JDBC Attack防护绕过技术深入分析<\/h1>

0x00 前言<\/h2>
当传入`DriverManager.getConnection(jdbcUrl)<\/code>中的jdbcUrl用户任意可控时，通过构造恶意的jdbcUrl（恶意连接属性、恶意连接类型等），在JDBC Driver处理jdbcUrl进行连接的过程中进行恶意操作（这类JDBC Driver本身是有漏洞的），可能导致任意文件读取、RCE等严重危害。<\/p>`

0x01 常见防护方法<\/h2>
JDBC连接字符串通常格式为：<\/p>
jdbc:<type>:\/\/<hosts|host:port>\/<db><properties>
<\/code><\/pre>
常见防护措施包括：<\/p>


数据源类型(type)限制<\/strong>：<\/p>

使用黑白名单限制可连接的数据源类型<\/li>
防止调用高风险数据源如mysql、postgresql等<\/li>
<\/ul>
<\/li>

host\/port\/db字段格式限制<\/strong>：<\/p>

port限制只允许数字<\/li>
host字段限制字符集（字母、数字、中文、点、短横线、斜杠、冒号等）<\/li>
<\/ul>
<\/li>

连接属性(properties)黑名单<\/strong>：<\/p>

维护不同数据源的恶意连接属性黑名单<\/li>
以MySQL为例，防护的关键属性包括：
private<\/span> static<\/span> final<\/span> Map SENSITIVE_REPLACE_PARAM_MAP =<\/span> new<\/span> HashMap()<\/span> {<\/span>
<\/span><\/span>    {<\/span>
<\/span><\/span>        put(<\/span>"autoDeserialize"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>        put(<\/span>"allowLoadLocalInfile"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>        put(<\/span>"allowUrlInLocalInfile"<\/span>,<\/span> "false"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> static<\/span> final<\/span> Set SENSITIVE_REMOVE_PARAM_MAP =<\/span> new<\/span> HashSet()<\/span> {<\/span>
<\/span><\/span>    {<\/span>
<\/span><\/span>        add(<\/span>"allowLoadLocalInfileInPath"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
0x02 绕过方式<\/h2>
2.1 使用特定的值替换<\/h3>
MySQL JDBC驱动中，autoDeserialize<\/code>参数设置为true<\/code>或yes<\/code>效果相同：<\/p>

各版本实现：

8.0.12：com.mysql.cj.conf.BooleanPropertyDefinition<\/code>中TRUE<\/code>和YES<\/code>等效<\/li>
6.0.5：com.mysql.cj.core.conf.BooleanPropertyDefinition#getAllowableValues<\/code>同样处理<\/li>
5.1.1：BooleanConnectionProperty#getAllowableValues<\/code>处理方式相同<\/li>
<\/ul>
<\/li>
<\/ul>
绕过方法<\/strong>：使用autoDeserialize=yes<\/code>代替autoDeserialize=true<\/code><\/p>
2.2 大小写绕过<\/h3>
MySQL驱动解析时会统一转换大小写：<\/p>

8.0.12：调用toUpperCase()<\/code>统一大写<\/li>
其他版本：使用equalsIgnoreCase()<\/code>进行不区分大小写比较<\/li>
<\/ul>
绕过方法<\/strong>：使用autoDeserialize=TrUe<\/code>等变体<\/p>
2.3 URL编码绕过<\/h3>
MySQL驱动解析时会进行URL解码：<\/p>


8.0.x版本：<\/p>

对协议、path和参数都进行URL解码<\/li>
解析流程：getConnection<\/code> → connect<\/code> → ConnectionUrl.acceptsUrl<\/code> → ConnectionUrlParser#parseConnectionString<\/code><\/li>
<\/ul>
<\/li>

