漏洞描述
反序列化漏洞主要发生在应用程序未对用户输入的序列化字符串进行充分检查的情况下,攻击者可以通过构造恶意的序列化数据来进行攻击,从而控制应用程序的行为,执行任意代码,访问或修改敏感数据,甚至可能导致整个系统的控制权被攻陷。
jackson-databind 反序列化漏洞(spring gadget)
PoC代码
暂无相关漏洞推荐
- springboot-actuator-unauth: Springboot Actuator Unauth
- springblade-export-user-sqli: SpringBlade 框架后台 export-user 路径 SQL 注入漏洞
- Apache CXF Aegis databinding /test 文件读取漏洞(CVE-2024-28752)
- POC spring4shell-CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
- POC CVE-2020-9547: FasterXML jackson-databind - Deserialization Remote Code Execution
- POC CVE-2025-46822: Java-springboot-codebase 1.1 - Arbitrary File Read
- POC e-cology-springframework-directory-traversal: 泛微OA e-cology springframework 目录遍历
- POC jeespringcloud-uploadfile-fileupload: JeeSpringCloud uploadFile.jsp 任意文件上传
- POC spring-expression-oob: Spring Expression Language - Out of Band Template Injection
- POC springboot-admin-unauth: Spring boot Admin unauth
- POC springboot-h2-db-rce: Spring Boot H2 Database RCE
- POC spring-framework-exceptions: Spring Framework Exceptions
- POC exposed-alps-spring: Exposed Spring Data REST Application-Level Profile Semantics (ALPS)