RCE (Object Injection) caused by OQL in product implementations

0x00 Preface

A few days ago I learned about the following new vulnerability type:

Address: http://blog.emaze.net/2014/11/gemfire-from-oqli-to-rce-through.html

The GemFire in-memory database comes from the cloud computing company Pivotal (in my view the most promising cloud computing vendor of the coming years; it is a joint venture of EMC, VMware, General Electric and others). The product of theirs we are most familiar with is Spring, maintained by the Spring technical team, which serves as the front-end development framework for the company's cloud platform.

0x01 In-memory database basics

So what is an in-memory database, and why is one needed? Here is a simple example:

Search Baidu for "GemFire": the result ranked fifth is our answer.

China is a country with a large population, and because of the large regional economic differences many people travel away from home to work. Buying train tickets during the holidays has therefore always been a headache: the ticketing website simply cannot be opened at the critical moment. No matter how bad its experience and performance are, we still have to use it, because we want to go home (that is a hard requirement). As more and more Chinese people book online, the site faces a burst of concurrent access; fortunately, it has been solving this problem through technical means.

A brief sketch of how its concurrency and database technology evolved might be: it started with a relational database such as Oracle, which hung under the concurrent load; then data was cached in memory with something like memcached (reading and writing memory is much faster than reading and writing disk, so access performance improves greatly), but performance problems remained; finally it simply adopted a cloud computing database product, GemFire, to solve the problem (a product that is also still new abroad). I don't know whether I will manage to buy a ticket for Chinese New Year; we'll see!

However, what the GemFire in-memory database stores is not a simple string such as "123456" but a Java object, so it is also an object database, like the DB4o we have also used in J2SE development. Anyone who has learned a J2EE persistence-layer framework such as Hibernate or iBATIS knows that each table in the relational database is mapped into memory (ORM): table fields correspond to the attributes of Java objects in memory. Java objects can in addition have more complex structures (such as nested objects and collections), data transfer becomes very convenient, and the traditional relational database operating model is abandoned. For this the GemFire in-memory database supports a more powerful object operation API: OQL.

So what is OQL? Baidu Baike has only a few simple words on it that are hard to understand:

http://baike.baidu.com/view/2554236.htm?fr=aladdin

Here is an example; it is similar to SQL.

For example, to query the user table for rows whose name field is test, the SQL statement is:

SQL = "select * from user where name = 'test'";

The OQL might look like this:

OQL = "select referrers(u) from xxx.xxx.User u where u.name = 'test'";

A brief explanation of the syntax: xxx.xxx is the package path of the object. The query returns references to the xxx.xxx.User objects whose name attribute is test. Is that not more powerful? And OQL has far more powerful APIs than this.

Compared with the SQL injection vulnerability, this new vulnerability type is easy to understand. SQL injection is an SQL statement contaminated by external parameters; OQL injection is an OQL statement contaminated by external parameters. What is worse here is that OQL statements support Java code semantics and syntax parsing (think of the familiar OGNL expression injection), so the defining feature of the OQL injection vulnerability type is remote code execution, and its greatest danger is the execution of system commands.
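The OQL analogue of the SQL concatenation pattern above, as an added example that is not from the original post, written against the Apache Geode API (the open-sourced GemFire; older GemFire releases use the com.gemstone.gemfire.* packages instead). The region path /Users and the User class are assumptions for illustration.

```java
// Added example, not the original post's code or GemFire's own code.
// Assumes a region named /Users holding User objects with a String name field.
import org.apache.geode.cache.Cache;
import org.apache.geode.cache.query.Query;
import org.apache.geode.cache.query.QueryService;
import org.apache.geode.cache.query.SelectResults;

public class UserLookup {
    private final QueryService qs;

    public UserLookup(Cache cache) {
        this.qs = cache.getQueryService();
    }

    // Vulnerable: the untrusted value becomes part of the OQL text, exactly like
    // "select * from user where name = '" + name + "'" in SQL. A value holding a
    // quote character changes the structure of the statement, and because OQL can
    // invoke methods on the objects it reaches, the result is not only a data leak
    // but a code-execution primitive.
    public SelectResults<?> findByNameUnsafe(String name) throws Exception {
        String oql = "select * from /Users u where u.name = '" + name + "'";
        return (SelectResults<?>) qs.newQuery(oql).execute();
    }

    // Fixed: the statement text is a constant and the value travels as bind
    // parameter $1, so it is compared as data and is never parsed as OQL.
    public SelectResults<?> findByNameSafe(String name) throws Exception {
        Query q = qs.newQuery("select * from /Users u where u.name = $1");
        return (SelectResults<?>) q.execute(new Object[] { name });
    }
}
```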

0x02 Instance analysis

Having said all this, I certainly have to give an example! We know that learning a technology also has a cost, and the GemFire in-memory database is not something a poor person like me can use right now, but that does not stop us from learning the OQL object query language.

OQL support is actually shipped in our JDK:

First, start any Java program (here I use Tomcat) and find its PID.

Then use the jmap command to generate a heap dump snapshot.

Then run the heap analysis command jhat on the dump; it starts an HTTP service, on port 7000 by default.

We can then view the heap information in the browser, and the service also provides the OQL query function we need. Note that this jhat service has no authentication and evaluates OQL as JavaScript inside its own JVM, so anyone who can reach the port can run code with jhat's privileges; only run it where untrusted users cannot reach that port. (jhat itself was removed from the JDK in Java 9.)

Query all strings with a length greater than 100:

Executing system commands from Java code here is not as complicated as the foreign author makes it sound; reflection is all that is needed (of course, check how the statement is concatenated):

More and more object databases will be used in the future. The vulnerability type to watch for is then not the SQL injection we are already familiar with but OQL injection, which is more serious (and not limited to Java).
