tuo4n8/CVE-2020-2950


Oracle-BI (CVE-2020-2950)

AMF deserialize

Version: 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0

**Install:** https://www.sql.edu.vn/obiee/oracle-business-intelligence-12c/

Ref: https://peterjson.medium.com/cve-2020-2950-turning-amf-deserialize-bug-to-java-deserialize-bug-2984a8542b6f



Exploit - PoC

amf.bin

Header cmd with base64 and child !!


Debug trace bug

URL: /analytics/jbips/messagebroker/cs/

  • Handle request -> processCall()

  • Get inputstream -> deserialize AMF package

  • Get Object AMF -> deserialize

  • If matching type -> AMF readobject (AMF3DATA.class)

  • AMF3DATA.class -> AMF3ObjectInput
  • In AMF3ObjectInput -> readComplexObject

  • In readComplexObject:
    • If the deserialized class is Externalizable -> readExternal chain
    • else setField

  • AMF deserialize chain -> readExternal Chain
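
For defenders, an added detection example (not part of this repository): a filter that surfaces POST requests to the message broker URL from the trace above in web access logs. The Common/Combined Log Format input, the POST-only filter, the function names and the sample lines are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from posixpath import normpath
from urllib.parse import unquote

AMF_ENDPOINT = "/analytics/jbips/messagebroker/cs"  # URL from the trace above

# Assumed input: Common/Combined Log Format access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/May/2021:10:43:17 +0000] "GET /analytics/saw.dll?bieehome HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/May/2021:10:44:23 +0000] "POST /analytics/jbips/messagebroker/cs/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [21/May/2021:10:45:38 +0000] "POST /analytics//jbips/messagebroker/CS/?a=1 HTTP/1.1" 500 98',
    '192.0.2.10 - - [21/May/2021:10:47:30 +0000] "GET /analytics/jbips/messagebroker/cs/ HTTP/1.1" 405 0',
]

def normalize_path(target):
    """Canonicalize a request target so equivalent spellings compare equal."""
    path = unquote(target.split("?", 1)[0])
    # Drop ";param" path parameters from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse "//", "." and ".."; lower-casing deliberately over-matches.
    return normpath("/" + path.lstrip("/")).lower()

def find_amf_requests(lines):
    """Return POST requests whose normalized path is the AMF endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":  # assumption: AMF bodies arrive via POST
            continue
        if normalize_path(m["target"]) == AMF_ENDPOINT:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

def hits_by_source(hits):
    """Count matching requests per client address for triage."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_amf_requests(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["target"])
    print(dict(hits_by_source(found)))
```

Matches are candidates for triage, to be checked against the host's patch level for the versions listed above.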
