1. Introduction to JDBC
JDBC (short for Java Database Connectivity) is an API for connecting to a database, executing SQL statements, …
It is part of Java SE (Standard Edition). The JDBC API uses a JDBC driver to connect to the database, and there are four types of drivers:
- JDBC-ODBC Bridge Driver
- Native Driver
- Network Protocol Driver
- Thin Driver
Java programmers are probably quite familiar with how to use the JDBC API.
In fact, JDBC is a standard interface, and each relational database has its own implementation of it.
2. JDBC Exploit
To exploit vulnerabilities related to JDBC, the most important requirement is to control the URL of the JDBC connection.
The JDBC driver is a library installed on the client, not on the server (the client here is the side that makes the JDBC API call, i.e. the web server, and the server is the database). It converts a request from a Java program into a protocol that the Database Management System (DBMS) can understand and execute. After execution, the DBMS returns the corresponding result.
So the attack scenario in this model is:
- The attacker controls the URL of the JDBC connection and points it at a fake database server under the attacker's control
- The target web server calls the JDBC API to connect to the fake server through the JDBC driver
- The attacker takes advantage of a security hole or some specific feature of that JDBC driver to trigger the vulnerability
3. Exploiting JDBC in MySQL
In this section, I will present two vulnerabilities related to JDBC in MySQL.
3.1. Read any file
MySQL has a statement called LOAD DATA LOCAL that reads a file on the client and then sends it to the MySQL server.
So the statement load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY 'n'; reads the client's /etc/passwd file and sends it to the server.
The MySQL documentation itself describes this danger and warns users not to connect to untrusted MySQL servers.
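As an added defensive example (not code from the original post), the Java guard below applies the two conditions described in sections 2 and 3.1 before a URL reaches DriverManager: the host must be on an allowlist, so a URL an attacker can influence cannot point the driver at a fake server, and the Connector/J property allowLoadLocalInfile is forced to false, so the client never answers a LOAD DATA LOCAL request from the server. The class name and the allowlist hosts are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

// Guards a MySQL JDBC URL before it reaches DriverManager.getConnection().
// Check 1: the host must be on an allowlist, so a URL that an attacker can
//          influence cannot point the driver at a fake database server.
// Check 2: LOAD DATA LOCAL is refused on the client side by forcing the
//          Connector/J property allowLoadLocalInfile to false.
// The allowlist entries below are constructed for this example.
public final class JdbcUrlGuard {
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("db.internal.example", "127.0.0.1");

    public static String validate(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("only jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try {
            // Drop the "jdbc:" prefix; the remainder is a parseable URI.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        // Multi-host and address=(...) forms yield a null host and are rejected.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("database host not in allowlist: " + host);
        }
        // Refuse a URL that tries to switch local file loading back on.
        String query = uri.getQuery() == null ? "" : uri.getQuery().toLowerCase(Locale.ROOT);
        if (query.contains("allowloadlocalinfile=true") || query.contains("allowurlinlocalinfile")) {
            throw new IllegalArgumentException("URL attempts to enable LOAD DATA LOCAL");
        }
        return jdbcUrl;
    }

    // Connection properties that disable LOAD DATA LOCAL whatever the driver default is.
    public static Properties hardenedProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("allowLoadLocalInfile", "false");
        return p;
    }
}
```

Call DriverManager.getConnection(JdbcUrlGuard.validate(url), JdbcUrlGuard.hardenedProperties(user, password)) so both checks run on every connection; Set.of requires Java 9 or later.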
Having briefly understood the vulnerability, the next step is to build a malicious MySQL server. Before doing this, we need to study the packet structure that MySQL uses when connecting and querying.
To find out, I use MySQL Shell to connect to localhost:3306 with username root and database test, and run load data local infile "c:\windows\win.ini" into table test.test FIELDS TERMINATED BY 'n'; (note that the useSSL=false flag needs to be used to be able to read the packets unambiguously).