Java Database Connectivity (JDBC) is an application programming interface (API) for the Java programming language that defines how a client may access a database.
In this presentation we will introduce a new attack technique we call the «JDBC URI Attack». Our in-depth research shows that if an attacker can control the JDBC URI, they can compromise the victim server and execute arbitrary code on it. We will show demos of multiple attack scenarios and demonstrate how arbitrary code execution on the target server can be achieved by attacking the JDBC URI.
We will focus on exploiting MySQL, Oracle, PostgreSQL and other database drivers. These are present in almost every enterprise application.
In addition, we will discuss security issues in the official JDBC standard itself, which have new implications for Java deserialization.