Impact

Databasir is a team-oriented relational database model document management platform.
Databasir 1.0.7 has a remote code execution vulnerability.
Remote code execution is a web security vulnerability through which we can execute any command, such as open -a Calculator.

Unsafe code
SpelScriptEvaluator uses StandardEvaluationContext as its evaluation context; the script parameter is user-controlled and is not filtered in any way.

Vulnerability entry point

During validation of the rules parameter.
POC
An attacker can control the rules parameter to cause RCE, for example:
[ { "columnName": "test", "dependentColumnName": "test", "dependentTableName": "test", "mockDataScript": "T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('open -a Calculator')", "mockDataType": "SCRIPT", "tableName": "test" } ]

Fix suggestion
The most direct approach: replace StandardEvaluationContext with SimpleEvaluationContext.
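As an added illustration (not Databasir's code), the evaluator below contrasts the two Spring SpEL contexts: `StandardEvaluationContext` resolves a `T(...)` type reference, the construct the PoC relies on, while `SimpleEvaluationContext` has no type locator and rejects it before anything is invoked. The `Row` class, the method names and the scripts are constructed for the example; a harmless `java.lang.Math` reference stands in for the PoC's payload.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/** Added example, not Databasir's code: vulnerable vs. hardened SpEL evaluation. */
public class MockScriptEvaluatorDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Constructed stand-in for the row data a mock-data script may read. */
    public static class Row {
        private final String columnName;
        public Row(String columnName) { this.columnName = columnName; }
        public String getColumnName() { return columnName; }
    }

    /** Vulnerable shape: StandardEvaluationContext exposes T(), static methods and constructors. */
    static Object evaluateUnsafe(String script, Row row) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(row);
        return PARSER.parseExpression(script).getValue(ctx);
    }

    /** Hardened shape: SimpleEvaluationContext limits the script to data binding on the root object. */
    static Object evaluateSafe(String script, Row row) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(script);
        return expr.getValue(ctx, row);
    }

    public static void main(String[] args) {
        Row row = new Row("user_id");

        // A legitimate data-binding script behaves the same in both contexts.
        String dataScript = "columnName + '_mock'";
        System.out.println(evaluateUnsafe(dataScript, row)); // user_id_mock
        System.out.println(evaluateSafe(dataScript, row));   // user_id_mock

        // A type reference: the same construct as the PoC, with a harmless class.
        String typeRefScript = "T(java.lang.Math).max(1, 2)";
        System.out.println(evaluateUnsafe(typeRefScript, row)); // 2: T() is resolved
        try {
            evaluateSafe(typeRefScript, row);
        } catch (SpelEvaluationException e) {
            // No type locator in SimpleEvaluationContext, so T(...) fails at evaluation time.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because SimpleEvaluationContext rejects every `T(...)` reference, any legitimate mock scripts that depend on type references will also stop working and need a different mechanism.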
Reporter
@luelueking

Source
https://github.com/luelueking/Databasir-1.0.7-vuln-poc