CVE-2017-7525

Client and walkthrough for the Jackson JSON Deserialization CTF.

The Royals Quiz (king-of-pop) CTF A CTF to demonstrate Jackson's JSON deserialization vulnerability (CVE-2017-7525) Setup Run the server server readme git clone githubcom/CatalanCabbage/king-of-pop-servergit cd king-of-pop-server/package #Extract the packagezip file present in this folder java -jar target/king-of-pop-10-SNAPSHOTjar

Insecure Java Deserialization Lab

CVE-2017-7525 Java Insecure Deserialization Lab Basic Java REST application vulnerable to Insecure Deserialization, leading to RCE The project must be run on Java < 8u45 Based on Maven with the following dependencies: jackson-databind 222 commons-collections 31 spring-context-support 4311 More dependencies can be added through Maven if you want to try some more g

jackson-databind-exploit

jackson-databind-exploit Example exploit of CVE-2017-7525 This application runs a local Dropwizard web server on port 8888 under the /application context There is one route /application/echo which echos back the JSON that you send it exploitjson: The JSON payload to send the server This tells the server to download an XML file from localhost:8000/spelxml spelxml: The XM

Jackson 反序列化 漏洞描述 CVE-2017-7525 CVE-2017-7525详情 githubcom/iBearcat/S2-055 官方在漏洞产生后，通过黑名单的方式禁止黑名单中的第三方库反序列化问题而产生的代码执行漏洞,黑名单是一种不可靠的修复方式，攻击者常常可以通过一些手段绕过黑名单，造成新漏洞产生，可以说是S2-055

ZeroNights-WebVillage-2017 Tasks are based on the presentation from ZeroNights 2017 Several simple webapps with deserialization vulnerabilities in Docker containers Python Pickle docker run -p 8080:80 greendog/wv_python wwwcsuicedu/~s/musings/pickle/ blognelhagecom/2011/03/exploiting-pickle/ Nodejs node-serialize docker run -p 8080:8080 greendog/

Jackson Deserialization CVE-2017-7525 PoC

jackson-deserialization-2017-7525 Jackson Deserialization CVE-2017-7525 PoC

Package $ sbt stage $ file /target/helloshiftleft-play-jpa-scala-001-SNAPSHOTjar Run $ sbt run Http routes See routes at config/routes Use localhost as host name in the URLs To interact with the endpoints use curl (or any other tool) GET /account GET /createCustomer POST /account curl localhos

Vulnerable Play application The point for this repo is to show how easy is to do XXE attack on old version of the framework Steps Step 1 Run the app sbt run Step 2 Create a service to serve malicious content ruby -rwebrick -e'WEBrick::HTTPServernew(:Port => 8000, :DocumentRoot => Dirpwd)start' Step 3 Create malicious input as file testdtd <!

An example project that exploits the default typing issue in Jackson-databind via Spring application contexts and expressions

jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind (githubcom/FasterXML/jackson-databind) via Spring application contexts and expressions Context The Jackson-databind project has a feature called default-typing (not enabled by default) When the target class has some polymorph fields inside (such as interfaces, abstract c

vulnerable play app

Package $ sbt stage $ file /target/helloshiftleftplay-000-SNAPSHOTjar Run $ sbt run Http routes See routes at config/routes Use localhost as host name in the URLs To interact with the endpoints use curl (or any other tool) GET /account GET /createCustomer POST /account curl localhost:8082

Writeups Web Facebook mediumcom/bugbountywriteup/disclose-private-attachments-in-facebook-messenger-infrastructure-15-000-ae13602aa486 wwwvulnanocom/2019/03/facebook-messenger-server-random-memoryhtml vinothkumarme/20000-facebook-dom-xss/ Google wwwezequieltech/p/36k-google-app-engine-rcehtml wwwezequieltech/p/10k-host-header

Insecure Java Deserialization in the Jackson Library & How It Can Escalate to RCE Insecure deserialization is a security vulnerability that occurs when a software application deserializes data from an untrusted or malicious source without proper validation and protection This vulnerability can be exploited by attackers to execute arbitrary code, gain unauthorized acces

spel.xml

jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind (githubcom/FasterXML/jackson-databind) via Spring application contexts and expressions Context The Jackson-databind project has a feature called default-typing (not enabled by default) When the target class has some polymorph fields inside (such as interfaces, abstract c

Project code and dependent component analysis tools.

clocwalk Project code and dependent component analysis tools Dependent installation npm install -g cloc # wwwnpmjscom/package/cloc sudo apt install cloc # Debian, Ubuntu sudo yum install cloc # Red Hat, Fedora sudo dnf install cloc # Fedora 22 or later sudo pacman -S cloc

Check CVSS v3.1 and EPSS scores for a given CVE ID and whether its in CISA KEV catalog

CVE Risk Scores Check CVSS v31 and EPSS scores for a given CVE ID by querying the NIST NVD API and FIRST EPSS database Also check if the CVE is listed in the CISA Known Exploited Vulnerability (KEV) catalog About CVSS CVSS stands for Common Vulnerability Scoring System It is a standardized system for rating the severity of security vulnerabilities in software The CVSS scor

Package $ sbt stage $ file /target/helloshiftleft-play-jpa-scala-001-SNAPSHOTjar Run $ sbt run Http routes See routes at config/routes Use localhost as host name in the URLs To interact with the endpoints use curl (or any other tool) GET /account GET /createCustomer POST /account curl localhos