杩欑瘒鏂囩珷涓昏浠嬬粛浜咼ava JDBC瀵艰嚧鐨勫弽搴忓垪鍖栨敾鍑诲師鐞嗚В鏋?鏂囦腑閫氳繃绀轰緥浠g爜浠嬬粛鐨勯潪甯歌缁嗭紝瀵瑰ぇ瀹剁殑瀛︿範鎴栬€呭伐浣滃叿鏈変竴瀹氱殑鍙傝€冨涔犱环鍊?闇€瑕佺殑鏈嬪弸鍙互鍙傝€冧笅
鑳屾櫙
涓婂懆BlackHat Europe 2019鐨勮棰樸€奛ew Exploit Technique In Java Deserialization Attack銆嬩腑鎻愬埌浜嗕竴涓€氳繃娉ㄥ叆JDBC URL瀹炵幇鍙嶅簭鍒楀寲鏀诲嚮鐨勫満鏅紝绠€鍗曞垎鏋愪竴涓嬨€?/p>
鍒嗘瀽
棣栧厛锛屽綋java搴旂敤浣跨敤MySQL Connector/J锛堝畼鏂圭殑JDBC椹卞姩锛屾湰鏂囧熀浜庡叾8.0+鐗堟湰锛夎繛鎺ysql鏃讹紝JDBC URL鐨勬牸寮忓涓嬶細protocol//[hosts]/[database]?properties锛屽叿浣撳彲鐪媘ysql瀹樻柟鏂囨。锛岀ず渚嬶細jdbc:mysql://localhost:3306/test?useSSL=true
鍏朵腑锛宲rotocol銆乭ost銆乨atabase閮芥瘮杈冨ソ鐞嗚В锛孶RL涓殑properties鍙互璁惧畾MySQL Connector/J杩炴帴mysql鏈嶅姟鍣ㄧ殑鍏蜂綋鏂瑰紡锛屽叧浜巔roperties鐨勫畼鏂规枃妗e湴鍧€锛屽叾涓拰鏈枃鐩稿叧鐨勮繛鎺ュ睘鎬ф湁涓や釜锛屽垎鍒槸autoDeserialize鍜宷ueryInterceptors锛屽墠鑰呮槸璁惧畾MySQL Connector/J鏄惁鍙嶅簭鍒楀寲BLOB绫诲瀷鐨勬暟鎹紝鍚庤€呮槸鎷︽埅鍣紝鍦ㄦ煡璇㈡墽琛屾椂瑙﹀彂锛岀敱com.mysql.cj.protocol.a.NativeProtocol#sendQueryPacket鏂规硶婧愮爜鍙煡锛屼細鍦ㄦ墽琛屾煡璇㈣鍙ュ墠鍚庡垎鍒皟鐢ㄦ嫤鎴櫒鐨刾reProcess鍜宲ostProcess鏂规硶銆?/p>
鎺ヤ笅鏉ュ畾浣嶄笅鍙嶅簭鍒楀寲鐨勮Е鍙戠偣锛屽湪mysql-connector-java缁勪欢涓嬪叏灞€鎼滅储鍏抽敭瀛椻€?readObject()鈥濓紝瀹氫綅鍒癱om.mysql.cj.jdbc.result.ResultSetImpl绫讳腑鐨刧etObject(int columnIndex)鏂规硶锛岄儴鍒嗘牳蹇冧唬鐮佸涓嬶細
public Object getObject(int columnIndex) throws SQLException {鈥︹€?case BLOB: byte[] data = getBytes(columnIndex); if (this.connection.getPropertySet().getBooleanProperty(PropertyDefinitions.PNAME_autoDeserialize).getValue()) { Object obj = data; // Serialized object? try { ByteArrayInputStream bytesIn = new ByteArrayInputStream(data); ObjectInputStream objIn = new ObjectInputStream(bytesIn); obj = objIn.readObject(); } }}
鍙橀噺data鍗充负mysql杩斿洖缁撴灉闆嗭紝褰揓DBC URL涓瀹氬睘鎬utoDeserialize涓簍rue鏃讹紝浼氬绫诲瀷涓篵it銆乥inary浠ュ強blob鐨勬暟鎹繘琛屽弽搴忓垪鍖栵紝濡備綍瑙﹀彂getObject(int columnIndex)鏂规硶鐨勮皟鐢ㄥ憿锛熻棰樹腑缁欏嚭鐨勮皟鐢ㄩ摼濡備笅锛?/p>
