-memory H2 database, and H2's INIT=RUNSCRIPT FROM option makes the target fetch a SQL script from our HTTP server (the SSRF) and execute it; the script defines a Java alias that runs a shell command (the RCE). Steps to reproduce :-

1. Clone the git repository on your machine.
2. Open and edit the SQL file and enter the command you want executed on the target machine/server; in my case it is a reverse shell.
3. Start an HTTP server on your local machine in the directory holding the SQL file.
4. Edit the payload accordingly: IP address, port number, SQL file name.
5. Remove all the "\" (the backslashes escaping the quotes) by replacing them with " " (blank space) using an echo command, so the JSON is valid :-

final payload :-

Turn on the netcat listener on your machine, and BOOM.......... we got the shell.

privesc pericles => root
