若依后台管理系统定时任务功能SQL注入漏洞分析<\/h1>

环境说明<\/h2>

目标系统：RuoYi-fast v4.7.3（前后端不分离版本）<\/li>

漏洞组件：Quartz定时任务组件<\/li> <\/ul>

Quartz组件基础<\/h2>

RuoYi-fast使用Quartz作为定时任务组件，基本使用方式如下：<\/p>

依赖配置<\/strong>：<\/li> <\/ol>
<dependencies><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.springframework.boot<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>spring-boot-starter-quartz<\/artifactId><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre> Job实现<\/strong>：<\/li> <\/ol> public<\/span> class<\/span> DateTimeJob<\/span> extends<\/span> QuartzJobBean {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> void<\/span> executeInternal<\/span>(<\/span>JobExecutionContext context)<\/span> {<\/span> <\/span><\/span> String msg =<\/span> (<\/span>String)<\/span> context.<\/span>getJobDetail<\/span>().<\/span>getJobDataMap<\/span>().<\/span>get<\/span>(<\/span>"msg"<\/span>);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"current time :"<\/span>+<\/span>new<\/span> SimpleDateFormat(<\/span>"yyyy-MM-dd HH:mm:ss"<\/span>).<\/span>format<\/span>(<\/span>new<\/span> Date())<\/span> +<\/span> "---"<\/span> +<\/span> msg);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 配置Job和Trigger<\/strong>：<\/li> <\/ol> @Configuration<\/span> <\/span><\/span>public<\/span> class<\/span> QuartzConfig<\/span> {<\/span> <\/span><\/span> @Bean<\/span> <\/span><\/span> public<\/span> JobDetail printTimeJobDetail<\/span>(){<\/span> <\/span><\/span> return<\/span> JobBuilder.<\/span>newJob<\/span>(<\/span>DateTimeJob.<\/span>class<\/span>)<\/span> <\/span><\/span> .<\/span>withIdentity<\/span>(<\/span>"DateTimeJob"<\/span>)<\/span> <\/span><\/span> .<\/span>usingJobData<\/span>(<\/span>"msg"<\/span>,<\/span> "Hello Quartz"<\/span>)<\/span> <\/span><\/span> .<\/span>storeDurably<\/span>()<\/span> <\/span><\/span> .<\/span>build<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Bean<\/span> <\/span><\/span> public<\/span> Trigger printTimeJobTrigger<\/span>()<\/span> {<\/span> <\/span><\/span> CronScheduleBuilder cronScheduleBuilder =<\/span> CronScheduleBuilder.<\/span>cronSchedule<\/span>(<\/span>"0\/1 * * * * ?"<\/span>);<\/span> <\/span><\/span> return<\/span> TriggerBuilder.<\/span>newTrigger<\/span>()<\/span> <\/span><\/span> .<\/span>forJob<\/span>(<\/span>printTimeJobDetail())<\/span> <\/span><\/span> .<\/span>withIdentity<\/span>(<\/span>"quartzTaskService"<\/span>)<\/span> <\/span><\/span> .<\/span>withSchedule<\/span>(<\/span>cronScheduleBuilder)<\/span> <\/span><\/span> .<\/span>build<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞分析<\/h2> 定时任务执行逻辑<\/h3> 执行流程<\/strong>：<\/p> AbstractQuartzJob<\/code>抽象类实现了模版方法设计模式<\/li> 包含before<\/code>、doExecute<\/code>、after<\/code>方法<\/li> execute<\/code>方法组合上述三个方法<\/li> <\/ul> <\/li> 关键执行点<\/strong>：<\/p> 通过反射调用目标方法<\/li> 支持两种调用方式： Spring容器中注册的bean<\/li> 指定class名称（需有无参构造函数）<\/li> <\/ul> <\/li> <\/ul> <\/li> 方法调用限制<\/strong>：<\/p> 方法不能是private修饰<\/li> 参数类型仅支持：String、Boolean、Long、Double、Integer<\/li> <\/ul> <\/li> <\/ol> 定时任务添加\/修改逻辑<\/h3> 黑白名单检查<\/strong>：<\/p> 添加定时任务前会检查黑白名单<\/li> 但存在检测遗漏：仅对全限定类名(class)检测，未对Spring容器中的对象检测<\/li> <\/ul> <\/li> 漏洞产生原因<\/strong>：<\/p> 可以绕过黑名单检测<\/li> 可以逃过白名单检测<\/li> <\/ul> <\/li> <\/ol> 寻找可利用对象<\/h3> 在Spring容器中寻找满足以下条件的对象：<\/p> 存在于Spring容器中<\/li> 方法至少不是private修饰<\/li> 参数类型为String、Boolean、Long、Double、Integer<\/li> <\/ol> 发现可利用对象<\/strong>：<\/p> JdbcTemplate<\/code>类中的execute<\/code>和update<\/code>方法都是public方法<\/li> 参数为String类型<\/li> 可以执行任意SQL语句<\/li> <\/ul> <\/li> <\/ul> 绕过方法参数截取<\/h3> 问题<\/strong>：<\/p> 方法参数值是从目标字符串第一个(<\/code>和第一个)<\/code>中间的字符串获取<\/li> 如jdbcTemplate.execute("insert into sys_user_role values(7,7);")<\/code>，实际获取的是"insert into sys_user_role values(7,7"<\/code><\/li> <\/ul> <\/li> 绕过方案<\/strong>：<\/p> 使用MySQL预处理和hex编码<\/li> 确保参数值内容中不出现)<\/code><\/li> <\/ul> <\/li> 示例攻击流程<\/strong>：<\/p> 将SQL语句hex编码：insert into sys_user_role values(7,7);<\/code> → 0x696E7365727420494E544F207379735F757365725F726F6C652076616C75657328372C293B<\/code><\/li> 构造无)<\/code>的payload： set<\/span> @<\/span>a=<\/span>0<\/span>x696E7365727420494E544F207379735F757365725F726F6C652076616C75657328372C293B; <\/span><\/span>prepare<\/span> stmt from<\/span> @<\/span>a; <\/span><\/span>execute<\/span> stmt; <\/span><\/span><\/code><\/pre><\/li> 通过定时任务执行上述SQL<\/li> <\/ul> <\/li> <\/ol> 漏洞修复方案<\/h2> 完善黑白名单检测机制<\/li> 对Spring容器中的对象也进行白名单检测<\/li> 严格限制可执行的方法和参数类型<\/li> <\/ol> 总结<\/h2> 该漏洞利用Quartz定时任务组件的反射执行机制，结合Spring容器中JdbcTemplate的可执行SQL特性，通过精心构造的SQL语句绕过参数截取限制，最终实现任意SQL语句执行。修复时应全面考虑各种调用方式和参数处理场景。<\/p>