MeterSphere PluginController Pre-Auth RCE
source link: https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
MeterSphere PluginController Pre-Auth RCE
2022-01-07 代码审计 RCE javachybeta又发预警了
wget https://github.com/metersphere/metersphere/releases/download/v1.16.3/metersphere-online-installer-v1.16.3.tar.gz
tar zxvf metersphere-online-installer-v1.16.3.tar.gz
cd metersphere-online-installer-v1.16.3/
MSVERSION="v1.16.3"
echo $MSVERSION
sed -i -e "s#MS_IMAGE_TAG=.*#MS_IMAGE_TAG=${MSVERSION}#g" install.conf
sed -i -e "s#MS_IMAGE_PREFIX=.*#MS_IMAGE_PREFIX=registry.cn-qingdao.aliyuncs.com\/metersphere#g" install.conf
/bin/bash install.sh
搭建完运行在http://172.16.16.129:8081/ docker中 msctl status可以看到状态。
根据diff https://github.com/metersphere/metersphere/compare/v1.16.3...v1.16.4
删除了/plugin/**路由的anon权限,也就是说原来访问/plugin/是不需要授权的。
找到路由对应的controller io.metersphere.controller.PluginController
主要关注两个函数 add 和 customMethod
add函数中上传文件跟进到io.metersphere.service.PluginService#editPlugin
io.metersphere.commons.utils.FileUtils#create将上传的文件拼接写入到 /opt/metersphere/data/body/plugin 目录下
文件名形如/opt/metersphere/data/body/plugin/490fb08a-eae3-4414-a991-09f16f5b8f5e_test.jar
写入之后进入io.metersphere.service.PluginService#getMethod
继续跟进this.loadJar()
这里将上传的文件通过URLClassLoader加载进来,那么我们可以通过上传jar包,向内存中注册任意类。
接下来再看io.metersphere.controller.PluginController#customMethod
跟进到io.metersphere.service.PluginService#customMethod
Class.forName参数可控,我们可以在上文的jar包中写一个customMethod函数,这样就可以执行任意java代码了。
整个流程就是写一个Evil类,类中定义一个customMethod函数,打成jar包上传来向内存中注册class,然后通过customMethod路由调用jar包中的Evil类customMethod函数。
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK