jdbc反序列化

使用环境

1
2
3
4
5
<dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.12</version>
    </dependency>

如下是简单使用,主要是利用DriverManager.getConnection进行连接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
package com.example.jdbc;

import java.sql.*;

public class demo {
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        String Driver = "com.mysql.cj.jdbc.Driver"; //从 mysql-connector-java 6开始
//String Driver = "com.mysql.jdbc.Driver"; // mysql-connector-java 5
        String DB_URL="jdbc:mysql://127.0.0.1:3306/db_1?serverTimezone=UTC";
//1.加载启动
        Class.forName(Driver);
//2.建立连接
        Connection conn = DriverManager.getConnection(DB_URL,"root","1111");
//3.操作数据库,实现增删改查
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery("select * from users");
//如果有数据,rs.next()返回true
        while(rs.next()){
            System.out.println(rs.getString("id")+" : "+rs.getString("name"));
    }
}}

主要是resultsetimpl.getobject有反序列化漏洞

接下来是找谁调用了getobject,找到了com.mysql.cj.jdbc.interceptors.populateMapWithSessionStatusValues方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
private void populateMapWithSessionStatusValues(Map<String, String> toPopulate) {
    Statement stmt = null;
    ResultSet rs = null;

    try {
        try {
            toPopulate.clear();
            stmt = this.connection.createStatement();
            rs = stmt.executeQuery("SHOW SESSION STATUS");
            ResultSetUtil.resultSetToMap(toPopulate, rs);
        } finally {
            if (rs != null) {
                rs.close();
            }

            if (stmt != null) {
                stmt.close();
            }

        }

    } catch (SQLException var8) {
        throw ExceptionFactory.createException(var8.getMessage(), var8);
    }
}

他会自动进行查询SHOW SESSION STATUS并返回结果调用 ResultSetUtil.resultSetToMap

1
2
3
4
5
6
public static void resultSetToMap(Map mappedValues, ResultSet rs) throws SQLException {
      while(rs.next()) {
          mappedValues.put(rs.getObject(1), rs.getObject(2));
      }

  }

resultSetToMap就调用了getObject方法

此处columnIndex为2处才能走到反序列化的代码逻辑,为1则直接返回null