CVE-2022-41828 Amazon Redshift JDBC Driver RCE
source link: https://y4er.com/posts/cve-2022-41828-amazon-redshift-jdbc-driver-rce/
I saw this advisory, took a look, and found that it is the same issue as the pgsql one.
https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-jc69-hjw2-fm86
During initialization, com.amazon.redshift.core.SocketFactoryFactory#getSocketFactory takes the socketFactoryArg and the socketFactory class name and instantiates it.
In com.amazon.redshift.util.ObjectFactory#instantiate, newInstance looks for a constructor that takes a Properties parameter or a String parameter.
A malicious class is used here:
    package org.example;

    import java.io.IOException;

    // Any class reachable on the classpath with a public String constructor
    // can be named as the socketFactory; its constructor receives socketFactoryArg.
    public class atao {
        public atao(String cmd) {
            try {
                Runtime.getRuntime().exec(cmd);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
    }
As with pgsql, Spring's ClassPathXmlApplicationContext can also be used.
Screenshot borrowed from Shaoyu (jas502n).
https://github.com/aws/amazon-redshift-jdbc-driver/commit/9999659bbc9f3d006fb02a0bf39d5bcf3b503605
The fix adds one more parameter.
It uses Class<? extends T> cls = Class.forName(classname).asSubclass(expectedClass); to restrict the Class type, so arbitrary objects can no longer be instantiated.
The fix is the same as the one for pgsql.
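To show what that type check changes, here is a simplified model of the patched instantiate logic, added for this post and not the driver's own code; the method signature, the DemoFactory class and the java.lang.String probe are assumptions chosen for the demonstration.

```java
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Properties;
import javax.net.SocketFactory;

public class TypedInstantiate {
    // Hypothetical simplification of the patched instantiate(): the caller names the
    // expected type, and asSubclass() rejects any class that does not extend it before a
    // Properties or String constructor is ever looked up.
    public static <T> T instantiate(Class<T> expectedClass, String classname, Properties info,
                                    boolean tryString, String stringarg) throws Exception {
        Class<? extends T> cls = Class.forName(classname).asSubclass(expectedClass);
        try {
            return cls.getConstructor(Properties.class).newInstance(info);
        } catch (NoSuchMethodException ignored) { }
        if (tryString) {
            try {
                return cls.getConstructor(String.class).newInstance(stringarg);
            } catch (NoSuchMethodException ignored) { }
        }
        return cls.getDeclaredConstructor().newInstance();
    }

    // Constructed stand-in for a legitimate socket factory, the kind of class a
    // socketFactory parameter is meant to name.
    public static class DemoFactory extends SocketFactory {
        public DemoFactory(String arg) { System.out.println("DemoFactory(" + arg + ")"); }
        public Socket createSocket(String h, int p) throws IOException { return new Socket(h, p); }
        public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return new Socket(h, p, l, lp); }
        public Socket createSocket(InetAddress a, int p) throws IOException { return new Socket(a, p); }
        public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return new Socket(a, p, l, lp); }
    }

    public static void main(String[] args) throws Exception {
        Properties info = new Properties();
        // Accepted: DemoFactory extends SocketFactory and exposes a String constructor.
        SocketFactory ok = instantiate(SocketFactory.class, DemoFactory.class.getName(), info, true, "arg");
        System.out.println("accepted: " + ok.getClass().getName());
        // Rejected: java.lang.String also has a public String constructor, which the
        // unrestricted lookup would call, but it is not a SocketFactory.
        try {
            instantiate(SocketFactory.class, "java.lang.String", info, true, "arg");
        } catch (ClassCastException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejected case fails inside asSubclass() with a ClassCastException, so no constructor of the named class runs at all.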
My writing is poor, the wording is flippant, the content is shallow, and my technique is clumsy. Corrections and pointers from the masters are welcome and much appreciated.
If you found this article helpful, feel free to leave a tip or follow the WeChat official account~