Oracle July Update CVE-2020-14645: Reproduction & Exploitation
阿新 • Published: 2020-07-15
Introduction
This vulnerability is a bypass built on the CVE-2020-2555 gadget.
Analysis
The code of com.tangosol.util.extractor.UniversalExtractor is as follows:
    // Excerpt: the constructors and extract() only.
    public UniversalExtractor() {
        this.m_sNameCanon = null;
    }

    public UniversalExtractor(String sName) {
        this(sName, (Object[])null, 0);
    }

    public UniversalExtractor(String sName, Object[] aoParam) {
        this(sName, aoParam, 0);
    }

    @JsonbCreator
    public UniversalExtractor(@JsonbProperty("name") String sName, @JsonbProperty("params") Object[] aoParam, @JsonbProperty("target") int nTarget) {
        this.m_sNameCanon = null;
        azzert(sName != null);
        // Parameters are only accepted when the name carries the "()" method suffix.
        if (aoParam != null && aoParam.length > 0 && !sName.endsWith("()")) {
            throw new IllegalArgumentException("UniversalExtractor constructor: parameter sName[value:" + sName + "] must end with method suffix \"" + "()" + "\" when optional parameters provided");
        } else {
            this.m_sName = sName;
            this.m_aoParam = aoParam;
            this.m_nTarget = nTarget;
            this.init();
        }
    }

    public E extract(T oTarget) {
        if (oTarget == null) {
            return null;
        } else {
            TargetReflectionDescriptor targetPrev = this.m_cacheTarget;

            try {
                if (targetPrev != null && oTarget.getClass() == targetPrev.getTargetClass()) {
                    // Cached descriptor: Map lookup, or reflective invocation of the cached Method on the target.
                    return targetPrev.isMap() ? ((Map)oTarget).get(this.getCanonicalName()) : targetPrev.getMethod().invoke(oTarget, this.m_aoParam);
                } else {
                    return this.extractComplex(oTarget);
                }
            } catch (NullPointerException var4) {
                throw new RuntimeException(this.suggestExtractFailureCause(oTarget.getClass()));
            } catch (Exception var5) {
                throw ensureRuntimeException(var5, oTarget.getClass().getName() + this + '(' + oTarget + ')');
            }
        }
    }
As the code shows, it is similar to CVE-2020-2555.
Exploitation
Only the last link of the CVE-2020-2555 gadget needs to be changed to this class.
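Because the chain works again once its last link is replaced by another class, a deserialization filter that denies individual class names does not hold. The following added example (not code from the original post or from Coherence) contrasts a deny-list with an allowlist built on java.io.ObjectInputFilter (Java 9+): the deny-list accepts a class swapped in for the one it names, while the allowlist rejects both. Known, Swapped and Order are constructed, harmless stand-in classes, and the contents of the allowed set are an assumption.

```java
import java.io.*;
import java.util.Set;

public class FilterDemo {
    // Constructed stand-ins: "Known" plays the class an existing deny-list names,
    // "Swapped" plays a different class put in its place (UniversalExtractor's role on this page).
    static class Known implements Serializable {}
    static class Swapped implements Serializable {}
    static class Order implements Serializable { int qty = 3; }   // the expected business type

    // Rejects only the named classes; everything else falls through.
    static ObjectInputFilter denyList(Set<String> denied) {
        return info -> info.serialClass() != null && denied.contains(info.serialClass().getName())
                ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED;
    }

    // Accepts only the named classes (and primitives); any other class is rejected.
    static ObjectInputFilter allowList(Set<String> allowed) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;  // callbacks without a class
            while (c.isArray()) c = c.getComponentType();
            return c.isPrimitive() || allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Serialises obj, reads it back through the filter, and reports whether it was accepted.
    static boolean accepted(Object obj, ObjectInputFilter filter) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {   // thrown when the filter returns REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter deny = denyList(Set.of(Known.class.getName()));
        ObjectInputFilter allow = allowList(Set.of(Order.class.getName()));
        for (Object o : new Object[] { new Known(), new Swapped(), new Order() }) {
            System.out.printf("%-8s deny-list:%-5b allow-list:%b%n",
                    o.getClass().getSimpleName(), accepted(o, deny), accepted(o, allow));
        }
    }
}
```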