5.1.x版本：<\/p>

仅对参数值进行解码<\/li>
<\/ul>
<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>

8.0.x：对参数名和值都编码，如%61%75%74%6f%44%65%73%65%72%69%61%6c%69%7a%65=%74%72%75%65<\/code><\/li>
5.1.x：仅对参数值编码<\/li>
<\/ul>
2.4 头尾空白符绕过<\/h3>
当防护代码使用split<\/code>分割参数时：<\/p>
String[]<\/span> keyValue =<\/span> pair.<\/span>split<\/span>(<\/span>"="<\/span>);<\/span>
<\/span><\/span>String key =<\/span> keyValue[<\/span>0<\/span>];<\/span>
<\/span><\/span>String value =<\/span> keyValue.<\/span>length<\/span> ><\/span> 1<\/span> ?<\/span> keyValue[<\/span>1<\/span>]<\/span> :<\/span> ""<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>而MySQL驱动(8.0.12)会调用StringUtils#safeTrim<\/code>去除空白符：<\/p>
绕过方法<\/strong>：<\/p>

使用autoDeserialize = true<\/code>（含空格）<\/li>
使用制表符\t<\/code>等空白字符（如CVE-2023-46227案例）<\/li>
<\/ul>
2.5 使用注释符<\/h3>
MySQL 8.0.x支持#<\/code>作为注释符：<\/p>

解析时使用正则[^#]*<\/code>匹配查询参数，忽略#<\/code>后内容<\/li>
5.1.x不支持此特性<\/li>
<\/ul>
绕过方法<\/strong>：<\/p>

在8.0.x中：autoDeserialize=true#&autoDeserialize=false<\/code><\/li>
<\/ul>
2.6 注入拼接<\/h3>
当jdbcUrl通过拼接用户输入构建时：<\/p>
StringBuilder url =<\/span> new<\/span> StringBuilder(<\/span>"jdbc:mysql:\/\/"<\/span>);<\/span>
<\/span><\/span>url.<\/span>append<\/span>(<\/span>host).<\/span>append<\/span>(<\/span>":"<\/span>).<\/span>append<\/span>(<\/span>port).<\/span>append<\/span>(<\/span>"\/"<\/span>).<\/span>append<\/span>(<\/span>dbname);<\/span>
<\/span><\/span>url.<\/span>append<\/span>(<\/span>"?user="<\/span>).<\/span>append<\/span>(<\/span>user).<\/span>append<\/span>(<\/span>"&password="<\/span>).<\/span>append<\/span>(<\/span>password);<\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>

在user\/password字段注入恶意参数，如user=root&autoDeserialize=true<\/code><\/li>
<\/ul>
0x03 防护建议<\/h2>


组件升级<\/strong>：<\/p>

升级数据源组件至安全版本（如mysql-connector\/j 8.0.21+）<\/li>
考虑使用替代组件（如mariadb-java-client替换mysql-connector-java）<\/li>
<\/ul>
<\/li>

输入归一化处理<\/strong>：<\/p>

统一大小写<\/li>
URL解码<\/li>
去除所有空白字符（包括\t<\/code>等）<\/li>
处理注释符#<\/code><\/li>
<\/ul>
<\/li>

严格输入校验<\/strong>：<\/p>

限制数据源type为预期值<\/li>
port字段严格限制为数字<\/li>
user\/password字段禁止包含=<\/code>等敏感字符<\/li>
<\/ul>
<\/li>

参数处理优化<\/strong>：<\/p>

使用java.net.URI<\/code>解析jdbcUrl，利用其非法字符检测<\/li>
修复示例：
String jdbcUrl =<\/span> url.<\/span>replaceAll<\/span>(<\/span>"\\s"<\/span>,<\/span> ""<\/span>);<\/span>
<\/span><\/span>URI uri =<\/span> new<\/span> URI(<\/span>jdbcUrl.<\/span>replace<\/span>(<\/span>"jdbc:"<\/span>,<\/span> ""<\/span>));<\/span>
<\/span><\/span>String query =<\/span> uri.<\/span>getQuery<\/span>();<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

黑名单维护<\/strong>：<\/p>

长期维护各数据源的恶意属性黑名单<\/li>
覆盖所有可能的变体（如yes\/true、大小写、编码等）<\/li>
<\/ul>
<\/li>
<\/ol>
通过综合应用以上防护措施，可有效降低JDBC Attack的风险。<\/p>