JDBC RCE

This exercise is one of our challenges to help you learn Java Serialisation exploitation

PRO
Tier
Medium
2-4 Hrs.
49

Course


In this exercise, you will learn how to exploit a serialization vulnerability in the Java MySQL connector (version 8.x). The main objective is to create a malicious MySQL server that sends a serialized Java Object payload. This can be achieved by either writing a script to mimic a MySQL server, using a proxy like Cobar, or developing a MySQL extension that responds with a malicious payload.

To generate the payload, you can utilize ysoserial, taking into account that the application includes the commons-collections:3.1 jar. By following the outlined methods, you will understand how to manipulate the MySQL server responses to exploit the deserialization issue in the MySQL JDBC connector.

Want to learn more? Get started with PentesterLab Pro! GO PRO