> com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor#preProcess/postProcess> com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor#populateMapWithSessionStatusValues> com.mysql.cj.jdbc.util.ResultSetUtil#resultSetToMap> com.mysql.cj.jdbc.result.ResultSetImpl#getObject
ServerStatusDiffInterceptor鍗充负姝ゅ墠鎻愬埌杩囩殑鎷︽埅鍣紝鍦↗DBC URL涓瀹氬睘鎬ueryInterceptors涓篠erverStatusDiffInterceptor鏃讹紝鎵ц鏌ヨ璇彞浼氳皟鐢ㄦ嫤鎴櫒鐨刾reProcess鍜宲ostProcess鏂规硶锛岃繘鑰岄€氳繃涓婅堪璋冪敤閾炬渶缁堣皟鐢╣etObject(int columnIndex)鏂规硶銆?/p>
瀹為檯鍒╃敤杩樻湁涓€涓棶棰橈紝鏈€缁堣皟鐢╣etObject鏂规硶鐨勫璞℃槸鏁版嵁搴撹繑鍥炵殑缁撴灉闆嗭紝鐢眕opulateMapWithSessionStatusValues鏂规硶鍙煡锛?/p>
try { toPopulate.clear(); stmt = this.connection.createStatement(); rs = stmt.executeQuery("SHOW SESSION STATUS"); ResultSetUtil.resultSetToMap(toPopulate, rs);}
杩欎釜缁撴灉闆嗘槸鎵цSQL璇彞鈥淪HOW SESSION STATUS鈥濆悗鏁版嵁搴撹繑鍥炵殑鍊硷紝SQL璇彞鈥淪HOW SESSION STATUS鈥濊繑鍥炲綋鍓嶆暟鎹簱杩炴帴鐨勭姸鎬佸€硷紝瀹為檯鏄鍙栫郴缁熻〃INFORMATION_SCHEMA.SESSION_VARIABLES鐨勫€硷紝涔熷彲鑳芥槸PERFORMANCE_SCHEMA.SESSION_VARIABLES锛圡ysql鐗堟湰宸紓瀵艰嚧锛夈€備絾鏄痬ysql涓璉NFORMATION_SCHEMA鍜孭ERFORMANCE_SCHEMA閮芥槸涓嶅厑璁歌淇敼鐨勶紝鎵€浠ラ渶瑕佹兂鍔炴硶鎿嶇旱杩斿洖鐨勬暟鎹€?/p>
鍒╃敤鏉′欢
1.鏈川涓婅繕鏄疛ava鍘熺敓鐨勫弽搴忓垪鍖栧埄鐢紝鎵€浠ラ渶瑕佺幆澧冧腑鏈夊彲鐢ㄧ殑Gadget锛?/p>
2.闇€瑕佽兘浼€犵浉鍏崇郴缁熻〃鐨勬暟鎹紝灏嗏€淪HOW SESSION STATUS鈥濈殑鎵ц缁撴灉璁剧疆涓烘垜浠簿蹇冩瀯閫犵殑鍙嶅簭鍒楀寲鏁版嵁锛屾垨鑰呭熀浜巑ysql杩炴帴鍗忚锛岃嚜瀹氫箟杩斿洖鏁版嵁锛屽悗闈㈡湁鏃堕棿鐨勬椂鍊欎細鍐欏啓杩欏潡鍎裤€?/p>
3.鍙帶鐨凧DBC URL
浠ヤ笂灏辨槸鏈枃鐨勫叏閮ㄥ唴瀹癸紝甯屾湜瀵瑰ぇ瀹剁殑瀛︿範鏈夋墍甯姪锛屼篃甯屾湜澶у澶氬鏀寔鎴戜滑銆?/p>
鏈枃鏍囬: Java JDBC瀵艰嚧鐨勫弽搴忓垪鍖栨敾鍑诲師鐞嗚В鏋?/p>
鏈枃鍦板潃: http://www.xuebuyuan.com/ruanjian/java/293629.html
以上就上有关JavaJDBC瀵艰嚧鐨勫弽搴忓垪鍖栨敾鍑诲師鐞嗚В鏋?/a>的相关介绍,要了解更多Java,JDBC,鍙?搴忓垪鍖?>
<meta name="description" content="杩欑瘒鏂囩珷涓昏浠嬬粛浜咼ava JDBC瀵艰嚧鐨勫弽搴忓垪鍖栨敾鍑诲師鐞嗚В鏋?鏂囦腑閫氳繃绀轰緥浠g爜浠嬬粛鐨勯潪甯歌缁嗭紝瀵瑰ぇ瀹剁殑瀛︿範鎴栬€呭伐浣滃叿鏈変竴瀹氱殑鍙傝€冨涔犱环鍊?闇€瑕佺殑鏈嬪弸鍙互鍙傝€冧笅内容请登录学步园。