mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 11:24:54 -07:00
feat(modules): add clickhouse and dgraph exposure modules (#258)
add recon modules for self-hosted databases whose http interface is reachable without credentials: clickhouse runs arbitrary sql because the default user has an empty password, confirmed here by reading the server version through the http interface, and the open-source dgraph alpha has no authentication so its /health endpoint discloses the cluster while /query and /admin read and drop all data; a clickhouse that requires a password returns 403 and an alpha behind an authenticating proxy returns 401 and neither is flagged.
This commit is contained in:
@@ -0,0 +1,111 @@
|
||||
package modules_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/vmfunc/sif/internal/modules"
|
||||
)
|
||||
|
||||
func runDBHTTPModule(t *testing.T, file string, status int, body string) *modules.Result {
|
||||
t.Helper()
|
||||
def, err := modules.ParseYAMLModule(file)
|
||||
if err != nil {
|
||||
t.Fatalf("parse %s: %v", file, err)
|
||||
}
|
||||
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(status)
|
||||
_, _ = w.Write([]byte(body))
|
||||
}))
|
||||
defer srv.Close()
|
||||
|
||||
res, err := modules.ExecuteHTTPModule(context.Background(), srv.URL, def, modules.Options{
|
||||
Timeout: 5 * time.Second,
|
||||
Threads: 2,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("execute %s: %v", file, err)
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
func dbHTTPExtract(res *modules.Result, key string) string {
|
||||
for _, f := range res.Findings {
|
||||
if v := f.Extracted[key]; v != "" {
|
||||
return v
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func TestDatabaseHTTPExposureModules(t *testing.T) {
|
||||
const clickhouse = "../../modules/recon/clickhouse-http-exposure.yaml"
|
||||
const dgraph = "../../modules/recon/dgraph-api-exposure.yaml"
|
||||
|
||||
t.Run("a clickhouse FORMAT JSON result is flagged with the version", func(t *testing.T) {
|
||||
body := `{"meta":[{"name":"version()","type":"String"}],"data":[{"version()":"24.3.1.2672"}],` +
|
||||
`"rows":1,"statistics":{"elapsed":0.000123,"rows_read":1,"bytes_read":1}}`
|
||||
res := runDBHTTPModule(t, clickhouse, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a clickhouse finding")
|
||||
}
|
||||
if v := dbHTTPExtract(res, "clickhouse_version"); v != "24.3.1.2672" {
|
||||
t.Errorf("clickhouse_version=%q, want 24.3.1.2672", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a json result without the statistics envelope is not flagged as clickhouse", func(t *testing.T) {
|
||||
body := `{"meta":[{"name":"x"}],"data":[{"x":1}],"rows":1}`
|
||||
if res := runDBHTTPModule(t, clickhouse, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a statless json result should not match clickhouse, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dgraph alpha health is flagged with its version", func(t *testing.T) {
|
||||
body := `[{"instance":"alpha","address":"localhost:7080","status":"healthy","group":"0",` +
|
||||
`"version":"v23.1.0","uptime":3600,"lastEcho":1700000000,"ongoing":["opRollup"],"max_assigned":30002}]`
|
||||
res := runDBHTTPModule(t, dgraph, 200, body)
|
||||
if len(res.Findings) == 0 {
|
||||
t.Fatal("expected a dgraph finding")
|
||||
}
|
||||
if v := dbHTTPExtract(res, "dgraph_version"); v != "v23.1.0" {
|
||||
t.Errorf("dgraph_version=%q, want v23.1.0", v)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a dgraph alpha health without max_assigned is not flagged", func(t *testing.T) {
|
||||
body := `[{"instance":"alpha","status":"healthy","lastEcho":1700000000}]`
|
||||
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a partial alpha health should not match dgraph, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a non-alpha instance health is not flagged as dgraph", func(t *testing.T) {
|
||||
body := `[{"instance":"zero","max_assigned":30002,"lastEcho":1700000000}]`
|
||||
if res := runDBHTTPModule(t, dgraph, 200, body); len(res.Findings) > 0 {
|
||||
t.Errorf("a zero-node health should not match dgraph alpha, got %d findings", len(res.Findings))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a plain 200 body is not a leak", func(t *testing.T) {
|
||||
for _, file := range []string{clickhouse, dgraph} {
|
||||
if res := runDBHTTPModule(t, file, 200, "ok"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a plain 200 body should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("a 403 or 404 is not a leak", func(t *testing.T) {
|
||||
if res := runDBHTTPModule(t, clickhouse, 403, "Authentication failed"); len(res.Findings) > 0 {
|
||||
t.Errorf("a 403 clickhouse should not match, got %d findings", len(res.Findings))
|
||||
}
|
||||
for _, file := range []string{clickhouse, dgraph} {
|
||||
if res := runDBHTTPModule(t, file, 404, "not found"); len(res.Findings) > 0 {
|
||||
t.Errorf("%s: a 404 should not match, got %d findings", file, len(res.Findings))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
# ClickHouse HTTP Interface Exposure Detection Module
|
||||
|
||||
id: clickhouse-http-exposure
|
||||
info:
|
||||
name: ClickHouse HTTP Interface Exposure
|
||||
author: sif
|
||||
severity: high
|
||||
description: Detects an unauthenticated ClickHouse http interface that executes arbitrary sql and reaches server-side files and internal urls
|
||||
tags: [clickhouse, database, sql, olap, exposure, unauth, recon]
|
||||
|
||||
type: http
|
||||
|
||||
http:
|
||||
method: GET
|
||||
paths:
|
||||
- "{{BaseURL}}/?query=SELECT+version()+FORMAT+JSON"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\"meta\""
|
||||
- "\"statistics\""
|
||||
- "\"rows_read\""
|
||||
- "\"bytes_read\""
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: clickhouse_version
|
||||
part: body
|
||||
regex:
|
||||
- '"version\(\)"\s*:\s*"([^"]+)"'
|
||||
group: 1
|
||||
@@ -0,0 +1,41 @@
|
||||
# Dgraph Alpha API Exposure Detection Module
|
||||
|
||||
id: dgraph-api-exposure
|
||||
info:
|
||||
name: Dgraph Alpha API Exposure
|
||||
author: sif
|
||||
severity: medium
|
||||
description: Detects a Dgraph Alpha whose unauthenticated health api leaks the cluster members and versions and serves read and admin apis
|
||||
tags: [dgraph, graph-database, database, exposure, unauth, recon]
|
||||
|
||||
type: http
|
||||
|
||||
http:
|
||||
method: GET
|
||||
paths:
|
||||
- "{{BaseURL}}/health"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- '"instance"\s*:\s*"alpha"'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\"max_assigned\""
|
||||
- "\"lastEcho\""
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: dgraph_version
|
||||
part: body
|
||||
regex:
|
||||
- '"version"\s*:\s*"([^"]+)"'
|
||||
group: 1
|
||||
Reference in New Issue
Block a user